CheckMates > Products > Quantum > Remote Access VPN
Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)
Hi,
for special internal reasons we currently use "Calculate per user name"; with this the algorithm is clear:
take the <username>, make an MD5 hash, and the first 12 chars are the MAC used for DHCP requests.
Example:
- User: sascha
- MD5: a624a33f3501afdc109103d1bdf80840
- MAC: A6-24-A3-3F-35-01
This gives us the opportunity to set static DHCP entries for every user.
Now we are thinking about giving static VPN IPs via DHCP to any connecting machine.
But we need to know the calculated MAC address before the user connects.
Tried with 3 different machines and got these MAC addresses:
- 5f:38:13:5c:cd:d9
- 9d:7b:a3:b6:d3:61
- aa:7c:47:4a:f3:bc
I have no idea how those MACs were calculated.
Any hints from you?
Thanks and best regards,
Sascha
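As an added example (not code from this thread or from Check Point), the following Python reproduces the "Calculate per user name" recipe described above and builds a static DHCP reservation table from a constructed user roster. That the client hashes the UTF-8 bytes of the name, the 10.99.0.0/24 pool and the usernames in the roster are assumptions.

```python
import hashlib
import ipaddress

# Added example, not Check Point code: reproduces the "Calculate per user name"
# Office Mode MAC derivation as the thread describes it (MD5 of the username,
# first 12 hex digits) and builds a DHCP reservation table from it.


def office_mode_mac(username: str, sep: str = "-", upper: bool = True) -> str:
    """Return the Office Mode MAC derived from a username.

    Thread recipe: MD5(username) -> first 12 hex chars -> 6 octets.
    The name is hashed as given (no case folding), so 'sascha' and 'SASCHA'
    yield different MACs. Assumption: the UTF-8 bytes of the name are hashed.
    """
    digest = hashlib.md5(username.encode("utf-8")).hexdigest()
    octets = [digest[i:i + 2] for i in range(0, 12, 2)]
    mac = sep.join(octets)
    return mac.upper() if upper else mac.lower()


def parse_mac(mac: str) -> str:
    """Normalise AA-BB-CC-DD-EE-FF or aa:bb:... into lowercase colon form."""
    hexdigits = "".join(ch for ch in mac if ch.isalnum())
    if len(hexdigits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2].lower() for i in range(0, 12, 2))


def build_reservations(usernames, pool_start: str, pool_size: int) -> dict:
    """Map each username to (MAC, fixed IP), one address per user from a pool.

    Raises if the pool is too small or if two usernames collide on a MAC:
    a 48-bit MD5 prefix collision is unlikely, but a static reservation table
    must never hand two users the same address.
    """
    if len(usernames) > pool_size:
        raise ValueError("pool too small for the user list")
    first = ipaddress.IPv4Address(pool_start)
    table, seen = {}, {}
    for n, user in enumerate(sorted(usernames)):
        mac = office_mode_mac(user)
        if mac in seen:
            raise ValueError(f"MAC collision: {user!r} and {seen[mac]!r}")
        seen[mac] = user
        table[user] = (mac, str(first + n))
    return table


if __name__ == "__main__":
    # Constructed roster and pool (assumptions, not values from the thread).
    reservations = build_reservations(["sascha", "nelson", "emil"], "10.99.0.10", 200)
    for user, (mac, ip) in reservations.items():
        print(f"{user:8} {mac}  {parse_mac(mac)}  {ip}")
```

The MAC for "sascha" printed by this script can be compared against the `vpn macutil sascha` output quoted later in the thread. Note that the derived MAC is a deterministic identifier, not a secret: the DHCP reservation only decides which address a session gets, while who may connect is still decided by the gateway's authentication.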
Usually, users connect either using a LAN Ethernet adapter and its MAC or a WLAN adapter and its MAC - so I do not understand your question...
Once the VPN tunnel is established, the client requests an IP for Office Mode.
The client therefore uses no known MAC (neither the MAC of the LAN nor of the WiFi adapter). It is a MAC address calculated with CP magic ...
I don't know how it works for machines, or whether it works the same, but for users you can use "vpn macutil".
# vpn macutil sascha
A6-24-A3-3F-35-01, "sascha"
This is explained in Mobile Access Administration Guide R80.30 p.87ff !
Nope, the Admin Guide only describes how to enable the magic, but not how the magic is done.
In the end there is a unique MAC address for each connecting client.
I need to know the recipe and don't want to get surprised by any new client.
I need to configure every one of our 800 clients in DHCP, and an IP pool is not allowed.
Works fine with username, but in future we want to switch to machines (the same user should be able to log in at the same time with different machines).
/BR
Sascha
Mobile Access Administration Guide R80.30 p.87f :
Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable to enable the DHCP send replies correctly.
DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address.
---> Looks like the machine MAC visible to the GW is used here...
I know vpn macutil, and the algorithm is described above: MD5 the username and take the first 12 chars.
Need to know the algorithm for the "unique per machine" part.
Why not ask TAC on how to configure that ?
Will turn to TAC...
Thanks so far for sharing your thoughts.
Hi, did you receive a response from TAC? I have a task similar to yours. I need to know the mac address calculation algorithm per machines. Please share the information.
Hello.
I'm trying to configure this "Unique per machine", but it changes the UID every time the machine restarts. So, it's more "Unique per boot".
Does yours do the same?
Do you know anything about it?
I'm using "Unique per user" and it's working and keeps same UID.
Best regards.
Nelson
Tags: r80.30
Hello.
I don't know about the UID, but with the option "Unique per machine" the MAC address generated by CP did not change after a reboot. It changed, for example, if you reinstalled the VPN client or renamed the PC from which you are connecting.
The reply for C458715E I got was:
"...Regarding the MAC location, the MAC location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\TRAC
The value will be taken from: "fixed_om_mac_address"="0000"
Please let me know if any further clarification is required..."
and
"...Configuring the Registry this is our only option. Regarding IOS, according to sk61866 ;
Note: In OS X, this feature is not supported..."
They won't let us look into their cards 😞
So I still use the good, well reverse-engineered "Calculate per user name" -> take the <username>, make an MD5 hash, and the first 12 chars are the MAC used for DHCP requests.
Once we had the same users with different devices, we chose the following workaround:
Remote Access Client (LDAP and RSA SecurID) users are written in lowercase.
Capsule VPN users are authenticated with a certificate, and we only enroll UPPERCASE usernames in certs.
So I get 2 different MACs for the same user, and DHCP can provide different fixed IPs.
So the only thing we have to monitor: no normal VPN user should ever write an uppercase username; we do this with a simple rule:
- SRC: <Range of Capsule IPs>
- DST: <Software deployment Server>
- Action: Reject
- Log: Log+Alert(Mail)
No Capsule client connects to the software deployment server on that port, so if some Capsule IP is connecting, this must be a normal client and we get an alarm.
We do the same, vice versa, for the Remote Access Client range.
Hope this will help someone as a workaround, as CP is not really willing to help.
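As an added example (not code from this thread or from Check Point), the following Python models the workaround just described: Remote Access Client users log in lowercase and Capsule users uppercase, so each person ends up with two Office Mode MACs, and a check over constructed session records flags the case violations that the reject-and-alert rule is there to catch. The client-type labels, the session record layout and the usernames are assumptions.

```python
import hashlib

# Added example, not Check Point code. Models the thread's workaround: one
# username case per client type gives two Office Mode MACs per person, and a
# session whose username case does not match its client type is flagged,
# mirroring the reject+alert firewall rule described in the thread.


def office_mode_mac(username: str) -> str:
    """'Calculate per user name' recipe from the thread: MD5, first 12 hex digits."""
    d = hashlib.md5(username.encode("utf-8")).hexdigest()[:12]
    return "-".join(d[i:i + 2] for i in range(0, 12, 2)).upper()


# Expected username case per client type (the thread's convention; the
# client-type labels are assumptions).
EXPECTED_CASE = {"remote_access": str.lower, "capsule": str.upper}


def mac_pair(person: str) -> dict:
    """Both MACs one person gets under the workaround, keyed by client type."""
    return {client: office_mode_mac(fold(person)) for client, fold in EXPECTED_CASE.items()}


def case_violations(sessions):
    """Return the sessions whose username case does not match the client type.

    sessions: iterable of dicts with 'user' and 'client' keys (constructed
    record layout). A mismatch means the user hashes to the other MAC and
    lands on the fixed IP, and therefore the firewall rules, of the wrong
    client type; an unknown client type is flagged as well.
    """
    bad = []
    for s in sessions:
        fold = EXPECTED_CASE.get(s["client"])
        if fold is None or fold(s["user"]) != s["user"]:
            bad.append(s)
    return bad


if __name__ == "__main__":
    # Constructed session records, not real gateway log lines.
    SESSIONS = [
        {"user": "sascha", "client": "remote_access"},
        {"user": "SASCHA", "client": "capsule"},
        {"user": "Sascha", "client": "remote_access"},  # mixed case: wrong
        {"user": "nelson", "client": "capsule"},         # lowercase on Capsule: wrong
    ]
    print("MACs for sascha:", mac_pair("sascha"))
    for s in case_violations(SESSIONS):
        print("alert:", s)
```

The check is the log-side complement of the firewall rule: the rule fires only when a misnamed client actually talks to the deployment server, whereas comparing username case against client type at login time catches the mismatch before any traffic is sent.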
Thanks for the answer. Our task is to separate the domain work laptops that connect to the network via VPN, and other home machines that also connect via VPN. We thought to solve it through a dhcp server, but today I realized that this can be achieved with much less effort through Identity Awareness.
Now I'm curious.
How can you separate company and home PCs with Identity Awareness?
Create an Access Role, in the Machines option set the OU Computers or Domain Computers Security Group, apply the Access Role in the rule and set the extended rights for PCs covered by this Access Role. For all other PCs that are not in the domain, make a rule with truncated rights by default.
Or am I misunderstanding something? I am new to this profession, and I will be glad of advice. So far we have not implemented this scheme, but we are just about to do it.
May I ask if you managed to separate AD and non-AD connected PCs? I am very interested in whether it is actually possible to achieve separation using the method you propose.
Thanks in advance.
Emil.
