topic Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation) in SASE and Remote Access

Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Sascha_Bremshey — Mon, 23 Sep 2019 10:04:10 GMT

Hi,

for special internal reasons we currently use "Calculate per user name", whit this the algorithm is clear:
Take the <username> make MD5 hash and the first 12 chars is the MAC used for DHCP requests.

Example:

User: sascha
MD5: a624a33f3501afdc109103d1bdf80840
MAC: A6-24-A3-3F-35-01

This gives us the opportunity to set static DHCP entries for every user.

Now we think about to give static VPN-IPs via DHCP to any connecting machine.
But we need to know the calculated MAC address before user connects.
Tried with 3 different machines and got those MAC addresses

5f:38:13:5c:cd:d9
9d:7b:a3:b6:d3:61
aa:7c:47:4a:f3:bc

I have no Idea how those MACs where calculated.
Any hints from you?

Thanks and best regards,
Sascha

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

G_W_Albrecht — Mon, 23 Sep 2019 10:14:53 GMT

Usually, user connect either using LAN Ethernet Adapter and its MAC or WLAN Adapter and its MAC - so i do not understand your question...

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Sascha_Bremshey — Mon, 23 Sep 2019 10:35:35 GMT

You are correct user connect with LAN or WIFI and its mac to local network.
Once VPN tunnel is established clients requests IP for Office mode.
Clinet uses therefore no known MAC (nither MAC of LAN nor WIFI adapter). It is a with CP magic calculated mac-address ...

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Norbert_Bohusch — Mon, 23 Sep 2019 13:39:25 GMT

I don't know how it works for machine, so if it works the same, but for user you can use "vpn macutil".

# vpn macutil sascha
A6-24-A3-3F-35-01, "sascha"

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

G_W_Albrecht — Mon, 23 Sep 2019 14:00:46 GMT

This is explained in Mobile Access Administration Guide R80.30 p.87ff !

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Sascha_Bremshey — Mon, 23 Sep 2019 14:18:02 GMT

i know vpn macutil and the algorithm is described above: MD5 the usernam and take the first 12 chars.

Need to know the algorithm for the "unique per machine" part.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Sascha_Bremshey — Mon, 23 Sep 2019 14:25:41 GMT

Nope in Admin Guide is only described how to enable the magic, but not how the magic is done.

In the end there is a unique MAC address for each connecting client.

I need to know the recipe and don't want to get surprised by any new client.

I need to configure any of our 800 clients in DHCP and IP pool is not allowed.

Works fine with username but in future we want to switch to machines (Same User should be able to login same time with different machines)

/BR

Sascha

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

G_W_Albrecht — Mon, 23 Sep 2019 15:01:02 GMT

Why not ask TAC on how to configure that ?

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

G_W_Albrecht — Mon, 23 Sep 2019 15:04:15 GMT

Mobile Access Administration Guide R80.30 p.87f :

Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable to enable the DHCP send replies correctly.

DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address.

---> Looks like the machine MAC visible to the GW is used here...

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Sascha_Bremshey — Tue, 24 Sep 2019 07:18:58 GMT

Was hoping someone in community would know the answer.
Will turn to TAC...
Thanks so far for sharing your thoughts.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

DexMorgan — Wed, 20 May 2020 09:26:39 GMT

Hi, did you receive a response from TAC? I have a task similar to yours. I need to know the mac address calculation algorithm per machines. Please share the information.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

NSerrao — Tue, 26 May 2020 16:40:23 GMT

Hello.

I'm trying to configure this "Unique per machine" but it changes UID every time machine restarts. So, it's more "Unique for boot".

Does yours do the same?

Do you know anything about it?

I'm using "Unique per user" and it's working and keeps same UID.

Best regards.

Nelson

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Sascha_Bremshey — Wed, 27 May 2020 06:31:23 GMT

The reply for C458715E I got was:

"...Regarding the MAC location, the MAC location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\TRAC
The value will be taken from: "fixed_om_mac_address"="0000"
Please let me know if any further clarification is required..."

and

"...Configuring the Registry this is our only option. Regarding IOS, according to sk61866 ;
Note: In OS X, this feature is not supported..."

They won't let us look into their cards 😞

So I still use the good well reverse engineered "Calculate per user name" -> Take the <username>, make MD5 hash and the first 12 chars is the MAC used for DHCP requests.

Once we have same users with diferent devices we chosed the following workaround:

Remote-Access-Client (LDAP and RSA-SecurID) Users are written in lowercase

Capsule VPN Users are authenticated with Certificate and we only enroll UPPERCASE Usernames in Certs.

So I got 2 different MAC for same User and DHCP can provide different fixed IPs

So only thing we have to monitor: No Normal VPN User should ever write uppercase Username, we do this with simple rule:

SRC: <Range of Capsule IPs>
DST: <Software deployment Server>
Action: Reject
Log: Log+Alert(Mail)

No Capsule Client is connecting to Software deployment Server to the Port, so if some Capsule IP is connecting this must be a Normal Client and we got an alarm.

Same way vise versa we do for Remote-Access-Client-Range

Hope this will help someone for a workaround, as CP is not really willing to help.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

DexMorgan — Wed, 27 May 2020 13:51:41 GMT

Thanks for the answer. Our task is to separate the domain work laptops that connect to the network via VPN, and other home machines that also connect via VPN. We thought to solve it through a dhcp server, but today I realized that this can be achieved with much less effort through Identity Awareness.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

DexMorgan — Wed, 27 May 2020 14:05:45 GMT

Hello.

I don’t know about the UID, but with the option "Unique per machine" the MAC address generated by the CP did not change after a reboot. It changed, for example, if you reinstall the VPN client or rename the PC from which you are connecting.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Sascha_Bremshey — Wed, 27 May 2020 14:09:28 GMT

Now I'm curious.

How can you separate company and home PCs with Identity Awareness.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

DexMorgan — Wed, 17 Jun 2020 10:42:26 GMT

Create an Access Role, in the Machines option set the OU Computers or Domain Computers Security Group, apply the Access Role in the rule and set the extended rights for PCs covered by this Access Role. For all other PCs that are not in the domain, make a rule with truncated rights by default.

Or am I misunderstanding something? I am new to this profession, and I will be glad to advice. So far we have not implemented this scheme, but we are just going to do it.

Re: Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Emils_Zeliksons — Sat, 12 Dec 2020 08:13:16 GMT

May I ask you if you managed to separate AD and non AD connected PCs, I am very interested if it is actually possible to achieve separation using the method you propose?

Thanks in advance.

Emil.