Restrict Cisco VPN by MAC Address

Unanswered Question
Sep 2nd, 2010

Hi,

As the subject suggests, I'm wondering if there's a way to restrict VPN access to an ASA based on MAC address of the client.

Basically, we want to only allow remote users to connect with their work laptop and not from their home PCs, for instance.

Thanks in advance,

Neil

Jason Gervia Fri, 09/03/2010 - 11:20

You can do this if you are using SSLVPN with CSD/hostscan.  Hostscan will report the MAC address (and other information) that you can then use with dynamic access policies as an endpoint attribute to either permit or deny access.

As far as I know, you can't do this with IPSEC (the vpn client isn't reporting the MAC address to the ASA).

Here's a link to the DAP deployment guide:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

b.julin Fri, 09/03/2010 - 13:48

Another option is to switch from PSK to certs, and when creating the certs, embed the MAC address or another such identifier there.  Or keep a map of certs to MAC addresses.  This isn't perfect if somehow a user manages to reinstall the cert on a different machine, but that's beyond what most users know and they will stick to whatever scripts you use to issue the cert.
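The two approaches in this thread (a DAP endpoint-attribute check on the hostscan-reported MAC, and a map of issued certificates to the MAC each one was issued for) both come down to the same decision logic. The following Python is an added example written for this page; it is not ASA configuration, not Cisco code, and not code from either poster. It models the DAP evaluation and the cert-to-MAC map as plain functions so the matching rules can be seen and tested offline. The endpoint attribute name `device.MAC`, the allow list, the certificate serials and all MAC values are constructed for the example. Note that in both designs the MAC is a value the client reports about itself, so it is a posture signal rather than strong identity; treat a match as one condition alongside user authentication, not a replacement for it.

```python
"""Model of MAC-based VPN admission as discussed in the thread (added example, not ASA code)."""
import re
from typing import Dict, List, Tuple

# Constructed allow list of corporate laptop MACs (canonical AA:BB:CC:DD:EE:FF form).
ALLOWED_MACS = {"00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"}

# Constructed map of issued certificate serial numbers to the laptop MAC each was issued for.
CERT_TO_MAC = {"4F:2A:10": "00:1A:2B:3C:4D:5E"}


def normalize_mac(mac: str) -> str:
    """Canonicalize Cisco dotted (001a.2b3c.4d5e), colon or hyphen notation to AA:BB:CC:DD:EE:FF.

    Hostscan, certificate templates and admins all tend to write MACs differently;
    comparing without normalizing is the usual reason an intended match silently fails.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate_dap(endpoint: Dict[str, List[str]], allowed=ALLOWED_MACS) -> Tuple[str, str]:
    """Decide permit/deny the way a DAP record keyed on the MAC endpoint attribute would.

    `endpoint` stands in for the hostscan-reported attributes; the key "device.MAC"
    is an assumed name for this example. A host may report several interfaces, so
    one allowed MAC among them is enough. Default is deny.
    """
    macs = endpoint.get("device.MAC", [])
    if not macs:
        # Jason's point: without hostscan (e.g. the IPsec client) nothing is reported,
        # so a MAC-based policy has nothing to match and must fall through to deny.
        return ("deny", "no MAC reported by the client")
    for mac in macs:
        try:
            canonical = normalize_mac(mac)
        except ValueError:
            continue  # ignore malformed entries rather than failing open
        if canonical in allowed:
            return ("permit", f"{canonical} is on the corporate laptop list")
    return ("deny", "no reported MAC matches the corporate laptop list")


def check_cert_binding(cert_serial: str, reported_mac: str,
                       cert_map=CERT_TO_MAC) -> Tuple[str, str]:
    """b.julin's variant: the cert that authenticated must have been issued for this MAC."""
    expected = cert_map.get(cert_serial)
    if expected is None:
        return ("deny", "certificate not in the issued map")
    try:
        actual = normalize_mac(reported_mac)
    except ValueError:
        return ("deny", "reported MAC is malformed")
    if actual != expected:
        # The weakness the thread notes: a cert copied to another machine shows up here
        # as a serial/MAC mismatch, so log it rather than just denying silently.
        return ("deny", f"certificate {cert_serial} was issued for {expected}, not {actual}")
    return ("permit", f"certificate {cert_serial} matches {actual}")


if __name__ == "__main__":
    # Constructed sample inputs: a corporate laptop, a home PC and an IPsec client.
    print(evaluate_dap({"device.MAC": ["001a.2b3c.4d5e", "0a:00:27:00:00:10"]}))
    print(evaluate_dap({"device.MAC": ["aa-bb-cc-dd-ee-ff"]}))
    print(evaluate_dap({}))
    print(check_cert_binding("4F:2A:10", "00-1A-2B-3C-4D-5E"))
    print(check_cert_binding("4F:2A:10", "aa:bb:cc:dd:ee:ff"))
```

On a real ASA the equivalent of `evaluate_dap` lives in the DAP record's endpoint attribute criteria (configured through ASDM), and the certificate map would be enforced by whatever issues and validates the certs; this block only reproduces the decision rules so they can be checked before being put into a policy.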

asadaliz123 Fri, 12/23/2016 - 09:19

Hello, I'm facing the same problem. Did you try out the solution as discussed below, using the hostscan plugin?

b.julin Fri, 12/23/2016 - 09:37

We never had a pressing need to do this.

If we are talking about Windows clients, and nowadays, we are using EAP over IKEv2 (with PEAP if you care) then one option I could think of is this:  there is support for "statement of health" packets in some RADIUS servers these days.  This communicates information about the host to the RADIUS server.  I do not know if this can include a MAC address or other identifier useful for this purpose, or much about it actually, but for a host to send these packets, something must be turned on on the host side.  It is part of Microsoft NAP.
