EPA scan for MAC addresses
Starting from Citrix ADC release 13.0-88.x, you can configure EPA scan configurations for the allowed or specific MAC addresses. Citrix ADC uses policy expressions and pattern sets to specify the list of MAC addresses.
Prior to Citrix ADC release 13.0-88.x, the list of all the allowed MAC addresses had to be specified as part of an EPA expression. If the customers had a huge list of allowed MAC addresses, it was cumbersome to add all the MAC addresses in one expression. Also, there was a limitation on the number of MAC addresses to be added in a single expression.
For example,
add authentication epaAction epa -csecexpr q/sys.client_expr("proc_0_notepad.exe") || sys.client_expr("proc_0_chrome") || sys.client_expr("proc_0_firefox") && sys.client_expr("sys_0_MAC_ADDR_anyof_1AC89C83BOF7,0250F20A777C[COMMENT: MAC Address]")/
<!--NeedCopy-->
Configure the EPA scan for MAC addresses by using the GUI
The MAC Addresses (expression) option that was previously available in the Windows scan category is now available in the Common scan category of the Citrix ADC GUI. This option enables users to configure an EPA scan for a list of allowed or specific MAC addresses.
Note:
Citrix Secure Access client 22.10.1 and later versions support this method of Citrix ADC handling the EPA scan configurations on the GUI.
-
Configure a pattern set. For details, see Configuring a Pattern Set.
-
Create a corresponding policy expression for each pattern set.
When configuring the expression, in the Expression Editor, select AAA > LOGIN > CLIENT_MAC_ADDR > EQUAL_ANY(string) > Pattern Set.
For details on configuring an advanced expression, see Configure advanced policy expressions in a policy.
-
Create an EPA scan for the expression configured in the earlier steps. For details, see Advanced Endpoint Analysis scans.
Configure the EPA scan for MAC addresses by using the CLI
-
Store the MAC addresses inside pattern sets.
At the command prompt, type;
add policy patset <name> [-comment <string>] <!--NeedCopy-->
Example:
add policy patset patset1 bind policy patset patset1 1A-C8-9C-83-BO-F7 bind policy patset patset1 02-50-F2-0A-77-7C … and so on up to 3K entries. add policy patset patset2 bind policy patset patset2 1A-2B-3C-4D-5E-6A bind policy patset patset2 1A-2B-3C-4D-5E-6B … and so on up to 3K entries. <!--NeedCopy-->
-
Create a corresponding policy expression for each pattern set using AAA.LOGIN.CLIENT_MAC_ADDR.equals_any()
At the command prompt, type;
Add policy expression <name> <value> [-comment <string>] [-clientSecurityMessage <string>] <!--NeedCopy-->
Example:
add policy expression exp1 AAA.LOGIN.CLIENT_MAC_ADDR.equals_any("patset1") add policy expression exp2 AAA.LOGIN.CLIENT_MAC_ADDR.equals_any("patset2") <!--NeedCopy-->
-
Create EPA scans using the configured policy expressions
At the command prompt, type;
add authentication epaAction <name> -csecexpr <expression> <!--NeedCopy-->
Example:
add authentication epaAction epa -csecexpr q/sys.client_expr("proc_0_notepad.exe") || sys.client_expr("proc_0_chrome") || sys.client_expr("mac-addr_0_exp1") || sys.client_expr("mac-addr_0_exp2") || sys.client_expr("proc_0_firefox")/ <!--NeedCopy-->
Configure a preauthentication policy,
add authentication Policy epapol -rule true -action epa <!--NeedCopy-->
Bind the preauthentication policy,
bind authentication vserver <name> -policy epapol -priority 10 -gotoPriorityExpression NEXT <!--NeedCopy-->
Points to note
- Configuring an EPA scan for an allowed list of MAC addresses is only applicable for the nFactor authentication flows.
- It is recommended to store not more than 3000 entries in a pattern set.
- The MAC addresses must be configured in the format 1A-2B-3C-4D-5E-6F.
- The format for the EPA scan is
mac-addr\_0\_<policy-expression-name>
. In this format,mac-addr\_0\_
is a static value and you must enter the policy expression name aftermac-addr\_0\_
. - The EPA scans can be separated appropriately using the symbols
\( \||, &&)
. - To add many MAC addresses to a pattern set, you can use the file-based pattern sets import. It is recommended to store a maximum of 3000 entries/pattern set for optimal performance.
- If MAC addresses are present inside a file, you can create a pattern set by using file-based pattern sets import and specifying the appropriate delimiter during the import.