Assumption by name

Postby jah » Mar 31 04 5:41 pm

Can I assume users by name if I use the Windows 2000 DHCP server and the WinGate DHCP server is disabled?
jah
 
Posts: 17
Joined: Oct 15 03 8:27 pm

Postby Pascal » Mar 31 04 5:50 pm

WinGate needs to serve the DHCP request to assume users by MAC address. If you are using assumptions by IP, you can use any DHCP Server.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Assume by MAC address

Postby mikebos » Aug 02 04 2:38 pm

Pascal,

How do you assume by MAC address?

I can set a policy for an assumed computer name or IP but multiple user accounts seem to block each other.

Setting multiple policies to secure MAC addresses under Everyone also blocks each other out.

Regards
Mike Bos.
mikebos
 
Posts: 39
Joined: Nov 11 03 2:55 pm

Postby Pascal » Aug 02 04 2:43 pm

Wrong wording in the post - it's an assumption by computer name. If you are trying to set up policies for that, remember that the Filters and Criteria work as an AND and an OR condition. So, if you have multiple criteria under a filter, all the criteria must be true for the filter to be granted. If you have multiple filters, only one of the filters needs to be granted.

So you could say:

Filter 1 -
Criterion 1 - Client MAC Address = "abc"

Filter 2 -
Criterion 2 - Client MAC Address = "xyz"

and that should work, because it effectively becomes If the Client MAC Address is "abc" or the Client MAC Address is "xyz"

Filters and Criterion

Postby mikebos » Aug 02 04 4:23 pm

Hi Pascal,

Understood. So in system policies

Everybody is assumed, no Advanced.

Mike is assumed, Advanced: Filter1, Criterion1 is met: MAC = abc
Works; Mike can't use anything but NIC abc.

Add
Pascal is assumed, Advanced: Filter2, Criterion2 is met: MAC = xyz
Most times nobody can use anything;
sometimes Mike can use xyz.

Tried Everybody (else) authenticate; definitely nobody is assumed.

Try it. Am I missing something?

regards
Mike Bos

Postby Pascal » Aug 02 04 4:41 pm

You're right, with that exact setup it doesn't work. Just did try it. The trick is this:

Add the Filters + Criteria for MAC address filtering to the "Everyone" user. Do not set this group to be "Assumed is allowed", but leave it at "User may be unknown". The MAC address takes care of that for you - as only connections from that MAC are allowed.

Alternatively, set it for each individual user, but don't require them to be assumed and do away with "Everyone". Users from other computers (I tried this) will not be granted access - they get a "403 You are not authorised ..." or an "Access Denied" message. The two assumed users with their correctly specified MAC addresses are allowed through, the logs and history events still point to their 'assumed as' names.

The second option is probably best, as you can then customise each user individually. The first option will give you easier configuration in general though.

I'll need to check with Adrien to see if this is the expected behaviour - but it does work when you do it this way.

MAC authenticate

Postby mikebos » Aug 04 04 2:40 pm

Hi Pascal,

I found out the hard way that there is something different between our systems: WG6pro12, W2ksp4.

Removing "everyone" from policies craps out GateKeeper with a "connection with server terminated" on startup. Three rebuilds later, I find:

If you go
System>everyone>advanced>
filter1 > criterion1 username=mike AND criterion2 MAC=abc
OR
filter2 > criterion3 username=pascal AND criterion4 MAC=xyz
OR etc.

It only works for 1 or 2 clients. 3 or more gets unpredictable results.

If you go
System>
Mike>Advanced>filter1>critereon1 MAC=abc
Pascal>Advanced>filter2>critereon2 MAC=xyz

Also only works for 1 or 2 clients. 3 or more again gets unpredictable results.
In the second scenario, if your users are "everyone" + Mike it works, but as soon as you add #3, you get the 403 not authorised.

Did you check your first 2 were still working when the third client got the 403 not authorised?

It looks like we have all the elements to make it happen, but it is truly unexpected behaviour.

I really need to get this working. I now have 12 clients making a farce of our traffic monitoring.

Regards
Mike Bos.

Postby Pascal » Aug 04 04 3:03 pm

How are you authenticating the users ?

This is the registry setup I just used (5 minutes ago). If you want to, I can send you the registry file as well.

I had 3 clients, from three different computers connecting as 3 different users (bob, jim and mike). Under the Everyone group I had three different filters, each with two criteria: "User:UserName equals <name>" and "Client:MAC equals <mac>".

At all times, all three could get access. When I bring a fourth client online, he gets served a "403 You are not authorised to view this page" message. In all cases, this was done under the "System Policies - Access Rights", rather than under specific services. I had no per-service configuration in these cases.

============================================

Windows Registry Editor Version 5.00

; Recipient0 is the "Everyone" entry under System Policies - Access Rights.
; SpecifyRequest=1 switches on the RequestFilter tree below; the user,
; location, time and ban filters are all off, so the filters are the only gate.
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0]
"UserName"="Everyone"
"Description"="Restricted by request"
"SpecifyUser"=dword:00000000
"SpecifyLocation"=dword:00000000
"SpecifyTime"=dword:00000000
"SpecifyBan"=dword:00000000
"SpecifyRequest"=dword:00000001
"MinimumSecurityLevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\BanFilter]
"Name"=""
"Description"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter]

; FilterN keys are ORed: any one filter whose criteria all match grants access.
; The CriterionM keys inside one filter are ANDed.
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0]
"Name"="Filter 1"
"Description"=""

; DataIndex 1c = Client MAC address (per the Description). The value is compared
; as a string, so it must be written in the XX-XX-XX-XX-XX-XX form.
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0\Criterion0]
"Name"=""
"Description"="Client MAC address equals \"00-D0-B7-B0-15-EE\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:0000001c
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:00,00,00,00,00,00,00,00
"strData"="00-D0-B7-B0-15-EE"

; DataIndex 04 = User:Username (per the Description).
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0\Criterion1]
"Name"=""
"Description"="User: Username equals \"mike\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:00000004
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:01,00,00,00,82,94,a7,bb
"strData"="mike"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1]
"Name"="Filter 2"
"Description"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1\Criterion0]
"Name"=""
"Description"="Client MAC address equals \"00-10-5a-64-8e-76\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:0000001c
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:0000000a
"dData"=hex:34,06,00,00,c0,d4,01,00
"strData"="00-10-5a-64-8e-76"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1\Criterion1]
"Name"=""
"Description"="User: Username equals \"bob\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:00000004
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000001
"nData"=dword:ffff0001
"dData"=hex:01,00,0a,00,43,52,65,63
"strData"="bob"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter2]
"Name"="Filter 3"
"Description"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter2\Criterion0]
"Name"=""
"Description"="Client MAC address equals \"00-50-bf-25-6a-a6\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:0000001c
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:00,00,00,00,00,00,00,00
"strData"="00-50-bf-25-6a-a6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter2\Criterion1]
"Name"=""
"Description"="User: Username equals \"jim\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:00000004
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:00,00,00,00,00,00,00,00
"strData"="jim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\TimeFilter]
"Name"=""
"Description"=""

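The AND/OR rule Pascal spells out earlier in the thread (every criterion inside a filter must match, any one filter is enough) and the layout of the .reg export above can be checked offline with the script below. It is an added example, not WinGate code or anything from Qbik. It assumes, from the Description strings in the export, that DataIndex 04 is User:Username and 1c is Client MAC address, and that "equals" (Comparison 0) is a plain string comparison; the embedded .reg sample is constructed in the same layout, with one filter deliberately storing its MAC as bare hex digits to reproduce the mismatch Mike hit.

```python
import re
from collections import defaultdict

# Field meanings inferred from the Description strings in the posted export
# (an assumption about the registry layout, not from WinGate documentation).
DATAINDEX_FIELD = {0x04: "username", 0x1C: "mac"}
MAC_DASHED = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
CRIT_RE = re.compile(r"\\RequestFilter\\(Filter\d+)\\Criterion\d+$")

# Constructed sample in the layout of the export above: three filters under
# Everyone. Filter1 deliberately stores its MAC as bare hex digits.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0\Criterion0]
"Description"="Client MAC address equals \"00-D0-B7-B0-15-EE\""
"DataIndex"=dword:0000001c
"strData"="00-D0-B7-B0-15-EE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0\Criterion1]
"DataIndex"=dword:00000004
"strData"="mike"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1\Criterion0]
"DataIndex"=dword:0000001c
"strData"="00105a648e76"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1\Criterion1]
"DataIndex"=dword:00000004
"strData"="bob"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter2\Criterion0]
"DataIndex"=dword:00000004
"strData"="administrator"
'''


def normalize_mac(mac):
    """Return the XX-XX-XX-XX-XX-XX spelling the thread found WinGate requires,
    from colon, dash, dotted or bare 12-hex-digit input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_reg(text):
    r"""Parse a .reg export into {filter_name: [criterion, ...]}. Only
    RequestFilter\FilterN\CriterionM keys with DataIndex and strData become
    criteria; the hex: blobs and every other key are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            sections[current] = {}
        elif current is not None and (m := VAL_RE.match(line)):
            name, dword, s = m.groups()
            sections[current][name] = int(dword, 16) if dword is not None else s.replace('\\"', '"')
    filters = defaultdict(list)
    for key, vals in sections.items():
        m = CRIT_RE.search(key)
        if not m or "DataIndex" not in vals:
            continue
        field = DATAINDEX_FIELD.get(vals["DataIndex"])
        if field is None:
            raise ValueError(f"unknown DataIndex {vals['DataIndex']:#x} in {key}")
        filters[m.group(1)].append(
            {"field": field, "value": vals["strData"], "not": bool(vals.get("Not", 0))})
    return dict(filters)


def criterion_matches(crit, request):
    # "equals" (Comparison 0) is a plain string compare, so a bare-hex MAC in the
    # policy never matches the dashed form the proxy sees for the client.
    hit = request.get(crit["field"], "").lower() == crit["value"].lower()
    return not hit if crit["not"] else hit


def is_allowed(filters, request):
    """OR across filters, AND across the criteria inside one filter."""
    return any(all(criterion_matches(c, request) for c in crits)
               for crits in filters.values())


def lint(filters):
    """Flag the two misconfigurations the thread ran into."""
    problems = [f"{name}: MAC {c['value']!r} is not in XX-XX-XX-XX-XX-XX form"
                for name, crits in filters.items() for c in crits
                if c["field"] == "mac" and not MAC_DASHED.match(c["value"])]
    if not is_allowed(filters, {"username": "administrator"}):
        problems.append("no filter admits 'administrator' by username alone: "
                        "GateKeeper will be locked out by System Policies")
    return problems


if __name__ == "__main__":
    policy = parse_reg(SAMPLE_REG)
    print(is_allowed(policy, {"username": "mike", "mac": "00-D0-B7-B0-15-EE"}))
    print(is_allowed(policy, {"username": "bob", "mac": normalize_mac("00:10:5a:64:8e:76")}))
    print(*lint(policy), sep="\n")
```

Run it against a real export by replacing SAMPLE_REG with the file's contents; the lint output is the thing to look at before importing a .reg, since a lockout only shows up once GateKeeper goes offline and back online.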
Postby Pascal » Aug 04 04 3:17 pm

Change that registry to this as a sample - otherwise, because it is System Policies, if you go offline and online in GateKeeper you will be denied access. So this registry grants access to Administrator in GateKeeper. (You might want to set Remote Control Service to IGNORE system policies and have its own custom setup.)


====================================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0]
"UserName"="Everyone"
"Description"="Restricted by request"
"SpecifyUser"=dword:00000000
"SpecifyLocation"=dword:00000000
"SpecifyTime"=dword:00000000
"SpecifyBan"=dword:00000000
"SpecifyRequest"=dword:00000001
"MinimumSecurityLevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\BanFilter]
"Name"=""
"Description"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0]
"Name"="Filter 1"
"Description"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0\Criterion0]
"Name"=""
"Description"="Client MAC address equals \"00-D0-B7-B0-15-EE\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:0000001c
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:00,00,00,00,00,00,00,00
"strData"="00-D0-B7-B0-15-EE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter0\Criterion1]
"Name"=""
"Description"="User: Username equals \"mike\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:00000004
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:01,00,00,00,82,94,a7,bb
"strData"="mike"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1]
"Name"="Filter 2"
"Description"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1\Criterion0]
"Name"=""
"Description"="Client MAC address equals \"00-10-5a-64-8e-76\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:0000001c
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:0000000a
"dData"=hex:34,06,00,00,c0,d4,01,00
"strData"="00-10-5a-64-8e-76"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter1\Criterion1]
"Name"=""
"Description"="User: Username equals \"bob\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:00000004
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000001
"nData"=dword:ffff0001
"dData"=hex:01,00,0a,00,43,52,65,63
"strData"="bob"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter2]
"Name"="Filter 3"
"Description"=""

; Username-only filter (no MAC criterion) so the administrator's GateKeeper
; session still passes System Policies from any machine.
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter2\Criterion0]
"Name"=""
"Description"="User: Username equals \"administrator\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:00000004
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:00,00,00,00,00,00,00,00
"strData"="administrator"

; Display name corrected from the duplicate "Filter 3" in the original export.
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter3]
"Name"="Filter 4"
"Description"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter3\Criterion0]
"Name"=""
"Description"="Client MAC address equals \"00-50-bf-25-6a-a6\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:0000001c
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:00,00,00,00,00,00,00,00
"strData"="00-50-bf-25-6a-a6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\RequestFilter\Filter3\Criterion1]
"Name"=""
"Description"="User: Username equals \"jim\""
"Type"="CRequestCriterion"
"Comparison"=dword:00000000
"DataIndex"=dword:00000004
"VariableName"="equals"
"Not"=dword:00000000
"DataType"=dword:00000002
"dwData"=dword:00000000
"nData"=dword:00000000
"dData"=hex:00,00,00,00,00,00,00,00
"strData"="jim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\TimeFilter]
"Name"=""
"Description"=""

Postby mikebos » Aug 04 04 4:07 pm

Hi Pascal,

I keep ending up at assumed by computer name for Windows users and by IP for anything else.

I would appreciate your sending me the registry file, I'll save mine just in case and implement yours.

I presume I can probably clip and save your posting with a .reg setting and double click it to implement, but can you email it to mikebos@studentaccom.com.au

Thanks and Regards
Mike Bos

Postby Pascal » Aug 04 04 4:15 pm

Hi Mike,

Settings are on their way to you.

MAC authenticate

Postby mikebos » Aug 04 04 7:17 pm

Hi Pascal,

That looks to be working.
The keys I've learned are:

Assumptions must be by IP, by computer name seems to not identify MAC address.

MAC addresses must be specified in WinGate in the XX-XX-XX-XX-XX-XX format. Using XXXXXXXXXXXX as MAC addresses, like in the Windows registry, does not work, and was probably the main problem, although it did work for 1 or 2 clients.

Specifying "Administrator" as a user is critical.

Thanks for your help.
Mike Bos

Postby Pascal » Aug 04 04 8:17 pm

No problem, glad you got it working.

Floating IP's

Postby mikebos » Aug 16 04 9:09 pm

Pascal,

This solution was working nicely until IP addresses for clients started to change.

I can't tell whether a client fixed their IP in an attempt to pirate traffic, causing a cascading change of IPs, or whether WinGate decided some leases expired and it was time to renumber.

I checked DHCP; it's still on defaults with 60-day leases, and most of my tenants are up to about 6 months.

I tried to modify our last approach to
Everyone
Filter 1
Criterion0 User:Name=mike
Criterion1 Client:Mac=abc
Criterion3 Client:IP=192.168.0.2
Filter 2
Criterion4 User:Name=bob
Criterion5 Client:Mac=def
Criterion6 Client:IP=192.168.0.3
Filter 4
Criterion6 User:Name=administrator

Which seemed to work for everyone online at the time; however, WG seems to have locked up, I presume as the culprits have logged on, and I can't log on remotely to assess the problems.

I was also thinking of adding NetBIOS names as a criterion.
Can you see any problems with these approaches?

Regards
Mike Bos

Postby Pascal » Aug 16 04 10:39 pm

It sounds as if it's possible that you have locked yourself out of GateKeeper. Can you surf if you point yourself at WinGate as a proxy?

The basics seem correct though, but I'll have to check it in a live setup. (At home now)

Postby mikebos » Aug 17 04 9:38 pm

Hi Pascal,

I meant WG on a W2K PII400 server hangs and I can't get onto the machine using GateKeeper remotely.

Even though the dialer for the ADSL connection is set to never hang up, WG chokes, won't restart on a reboot, and I can't get on remotely. This follows clients getting authentication errors, I suspect because of the few trying different IPs.

Back to the problem.

Assuming by IP allows a client to manually set an IP, causing WG to assume the wrong user. The system correctly won't authenticate the MAC/user mismatch; however, WG doesn't seem to release the client session.

The correct client logs on but still can't get authenticated, and DHCP appears to cascade the problem to all new logons.

Somehow I need to specify MAC=IP=User at DHCP level.

Regards
Mike Bos

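The symptom Mike describes (a client sets its own IP, WinGate assumes the wrong user, and the user/MAC filter then refuses both the impostor and the legitimate client) comes down to the three-way binding of user, MAC and IP in the Everyone policy drifting away from what is on the wire. Assumption by IP trusts a value the client chooses; a MAC is at least tied to the NIC the proxy sees. The script below is an added example, not WinGate code, that audits the policy triples against an ARP snapshot; it assumes the policy is available as (user, MAC, IP) triples as listed in the post above, and the ARP text is constructed in the layout of Windows `arp -a` output rather than captured from a real host.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One (user, MAC, IP) triple, as in the Everyone filters above."""
    user: str
    mac: str
    ip: str


def normalize_mac(mac):
    """Dashed upper-case form, so policy and ARP spellings compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


# Row layout of Windows `arp -a`: "<ip> <dashed mac> <dynamic|static>".
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$")

# Constructed snapshot, not a capture: .3 is bob's address in the policy but
# jim's NIC is answering for it; .7 is a device the policy does not list.
SAMPLE_ARP = """\
Interface: 192.168.0.1 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.0.2           00-d0-b7-b0-15-ee     dynamic
  192.168.0.3           00-50-bf-25-6a-a6     dynamic
  192.168.0.7           00-aa-bb-cc-dd-ee     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_arp(text):
    """ip -> normalized MAC for dynamic rows; static rows are broadcast/multicast."""
    seen = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and m.group(3) == "dynamic":
            seen[m.group(1)] = normalize_mac(m.group(2))
    return seen


def audit(policy, seen):
    """Compare policy triples with the segment. Returns (kind, message) pairs:
    'policy'  two triples share an IP or a MAC (their filters can never both match)
    'spoof'   an IP is in use by a MAC other than the one the policy binds it to
    'unknown' an IP/MAC pair the policy does not list (the filter will refuse it)
    'offline' a policy triple whose IP is not on the wire right now"""
    findings, by_ip, by_mac = [], {}, {}
    for b in policy:
        mac = normalize_mac(b.mac)
        if b.ip in by_ip:
            findings.append(("policy", f"{b.ip} bound to both {by_ip[b.ip].user} and {b.user}"))
        if mac in by_mac:
            findings.append(("policy", f"{mac} bound to both {by_mac[mac].user} and {b.user}"))
        by_ip[b.ip], by_mac[mac] = b, b
    for ip, mac in seen.items():
        expected = by_ip.get(ip)
        if expected is None:
            findings.append(("unknown", f"{ip} ({mac}) has no policy entry"))
        elif normalize_mac(expected.mac) != mac:
            owner = by_mac.get(mac)
            who = f"{owner.user}'s NIC" if owner else "an unlisted NIC"
            findings.append(("spoof", f"{ip} is {expected.user}'s address but {who} {mac} is using it"))
    for ip, b in by_ip.items():
        if ip not in seen:
            findings.append(("offline", f"{b.user} ({ip}) not currently on the segment"))
    return findings


# Users and MACs from the export earlier in the thread; IPs as in the post above.
POLICY = [
    Binding("mike", "00-d0-b7-b0-15-ee", "192.168.0.2"),
    Binding("bob", "00-10-5a-64-8e-76", "192.168.0.3"),
    Binding("jim", "00-50-bf-25-6a-a6", "192.168.0.4"),
]

if __name__ == "__main__":
    for kind, msg in audit(POLICY, parse_arp(SAMPLE_ARP)):
        print(f"[{kind}] {msg}")
```

On the WinGate host, feed it the output of `arp -a` (or the DHCP server's lease table, which gives the same ip/mac pairs) on a schedule; a 'spoof' finding names both the address owner and the NIC that took the address, which is the evidence needed before renumbering or fixing a reservation.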
Postby Pascal » Aug 18 04 12:37 am

Again, something I'll have to sit down and manually nut out in front of a WinGate installation. This sounds a tad tricky and I can see now why you want assume by MAC ...
