Office Mode: Algorithm behind "Unique per machine" (MAC address for DHCP allocation)

Hi,

For special internal reasons we currently use "Calculate per user name"; with this the algorithm is clear:
Take the <username>, make an MD5 hash, and the first 12 chars is the MAC used for DHCP requests.

Example:

  • User: sascha
  • MD5: a624a33f3501afdc109103d1bdf80840
  • MAC: A6-24-A3-3F-35-01

This gives us the opportunity to set static DHCP entries for every user.

Now we are thinking about giving static VPN IPs via DHCP to any connecting machine.
But we need to know the calculated MAC address before the user connects.
Tried with 3 different machines and got these MAC addresses:

  • 5f:38:13:5c:cd:d9
  • 9d:7b:a3:b6:d3:61
  • aa:7c:47:4a:f3:bc

I have no idea how those MACs were calculated.
Any hints from you?

Thanks and best regards,
Sascha

0 Kudos
16 Replies
Sapphire

Usually, users connect either using a LAN Ethernet adapter and its MAC or a WLAN adapter and its MAC - so I do not understand your question...

0 Kudos

You are correct, users connect with LAN or WiFi and its MAC to the local network.
Once the VPN tunnel is established, the client requests an IP for Office Mode.
The client therefore uses no known MAC (neither the MAC of the LAN nor of the WiFi adapter). It is a MAC address calculated with CP magic...
0 Kudos

I don't know how it works for machines, or if it works the same, but for users you can use "vpn macutil".

# vpn macutil sascha
A6-24-A3-3F-35-01, "sascha"

0 Kudos
Sapphire

This is explained in the Mobile Access Administration Guide R80.30, p. 87ff!

0 Kudos

Nope, the Admin Guide only describes how to enable the magic, but not how the magic is done.

In the end there is a unique MAC address for each connecting client.

I need to know the recipe and don't want to get surprised by any new client.

I need to configure every one of our 800 clients in DHCP, and an IP pool is not allowed.

Works fine with username, but in future we want to switch to machines (the same user should be able to log in at the same time with different machines).

/BR

Sascha

0 Kudos
Sapphire

Mobile Access Administration Guide R80.30, p. 87f:

Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable to enable the DHCP send replies correctly. 

DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address. 

---> Looks like the machine MAC visible to the GW is used here...

0 Kudos

I know vpn macutil, and the algorithm is described above: MD5 the username and take the first 12 chars.

Need to know the algorithm for the "unique per machine" part.

0 Kudos
Sapphire

Why not ask TAC how to configure that?

0 Kudos

Was hoping someone in the community would know the answer.
Will turn to TAC...
Thanks so far for sharing your thoughts.
0 Kudos
Ivory

Hi, did you receive a response from TAC? I have a task similar to yours. I need to know the MAC address calculation algorithm per machine. Please share the information.

0 Kudos
Ivory

Hello.

I'm trying to configure this "Unique per machine" but it changes the UID every time the machine restarts. So it's more "Unique for boot".

Does yours do the same?

Do you know anything about it?

I'm using "Unique per user" and it's working and keeps same UID.

Best regards.

Nelson

0 Kudos
Ivory

Hello.

I don't know about the UID, but with the option "Unique per machine" the MAC address generated by CP did not change after a reboot. It changed, for example, if you reinstalled the VPN client or renamed the PC from which you are connecting.

0 Kudos

The reply I got for C458715E was:

"...Regarding the MAC location, the MAC location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\TRAC
The value will be taken from: "fixed_om_mac_address"="0000"
Please let me know if any further clarification is required..."

and

"...Configuring the Registry this is our only option. Regarding IOS, according to sk61866 ;
Note: In OS X, this feature is not supported..."

They won't let us look into their cards 😞

So I still use the good, well reverse-engineered "Calculate per user name" -> take the <username>, make an MD5 hash, and the first 12 chars is the MAC used for DHCP requests.

Once we have the same users with different devices, we chose the following workaround:

Remote Access Client (LDAP and RSA SecurID) users are written in lowercase.

Capsule VPN users are authenticated with certificates, and we only enroll UPPERCASE usernames in the certs.

So I get 2 different MACs for the same user, and DHCP can provide different fixed IPs.

So the only thing we have to monitor: no normal VPN user should ever write an uppercase username. We do this with a simple rule:

  • SRC: <Range of Capsule IPs>
  • DST: <Software deployment Server>
  • Action: Reject
  • Log: Log+Alert(Mail)

No Capsule client is connecting to the software deployment server on that port, so if some Capsule IP is connecting, this must be a normal client and we get an alarm.

The same way, vice versa, we do it for the Remote Access Client range.

Hope this will help someone as a workaround, as CP is not really willing to help.

0 Kudos
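Worked example, added here and not code from Check Point or from anyone in this thread: it reproduces the "Calculate per user name" derivation the first post describes (MD5 of the username, first 12 hex characters, formatted as a MAC), mimics the "vpn macutil" output line quoted above, shows the case-sensitivity that the lowercase/UPPERCASE workaround in the previous post relies on, and adds a collision check a practitioner would want before loading a few hundred static DHCP reservations. Assumptions (mine, not stated on the page): the username is hashed as UTF-8 bytes exactly as typed, with no normalisation; the function names are hypothetical.

```python
import hashlib
import re

# Added example (not Check Point's code). Reproduces the per-user Office Mode
# MAC derivation described in the thread: MD5(username), first 12 hex chars.

MAC_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")


def office_mode_mac(username: str, sep: str = "-") -> str:
    """Return the per-user Office Mode MAC as the thread describes it.

    Assumption: the client hashes the username as UTF-8 bytes exactly as
    typed. The thread does not say which encoding is used; for plain ASCII
    names the result is the same either way.
    """
    digest = hashlib.md5(username.encode("utf-8")).hexdigest()
    first12 = digest[:12].upper()
    return sep.join(first12[i:i + 2] for i in range(0, 12, 2))


def macutil_line(username: str) -> str:
    """Mimic the 'vpn macutil <user>' output line quoted in the thread."""
    return f'{office_mode_mac(username)}, "{username}"'


def case_variants_collide(username: str) -> bool:
    """The workaround relies on 'sascha' and 'SASCHA' mapping to different
    MACs. MD5 is case-sensitive on its input bytes, so this is False for any
    name that contains at least one letter."""
    return office_mode_mac(username.lower()) == office_mode_mac(username.upper())


def find_mac_collisions(usernames):
    """Group usernames by derived MAC and return only MACs claimed by more
    than one name. Two names sharing the first 48 bits of their MD5 would
    receive the same static DHCP reservation, i.e. the same fixed VPN IP."""
    by_mac = {}
    for name in usernames:
        by_mac.setdefault(office_mode_mac(name), []).append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}


if __name__ == "__main__":
    # The thread reports A6-24-A3-3F-35-01 for "sascha"; compare against it.
    for name in ("sascha", "SASCHA"):
        print(macutil_line(name))
    print("collisions:", find_mac_collisions(["sascha", "SASCHA", "nelson"]))
```

Run it and compare the first printed line with the "vpn macutil sascha" output quoted earlier in the thread. The collision check is worth running over the full user list once before creating the reservations, since nothing on the DHCP side warns when two reservations share a MAC.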
Ivory

Thanks for the answer. Our task is to separate the domain work laptops that connect to the network via VPN from other home machines that also connect via VPN. We thought to solve it through a DHCP server, but today I realized that this can be achieved with much less effort through Identity Awareness.

0 Kudos

Now I'm curious.

How can you separate company and home PCs with Identity Awareness?

0 Kudos
Ivory

Create an Access Role, in the Machines option set the OU Computers or the Domain Computers security group, apply the Access Role in the rule, and set the extended rights for PCs covered by this Access Role. For all other PCs that are not in the domain, make a rule with reduced rights by default.

Or am I misunderstanding something? I am new to this profession, and I will be glad of advice. So far we have not implemented this scheme, but we are just about to do it.

0 Kudos