Restrict Cisco VPN by MAC Address

neilobrien
Level 1

Hi,

As the subject suggests, I'm wondering if there's a way to restrict VPN access to an ASA based on the MAC address of the client.

Basically, we want to only allow remote users to connect with their work laptop and not from their home PCs, for instance.

Thanks in advance,

Neil

4 Replies

Jason Gervia
Cisco Employee

You can do this if you are using SSLVPN with CSD/hostscan.  Hostscan will report the mac address (and other information) that you can then use with dynamic access policies as an endpoint attribute to either permit or deny access.


As far as I know, you can't do this with IPSEC (the vpn client isn't reporting the mac-address to the ASA).

Here's a link to the DAP deployment guide:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

b.julin
Level 3

Another option is to switch from PSK to certs, and when creating the certs, embed the MAC address or another such identifier there.  Or keep a map of certs to MAC addresses.  This isn't perfect if somehow a user manages to reinstall the cert on a different machine, but that's beyond what most users know and they will stick to whatever scripts you use to issue the cert.
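As an added illustration (not code from this thread or from Cisco), here is a Python sketch of the certificate-to-MAC mapping b.julin describes: the work laptop's MAC is embedded in an OU of the client cert subject at issuance and also recorded against the cert serial, and at connect time both are compared with the MAC the endpoint reports (as hostscan would, per Jason's reply). The OU naming convention, the serials and the MAC values are constructed assumptions.

```python
import re

# Constructed sample data: the CA's issuance log, mapping the serial number of
# each client certificate to the MAC of the work laptop it was issued for.
ISSUANCE_LOG = {
    "1A2B3C": "00:11:22:33:44:55",
    "1A2B3D": "aa-bb-cc-dd-ee-ff",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Reduce colon, hyphen or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def subject_for_mac(cn: str, mac: str) -> str:
    """Subject used when issuing a client cert; the MAC goes in an OU (hypothetical convention)."""
    return f"CN={cn},OU=MAC-{normalize_mac(mac).upper()},O=Example Corp"


def mac_from_subject(subject: str):
    """Recover the embedded MAC from a certificate subject, or None if it carries none."""
    m = re.search(r"(?:^|,)OU=MAC-([0-9A-Fa-f]{12})(?:,|$)", subject)
    return normalize_mac(m.group(1)) if m else None


def authorize(subject: str, serial: str, reported_mac: str) -> bool:
    """Decide whether a connecting client may proceed.

    Both checks from the thread are applied: the MAC embedded in the presented
    certificate and the MAC recorded against its serial at issuance must both
    equal the MAC the endpoint reports. A mismatch in either means the cert
    was moved to another machine or was never issued for this one.
    """
    try:
        reported = normalize_mac(reported_mac)
    except ValueError:
        return False  # garbage or missing endpoint data is a deny
    embedded = mac_from_subject(subject)
    issued_for = ISSUANCE_LOG.get(serial.upper())
    if embedded is None or issued_for is None:
        return False
    return embedded == reported == normalize_mac(issued_for)
```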

asadaliz123
Level 1

Hello, I'm facing the same problem. Did you try out the solution discussed below, using the hostscan plugin?

We never had a pressing need to do this.

If we are talking about Windows clients, and nowadays, we are using EAP over IKEv2 (with PEAP if you care) then one option I could think of is this:  there is support for "statement of health" packets in some RADIUS servers these days.  This communicates information about the host to the RADIUS server.  I do not know if this can include a MAC address or other identifier useful for this purpose, or much about it actually, but for a host to send these packets, something must be turned on on the host side.  It is part of Microsoft NAP.
