Under macOS version 10.15.3, the extensions used by Citrix NetScaler Gateway could be allowed in the Security settings under System Preferences, as suggested in this serverfault answer. However, macOS 10.15.4 no longer offers this option, so the latest version of NetScaler Gateway does not work. This can be seen in the log files. Sep 03, 2018.
Applicable Products
Objective
This article contains information about how to configure NetScaler Gateway EPA to scan the Media Access Control (MAC) address to authenticate the IP address of the user.
Background
When authenticating the MAC address of an internet user against predefined combinations of MAC addresses and IP addresses, the network-based MAC address scan fails. This is because the network traffic from the internet does not contain the actual MAC address of the user. The MAC address available with the network traffic is that of a gateway or an intermediate appliance.
Therefore, to scan the MAC address from the computer of the user, a registry-based scan or a Client Security scan must be performed.
Instructions
Registry Based Method
Complete the following procedure to perform a registry-based scan for the MAC address of an internet user to authenticate them against predefined combinations of MAC addresses and IP addresses:
Note: The following procedure contains a sample configuration with registry scan to search the MAC address or an equivalent entry in the registry of the computer.
Non-Registry Based Method
The following is the preauthentication policy for MAC address and domain check:
EPA MAC Check:
CLIENT.SYSTEM('MAC_ADDR_anyof_XXXXXXXXXXXX[COMMENT: MAC Address]') EXISTS
Note: no colons, spaces, or dashes in the MAC address.
To enable preauthentication policy for MAC address, run the following command from CLI:
add aaa preauthenticationpolicy <policy name> 'CLIENT.SYSTEM('MAC_ADDR_anyof_<MAC address>[COMMENT: MAC Address]') EXISTS' <Action Name>
Additional Resources
On a Mac, the MAC address filter in EPA appears as follows:
CLIENT.SYSTEM(MAC-MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]) EXISTS
whereas for Windows it appears as:
MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]
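The expressions above need the MAC address without separators and use a different prefix on Mac than on Windows. As an added example (not Citrix code), this Python helper normalizes addresses from an inventory and builds both forms; the function names, the sample addresses, and the quoting applied to the Mac form are assumptions.

```python
import re

# Prefixes as shown on this page: Windows uses MAC_ADDR, the Mac form adds "MAC-".
PREFIX = {"windows": "MAC_ADDR_anyof_", "mac": "MAC-MAC_ADDR_anyof_"}

_SEPARATORS = re.compile(r"[\s:.\-]")
_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(raw):
    """Strip colons, dashes, dots and spaces; require exactly 12 hex digits.

    Letter case is left as entered; the page does not say whether the
    scan compares case-sensitively.
    """
    bare = _SEPARATORS.sub("", raw)
    if not _HEX12.fullmatch(bare):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return bare


def epa_expression(raw_mac, platform="windows"):
    """Build the EPA scan expression for one MAC address.

    Quoting follows the Windows example on this page; using the same
    quoting for the Mac form is an assumption of this sketch.
    """
    if platform not in PREFIX:
        raise ValueError(f"unknown platform: {platform!r}")
    mac = normalize_mac(raw_mac)
    return f"CLIENT.SYSTEM('{PREFIX[platform]}{mac}[COMMENT: MAC Address]') EXISTS"


def build_expressions(inventory):
    """Split an inventory into valid expressions and rejected entries."""
    ok, rejected = [], []
    for raw, platform in inventory:
        try:
            ok.append(epa_expression(raw, platform))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return ok, rejected


if __name__ == "__main__":
    # Constructed sample inventory (locally administered addresses, not real devices).
    sample = [("02:00:5E:10:00:01", "windows"), ("02-00-5e-10-00-02", "mac"),
              ("0200.5e10.0003", "windows"), ("02:00:5E:10:00", "windows")]
    good, bad = build_expressions(sample)
    print(*good, sep="\n")
    print("rejected:", bad)
```

Entries that do not reduce to 12 hex digits are reported instead of being turned into a policy that can never match.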
Disclaimer
Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Applicable Products
Symptoms or Error
An EPA policy expression created in the OPSWAT editor does not work on Mac OS 10.13 after upgrading from 10.12.
Example:
CLIENT.APPLICATION('ANTIVIR_0_RTP__TRUE[COMMENT: Generic Antivirus Product Scan]') EXISTS' <Action Name>
CLIENT.APPLICATION('FIREWALL_0_ENABLED__TRUE[COMMENT: Generic Firewall Product Scan]') EXISTS' <Action Name>
Solution
Mac OS 10.13 does not support EPA policies created using OPSWAT currently.
Citrix is currently working on OPSWAT for Mac OS 10.13 and the feature will be released in Q2 2018. However, classic EPA policies can be created to check local firewall only on Mac OS 10.13 as a workaround.
Example: (REQ.HTTP.HEADER User-Agent CONTAINS "abc" || CLIENT.OS(MacOS).VERSION 10.xx)
NOTE: Mac OS 10.13 is supported with EPA plugins versions 3.4.1 and 3.9.9, which are distributed with NetScaler 11.1.57.11 and 12.0.57.19 respectively.
Problem Cause
Additional Resources
For additional information and supported EPA scans and software please refer to https://support.citrix.com/article/CTX207623
Links to EPA plugins that support Mac OS 10.13:
https://www.citrix.com/downloads/netscaler-gateway/plug-ins/netscaler-gateway-plug-in-clients-v111-5711.html
https://www.citrix.com/downloads/netscaler-gateway/plug-ins/netscaler-gateway-plug-in-399-for-mac.html