Citrix Gateway

EPA scan for an allowed list of MAC addresses

Starting from Citrix ADC release 13.1, you can configure an EPA scan against an allowed list of MAC addresses without listing every MAC address inside the expression itself. Instead, the addresses are stored in pattern sets and the expression references the pattern set.

Prior to Citrix ADC release 13.1, every MAC address in the allowed list had to be written into the EPA expression. For example:

add authentication epaAction epa -csecexpr q/sys.client_expr("proc_0_notepad.exe") || sys.client_expr("proc_0_chrome") || sys.client_expr("proc_0_firefox") && sys.client_expr("sys_0_MAC_ADDR_anyof_1A-C8-9C-83-B0-F7,02-50-F2-0A-77-7C[COMMENT: MAC Address]")/

To configure the EPA scan for an allowed list of MAC addresses by using the CLI

  1. Store the MAC addresses inside pattern sets.

    At the command prompt, type:

    add policy patset <name> [-comment <string>]
    

    Example:

    add policy patset patset1
    bind policy patset patset1 1A-C8-9C-83-B0-F7
    bind policy patset patset1 02-50-F2-0A-77-7C … and so on up to 3K entries.
    add policy patset patset2
    bind policy patset patset2 1A-2B-3C-4D-5E-6A
    bind policy patset patset2 1A-2B-3C-4D-5E-6B … and so on up to 3K entries.
    
  2. Create a corresponding policy expression for each pattern set, using AAA.LOGIN.CLIENT_MAC_ADDR.equals_any() to match the client's MAC address against the entries of that pattern set.

    At the command prompt, type:

    add policy expression <name> <value> [-comment <string>] [-clientSecurityMessage <string>]
    

    Example:

    add policy expression exp1 AAA.LOGIN.CLIENT_MAC_ADDR.equals_any("patset1")
    add policy expression exp2 AAA.LOGIN.CLIENT_MAC_ADDR.equals_any("patset2")
    
  3. Create the EPA scan using the configured policy expressions, then attach it to an authentication policy and bind that policy to the authentication virtual server.

    At the command prompt, type:

    add authentication epaAction <name> -csecexpr <expression>
    

    Example:

    add authentication epaAction epa -csecexpr q/sys.client_expr("proc_0_notepad.exe") || sys.client_expr("proc_0_chrome") || sys.client_expr("mac-addr_0_exp1") || sys.client_expr("mac-addr_0_exp2") || sys.client_expr("proc_0_firefox")/

    add authentication Policy epapol -rule true -action epa

    bind authentication vserver <name> -policy epapol -priority 10 -gotoPriorityExpression NEXT
    

To configure the EPA scan for an allowed list of MAC addresses by using the GUI

  1. Configure a pattern set. For details, see Configuring a Pattern Set.

  2. Create a corresponding policy expression for each pattern set.

    When configuring the expression, in the Expression Editor, select AAA > LOGIN > CLIENT_MAC_ADDR > EQUAL_ANY(string) > Pattern Set.

    For details on configuring an advanced expression, see Configure advanced policy expressions in a policy.

  3. Create an EPA scan for the expression configured in the earlier steps. For details, see Advanced Endpoint Analysis scans.

Points to note

  • Configuring an EPA scan for an allowed list of MAC addresses is only applicable to nFactor authentication flows.
  • The MAC addresses must be configured in the format 1A-2B-3C-4D-5E-6F (uppercase hexadecimal pairs separated by hyphens). Entries in another notation, or with a letter O in place of a zero, do not match.
  • The format for the EPA scan is mac-addr_0_<policy-expression-name>. In this format, mac-addr_0 is a static value and you must enter the policy expression name after mac-addr_0.
  • Individual EPA scans are combined with the || and && operators. && binds more tightly than ||, so in an expression such as A || B && C the MAC check C only constrains B. If the MAC allowed list is meant to be mandatory, combine it with the other scans using && and group alternatives explicitly; a MAC scan that is simply ORed with a process scan is bypassed by any client that passes the process scan.
  • To add many MAC addresses to a pattern set, use the file-based pattern set import and specify the delimiter that separates the addresses in the file. For optimal performance, store at most 3000 entries per pattern set and split larger lists across several pattern sets, each with its own policy expression and mac-addr_0_<policy-expression-name> scan.
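The following Python script is added here as an illustration and is not part of the Citrix documentation or the NetScaler product. It takes a raw inventory of MAC addresses in mixed notations, normalises them into the required 1A-2B-3C-4D-5E-6F form, rejects malformed entries (for example a letter O in place of a zero), deduplicates, splits the list into pattern sets of at most 3000 entries, and emits the complete CLI sequence from the procedure above: one patset and one policy expression per chunk, then the epaAction, authentication policy and vserver bind. The object names (macallow_patset1, macallow_exp1, auth_vs) and the sample inventory are constructed for the example. Unlike the page's own example, the generated csecexpr ANDs the MAC allowed list with any additional process scans so that the allowed list is mandatory; this assumes the client security expression accepts parentheses for grouping.

```python
import re

# Constructed sample inventory (not from the Citrix page): MACs in the mixed
# notations an asset inventory typically exports, plus a duplicate and a bad entry.
SAMPLE_INVENTORY = """
1a:c8:9c:83:b0:f7
02-50-F2-0A-77-7C
1A2B.3C4D.5E6A
1a2b3c4d5e6b
02-50-F2-0A-77-7C
not-a-mac
"""

MAX_PER_PATSET = 3000  # Citrix recommends at most 3000 entries per pattern set

# Accepted input notations: colon/hyphen pairs, Cisco dotted quads, or bare 12 hex digits.
_MAC_RE = re.compile(
    r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
    r"|[0-9A-Fa-f]{12}"
)


def normalize_mac(raw):
    """Return the MAC in the 1A-2B-3C-4D-5E-6F form Citrix requires, or None if malformed."""
    if not _MAC_RE.fullmatch(raw):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(text):
    """Normalise every non-empty line; return (unique valid MACs in order, rejected lines)."""
    allowed, rejected, seen = [], [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        mac = normalize_mac(line)
        if mac is None:
            rejected.append(line)
        elif mac not in seen:
            seen.add(mac)
            allowed.append(mac)
    return allowed, rejected


def chunked(seq, size):
    """Yield consecutive slices of at most `size` items."""
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def render_config(macs, prefix="macallow", vserver="auth_vs", extra_scans=(),
                  max_per_patset=MAX_PER_PATSET):
    """Emit the NetScaler CLI for the MAC allowed list.

    Returns (cli_text, list_of_policy_expression_names). Object names are
    hypothetical; extra_scans are additional sys.client_expr tokens, e.g.
    ("proc_0_firefox",), that the client must also satisfy.
    """
    lines, expr_names = [], []
    for n, group in enumerate(chunked(macs, max_per_patset), start=1):
        patset, expr = f"{prefix}_patset{n}", f"{prefix}_exp{n}"
        lines.append(f"add policy patset {patset}")
        lines.extend(f"bind policy patset {patset} {mac}" for mac in group)
        lines.append(f'add policy expression {expr} AAA.LOGIN.CLIENT_MAC_ADDR.equals_any("{patset}")')
        expr_names.append(expr)

    # The allowed list is the OR of the per-patset scans (a client matches any one chunk) ...
    mac_clause = " || ".join(f'sys.client_expr("mac-addr_0_{e}")' for e in expr_names)
    # ... grouped and ANDed with the other scans so the MAC check cannot be bypassed
    # (assumes the expression parser accepts parentheses for grouping).
    terms = [f"({mac_clause})"] + [f'sys.client_expr("{s}")' for s in extra_scans]
    csecexpr = " && ".join(terms)

    lines.append(f"add authentication epaAction {prefix}_epa -csecexpr q/{csecexpr}/")
    lines.append(f"add authentication Policy {prefix}_epapol -rule true -action {prefix}_epa")
    lines.append(f"bind authentication vserver {vserver} -policy {prefix}_epapol "
                 f"-priority 10 -gotoPriorityExpression NEXT")
    return "\n".join(lines), expr_names


if __name__ == "__main__":
    allowed, rejected = parse_inventory(SAMPLE_INVENTORY)
    for bad in rejected:
        print(f"# rejected: {bad!r}")
    # max_per_patset=3 forces a second pattern set so the multi-chunk path is visible
    cli, _ = render_config(allowed, extra_scans=("proc_0_firefox",), max_per_patset=3)
    print(cli)
```

Run the script and paste its output into the NetScaler CLI; the rejected lines are printed as comments so malformed inventory entries are visible rather than silently dropped. Raise max_per_patset back to the default 3000 for real lists, and review the generated csecexpr before binding it, since the && grouping is what makes the allowed list mandatory.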
