Sascha_Bremshey
Contributor

Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Hi,

for special internal reasons we currently use "Calculate per user name"; with this, the algorithm is clear:
Take the <username>, make an MD5 hash, and the first 12 chars are the MAC used for DHCP requests.

Example:

  • User: sascha
  • MD5: a624a33f3501afdc109103d1bdf80840
  • MAC: A6-24-A3-3F-35-01

This gives us the opportunity to set static DHCP entries for every user.

Now we are thinking about giving static VPN IPs via DHCP to any connecting machine.
But we need to know the calculated MAC address before the user connects.
I tried with 3 different machines and got these MAC addresses:

  • 5f:38:13:5c:cd:d9
  • 9d:7b:a3:b6:d3:61
  • aa:7c:47:4a:f3:bc

I have no idea how those MACs were calculated.
Any hints from you?


Thanks and best regards,
Sascha

17 Replies
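As an added example (not code from the original post, from Check Point or from vpn macutil), the script below reproduces the per-user recipe Sascha gives above and puts it to the use he describes: generating static DHCP reservations from a list of user names. It assumes the user name is hashed as its plain UTF-8 bytes with no salt, terminator or case folding; the thread reports A6-24-A3-3F-35-01 for "sascha", which you can compare against the script's output. The dhcpd stanza layout, the user list and the IP addresses are constructed for illustration. It also shows why the upper/lowercase trick in Sascha's later workaround post yields two distinct MACs for one user, and it flags the group and locally-administered bits of the first octet, which a hash-derived MAC sets at random (the per-machine samples in the post, e.g. 5f:38:13:..., have both set).

```python
import hashlib

# Added example, not Check Point code: reproduces the "Calculate per user name"
# Office Mode MAC as the thread describes it (MD5 of the user name, first 12 hex
# digits, grouped into six octets). Assumption, not stated on the page: the user
# name is hashed as its UTF-8 bytes, with no salt, NUL terminator or case folding.


def office_mode_mac(username: str, sep: str = "-") -> str:
    """Per-user Office Mode MAC for `username`, upper-case as vpn macutil prints it."""
    digest = hashlib.md5(username.encode("utf-8")).hexdigest()
    octets = [digest[i:i + 2] for i in range(0, 12, 2)]
    return sep.join(octets).upper()


def mac_flags(mac: str) -> dict:
    """I/G (group) and U/L (locally administered) bits of the first octet.

    A hash-derived MAC sets these bits at random, so check them before assuming
    a DHCP server or reporting tool will treat the address like a normal NIC MAC.
    """
    first = int(mac[:2], 16)
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def dhcpd_reservations(users_to_ips: dict) -> str:
    """ISC dhcpd 'host' stanzas, one per user, keyed on the derived MAC.

    The host label is built from the MAC's hex digits rather than the user name,
    so 'sascha' and 'SASCHA' (which hash to different MACs) cannot collide on it.
    """
    lines = []
    for user, ip in sorted(users_to_ips.items()):
        mac = office_mode_mac(user, sep=":").lower()
        label = mac.replace(":", "")
        lines.append(
            f"host om-{label} {{ hardware ethernet {mac}; fixed-address {ip}; }}  # {user}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: user names and placeholder Office Mode addresses.
    sample = {"sascha": "10.99.0.11", "SASCHA": "10.99.1.11", "alice": "10.99.0.12"}
    for user in sample:
        mac = office_mode_mac(user)
        print(f"{user:8s} {mac}  {mac_flags(mac)}")
    print(dhcpd_reservations(sample))
```

Feed the script the same user names the gateway will see (including case) and paste the stanzas into dhcpd.conf; any user whose login name differs in case from the enrolled one will silently get a different MAC and fall outside the reservation.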
G_W_Albrecht
Legend

Usually, users connect either using the LAN Ethernet adapter and its MAC or the WLAN adapter and its MAC, so I do not understand your question...

CCSE CCTE CCSM SMB Specialist
Sascha_Bremshey
Contributor

You are correct, users connect with LAN or WiFi and its MAC to the local network.
Once the VPN tunnel is established, the client requests an IP for Office Mode.
The client therefore uses no known MAC (neither the MAC of the LAN nor of the WiFi adapter). It is a MAC address calculated with CP magic...
Norbert_Bohusch
Advisor

I don't know how it works for machines, or if it works the same, but for users you can use "vpn macutil".

# vpn macutil sascha
A6-24-A3-3F-35-01, "sascha"

G_W_Albrecht
Legend

This is explained in the Mobile Access Administration Guide R80.30, p. 87ff!

Sascha_Bremshey
Contributor

Nope, the Admin Guide only describes how to enable the magic, not how the magic is done.

In the end there is a unique MAC address for each connecting client.

I need to know the recipe and don't want to get surprised by any new client.

I need to configure each of our 800 clients in DHCP, and an IP pool is not allowed.

It works fine with the username, but in future we want to switch to machines (the same user should be able to log in at the same time from different machines).

/BR

Sascha

G_W_Albrecht
Legend

Mobile Access Administration Guide R80.30 p.87f :

Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable to enable the DHCP server to send replies correctly.

DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address.

---> Looks like the machine MAC visible to the GW is used here...

Sascha_Bremshey
Contributor

I know vpn macutil, and the algorithm is described above: MD5 the username and take the first 12 chars.

Need to know the algorithm for the "unique per machine" part.

G_W_Albrecht
Legend

Why not ask TAC how to configure that?

Sascha_Bremshey
Contributor

Was hoping someone in community would know the answer.
Will turn to TAC...
Thanks so far for sharing your thoughts.
DexMorgan
Explorer

Hi, did you receive a response from TAC? I have a task similar to yours. I need to know the mac address calculation algorithm per machines. Please share the information.

NSerrao
Explorer

Hello.

I'm trying to configure this "Unique per machine", but it changes the UID every time the machine restarts. So it's more "Unique per boot".

Does yours do the same?

Do you know anything about it?

I'm using "Unique per user" and it's working and keeps same UID.

Best regards.

Nelson

DexMorgan
Explorer

Hello.

I don’t know about the UID, but with the option "Unique per machine" the MAC address generated by the CP did not change after a reboot. It changed, for example, if you reinstall the VPN client or rename the PC from which you are connecting.

Sascha_Bremshey
Contributor

The reply I got for C458715E was:

"...Regarding the MAC location, the MAC location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\TRAC
The value will be taken from: "fixed_om_mac_address"="0000"
Please let me know if any further clarification is required..."

and

"...Configuring the Registry this is our only option. Regarding IOS, according to sk61866 ;
Note: In OS X, this feature is not supported..."

They won't let us look into their cards 😞

So I still use the good, well reverse-engineered "Calculate per user name": take the <username>, make an MD5 hash, and the first 12 chars are the MAC used for DHCP requests.

As we have the same users with different devices, we chose the following workaround:

Remote Access Client (LDAP and RSA SecurID) users are written in lowercase.

Capsule VPN users are authenticated with certificates, and we only enroll UPPERCASE usernames in the certs.

So I get 2 different MACs for the same user, and DHCP can provide different fixed IPs.

So the only thing we have to monitor is that no normal VPN user ever writes an uppercase username; we do this with a simple rule:

  • SRC: <Range of Capsule IPs>
  • DST: <Software deployment Server>
  • Action: Reject
  • Log: Log+Alert(Mail)

No Capsule client connects to the software deployment server on that port, so if some Capsule IP is connecting, this must be a normal client and we get an alarm.

We do the same vice versa for the Remote Access Client range.

Hope this will help someone for a workaround, as CP is not really willing to help.

DexMorgan
Explorer

Thanks for the answer. Our task is to separate the domain work laptops that connect to the network via VPN, and other home machines that also connect via VPN. We thought to solve it through a dhcp server, but today I realized that this can be achieved with much less effort through Identity Awareness.

Sascha_Bremshey
Contributor

Now I'm curious.

How can you separate company and home PCs with Identity Awareness?

DexMorgan
Explorer

Create an Access Role, in the Machines option set the OU Computers or Domain Computers Security Group, apply the Access Role in the rule and set the extended rights for PCs covered by this Access Role. For all other PCs that are not in the domain, make a rule with truncated rights by default.

Or am I misunderstanding something? I am new to this profession, and I would be glad for advice. So far we have not implemented this scheme, but we are just about to do it.

Emils_Zeliksons
Explorer

May I ask whether you managed to separate AD-joined and non-AD-joined PCs? I am very interested in whether it is actually possible to achieve the separation using the method you propose.

Thanks in advance.

Emil.

