CTX118871
NetScaler,NetScaler Gateway
NetScaler Gateway_all,NetScaler_all
Security
2016-04-15
2014-05-20
This article describes how to scan the Macintosh address of an Internet user to authenticate the IP address of the User.

Objective

This article contains information about how to scan the Media Access Control (MAC) address of an Internet user to authenticate the IP address of the user.

Background

When authenticating the Media Access Control (MAC) address of an internet user against predefined combinations of MAC addresses and IP addresses, the network-based MAC address scan fails. This is because the network traffic from the internet does not contain the actual MAC address of the user. The MAC address available with the network traffic is that of a gateway or an intermediate appliance.

Therefore, to scan the MAC address from the computer of the user, registry-based scan or a Client Security scan must be performed.


Instructions

Complete the following procedure to perform a registry-based scan for the MAC address of an internet User to authenticate it against predefined combinations of MAC addresses and IP addresses:

Note: The following procedure contains a sample configuration with registry scan to search the MAC address or an equivalent entry in the registry of the computer.

  1. Search the MAC address in the registry of the computer.The exact match of the MAC address might not be easy to search. However, you can search for an equivalent entry for the MAC address. To search, run the following command on from the command prompt:
    net config rdr
    The following is the sample output of the command:

     Computer name                        \\EXAMPLE Full Computer name                   example.example.com User name                            example Workstation active on NetbiosSmb (000000000000) NetBT_Tcpip_{A38A41F5-783E-4AED-9035-A2798922CE33} (0013021208BD) NetBT_Tcpip_{A38A41F5-783E-4AED-9035-A2798922CE33} (001B770736BC) Software version                     Windows 2002 Workstation domain                   EXAMPLE Workstation Domain DNS Name          example.COM Logon domain                         EXAMPLE COM Open Timeout (sec)               0 COM Send Count (byte)                16 COM Send Timeout (msec)              250

    The command completed successfully.

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  2. Run the following command from the command prompt to start the Registry Editor utility:

    regedt32

    Note: Do not use the regedit command to start the Registry Editor utility. You cannot make the appropriate search if you run the regedit command.

  3. Search the key identified in the Step 1, such as A38A41F5-783E-4AED-9035-A2798922CE33, in the registry of the computer.The search for the sample entry displays that the key exists at the following location in the registry:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

    The following screen shot displays the location of the key in the Registry Editor Window:

    User-added image

    In addition, the search shows that the sub key for this entry is NetCfgInstanceId. To locate the actual network interface card (NIC), ensure that you check all the options available under the entry. In the preceding screen shot, the Status Bar of the Registry Editor Window displays the complete path of the sub key.

  4. Run the following command from the command line interface of the NetScaler appliance to add the path that is identified in the preceding steps of the procedure:

     add aaa preauthenticationpolicy scan_epa q/CLIENT.REG(HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Class {4D36E972-E325-11CE-BFC1-08002BE10318}  0011_NetCfgInstanceId).VALUE == ' { A38A41F5-783E-4AED-9035-A2798922CE33}  ' && REQ.IP.SOURCEIP == 10.103.0.42/ EPA

    In this command, scan_epa is the name of the policy and EPA is the name of the action.

  5. Run the following command from the NetScaler CLI to enable pre-authentication checks:

     set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true

    Note: Use this procedure to authenticate a small group of users. However, it might not be practical to add each of the large number of Secure Access (SSL VPN) users.


Disclaimer

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Applicable Products


 

Join the conversation

Citrix Discussions

Open a case

Citrix Support

特别说明


本文来源为Citrix.com所有,翻译后版权归翻译者所有.如需转载请注明出处.

文档版本


.

广告招租


最新留言


.

广告招租


.