
Applicable Products

  • NetScaler Gateway


Objective

This article contains information about how to configure NetScaler Gateway EPA to scan the Media Access Control (MAC) address to authenticate the IP address of the user.

Background

When authenticating the MAC address of an internet user against predefined combinations of MAC addresses and IP addresses, the network-based MAC address scan fails. This is because the network traffic from the internet does not contain the actual MAC address of the user. The MAC address available with the network traffic is that of a gateway or an intermediate appliance.

Therefore, to scan the MAC address from the computer of the user, a registry-based scan or a Client Security scan must be performed.

Instructions

Registry Based Method

Complete the following procedure to perform a registry-based scan for the MAC address of an internet user to authenticate them against predefined combinations of MAC addresses and IP addresses:
Note: The following procedure contains a sample configuration with registry scan to search the MAC address or an equivalent entry in the registry of the computer.

  1. Search for the MAC address in the registry of the computer. An exact match of the MAC address might not be easy to find. However, you can search for an equivalent entry for the MAC address. To find it, run the following command from the command prompt:
    net config rdr
    The following is the sample output of the command:

    The command completed successfully.

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  2. Run the following command from the command prompt to start the Registry Editor utility:
    regedt32
    Note: Do not use the regedit command to start the Registry Editor utility. You cannot make the appropriate search if you run the regedit command.

  3. Search for the key identified in Step 1, such as A38A41F5-783E-4AED-9035-A2798922CE33, in the registry of the computer. The search for the sample entry shows that the key exists at the following location in the registry:

    The following screen shot displays the location of the key in the Registry Editor Window:

    In addition, the search shows that the sub key for this entry is NetCfgInstanceId. To locate the actual network interface card (NIC), ensure that you check all the options available under the entry. In the preceding screen shot, the Status Bar of the Registry Editor Window displays the complete path of the sub key.

  4. Run the following command from the command line interface of the NetScaler appliance to add the path that is identified in the preceding steps of the procedure:
    add aaa preauthenticationpolicy scan_epa q/CLIENT.REG(HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Class\\\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\\\0011_NetCfgInstanceId).VALUE == '{A38A41F5-783E-4AED-9035-A2798922CE33}' && REQ.IP.SOURCEIP == 10.103.0.42/ EPA

    In this command, scan_epa is the name of the policy and EPA is the name of the action.

  5. Run the following command from the NetScaler CLI to enable pre-authentication checks:
    set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true

    Note: Use this procedure to authenticate a small group of users. It might not be practical to add an entry for each of a large number of Secure Access (SSL VPN) users.

Non-Registry Based Method

The following is the preauthentication policy for MAC address and domain check:
EPA MAC check: CLIENT.SYSTEM('MAC_ADDR_anyof_XXXXXXXXXXXX[COMMENT: MAC Address]') EXISTS, with no colons, spaces, or dashes in the MAC address.

To enable preauthentication policy for MAC address, run the following command from CLI:
add aaa preauthenticationpolicy <policy name> "CLIENT.SYSTEM('MAC_ADDR_anyof_<MAC address>[COMMENT: MAC Address]') EXISTS" <Action Name>
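
The lookup in steps 1 to 3 of the registry-based method, and the separator-free MAC format the non-registry expression expects, can be collected in one pass on the Windows client. This PowerShell script is an added example, not part of the Citrix article; it assumes Get-NetAdapter is available (Windows 8 / Server 2012 or later), and the output column names are its own.

```powershell
# Added example: list every network adapter with the registry subkey that holds
# its NetCfgInstanceId, plus its MAC address in the separator-free form used by
# the MAC_ADDR_anyof_ expression. Run on the client computer being enrolled.

# Network adapter device class key (same path as in step 4 of the procedure).
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# Build a lookup of MAC address by interface GUID as reported by the OS.
$macByGuid = @{}
foreach ($nic in Get-NetAdapter -IncludeHidden) {
    if ($nic.InterfaceGuid) {
        $macByGuid[$nic.InterfaceGuid.ToUpper()] = $nic.MacAddress
    }
}

# Walk the numbered subkeys (0000, 0001, ...). Non-adapter subkeys such as
# "Properties" are skipped; access-denied errors on them are suppressed.
Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d{4}$' } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.NetCfgInstanceId) { return }   # no GUID stored here

        $mac = $macByGuid[$props.NetCfgInstanceId.ToUpper()]

        [pscustomobject]@{
            SubKey           = $_.PSChildName           # e.g. the "0011" part of the path
            DriverDesc       = $props.DriverDesc        # helps identify the physical NIC
            NetCfgInstanceId = $props.NetCfgInstanceId  # value compared by CLIENT.REG(...).VALUE
            MacAddress       = $mac
            # Strip dashes, colons, dots and spaces for MAC_ADDR_anyof_<MAC address>.
            MacForEpa        = if ($mac) { $mac -replace '[-:. ]', '' } else { $null }
        }
    } |
    Format-Table -AutoSize
```

Virtual and tunnel adapters appear in the same list, so use DriverDesc to confirm the row belongs to the physical NIC before copying SubKey and NetCfgInstanceId into the policy.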

Additional Resources

On Mac, the MAC address filter in EPA is as follows:

CLIENT.SYSTEM(MAC-MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]) EXISTS

whereas for Windows it appears as:

MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]

Disclaimer

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Applicable Products

  • NetScaler

Symptoms or Error

An EPA policy expression created in the OPSWAT editor does not work on Mac OS 10.13 after upgrading from 10.12.
Example:
CLIENT.APPLICATION('ANTIVIR_0_RTP__TRUE[COMMENT: Generic Antivirus Product Scan]') EXISTS' <Action Name>
CLIENT.APPLICATION('FIREWALL_0_ENABLED__TRUE[COMMENT: Generic Firewall Product Scan]') EXISTS' <Action Name>

Solution

Mac OS 10.13 does not currently support EPA policies created using OPSWAT.
Citrix is currently working on OPSWAT for Mac OS 10.13, and the feature will be released in Q2 2018.
However, classic EPA policies can be created to check local firewall only on Mac OS 10.13 as a workaround.
Example:
(REQ.HTTP.HEADER User-Agent CONTAINS "abc" CLIENT.OS(MacOS).VERSION 10.xx)
NOTE:
Mac OS 10.13 is supported with EPA plug-in versions 3.4.1 and 3.9.9, which are distributed with NetScaler 11.1.57.11 and 12.0.57.19 respectively.

Problem Cause

Additional Resources

For additional information about supported EPA scans and software, refer to https://support.citrix.com/article/CTX207623
Links to EPA plug-ins that support Mac OS 10.13:
https://www.citrix.com/downloads/netscaler-gateway/plug-ins/netscaler-gateway-plug-in-clients-v111-5711.html
https://www.citrix.com/downloads/netscaler-gateway/plug-ins/netscaler-gateway-plug-in-399-for-mac.html