The reply for C458715E I got was:
"...Regarding the MAC location, the MAC location is:
The value will be taken from: "fixed_om_mac_address"="0000"
Please let me know if any further clarification is required..."
"...Configuring the Registry this is our only option. Regarding IOS, according to sk61866 ;
Note: In OS X, this feature is not supported..."
They won't let us look into their cards 😞
So I still use the good well reverse engineered "Calculate per user name" -> Take the <username>, make MD5 hash and the first 12 chars is the MAC used for DHCP requests.
Once we have same users with diferent devices we chosed the following workaround:
Remote-Access-Client (LDAP and RSA-SecurID) Users are written in lowercase
Capsule VPN Users are authenticated with Certificate and we only enroll UPPERCASE Usernames in Certs.
So I got 2 different MAC for same User and DHCP can provide different fixed IPs
So only thing we have to monitor: No Normal VPN User should ever write uppercase Username, we do this with simple rule:
- SRC: <Range of Capsule IPs>
- DST: <Software deployment Server>
- Action: Reject
- Log: Log+Alert(Mail)
No Capsule Client is connecting to Software deployment Server to the Port, so if some Capsule IP is connecting this must be a Normal Client and we got an alarm.
Same way vise versa we do for Remote-Access-Client-Range
Hope this will help someone for a workaround, as CP is not really willing to help.