09-02-2010 06:38 AM
Hi,
As the subject suggests, I'm wondering if there's a way to restrict VPN access to an ASA based on MAC address of the client.
Basically, we want to only allow remote users to connect with their work laptop and not from their home PCs, for instance.
Thanks in advance,
Neil
09-03-2010 11:20 AM
You can do this if you are using SSLVPN with CSD/hostscan. Hostscan will report the MAC address (and other information) that you can then use with dynamic access policies as an endpoint attribute to either permit or deny access.
As far as I know, you can't do this with IPsec (the VPN client isn't reporting the MAC address to the ASA).
Here's a link to the DAP deployment guide:
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
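The permit/deny decision described in the reply above, modelled as an added example that is not part of the original post and is not ASA or DAP configuration. The inventory, asset tags and function names are hypothetical; the sketch shows the matching logic an allowlist needs: separator and case normalization, several adapters per laptop, and ignoring locally administered addresses.

```python
import re

# Constructed inventory: asset tag -> MACs of every adapter on that work laptop.
ALLOWED = {
    "LT-0042": ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f"],  # wired + wireless
    "LT-0043": ["00:1a:2b:aa:bb:cc"],
}

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_index(inventory):
    """Map each normalized MAC to its asset tag; reject malformed entries."""
    index = {}
    for asset, macs in inventory.items():
        for mac in macs:
            norm = normalize_mac(mac)
            if norm is None:
                raise ValueError(f"bad MAC for {asset}: {mac!r}")
            index[norm] = asset
    return index

def is_locally_administered(norm):
    """Bit 0x02 of the first octet marks an address that is not burned in."""
    return bool(int(norm[:2], 16) & 0x02)

def evaluate(reported_macs, index):
    """Decide permit/deny from the MACs an endpoint scan reports."""
    assets = set()
    for raw in reported_macs:
        norm = normalize_mac(raw)
        # Skip junk and virtual/overridden adapters; they identify nothing.
        if norm is None or is_locally_administered(norm):
            continue
        if norm in index:
            assets.add(index[norm])
    # Exactly one known laptop must match; zero or several is a deny.
    if len(assets) == 1:
        return ("permit", assets.pop())
    return ("deny", None)
```

The reported address is supplied by the client, so a match is best treated as one signal alongside user authentication rather than as proof of the device.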
09-03-2010 01:48 PM
Another option is to switch from PSK to certs, and when creating the certs, embed the MAC address or another such identifier there. Or keep a map of certs to MAC addresses. This isn't perfect if somehow a user manages to reinstall the cert on a different machine, but that's beyond what most users know and they will stick to whatever scripts you use to issue the cert.
12-23-2016 09:19 AM
Hello, I'm facing the same problem. Did you try out the solution discussed below, using the hostscan plugin?
12-23-2016 09:37 AM
We never had a pressing need to do this.
If we are talking about Windows clients, and nowadays, we are using EAP over IKEv2 (with PEAP if you care) then one option I could think of is this: there is support for "statement of health" packets in some RADIUS servers these days. This communicates information about the host to the RADIUS server. I do not know if this can include a MAC address or other identifier useful for this purpose, or much about it actually, but for a host to send these packets, something must be turned on on the host side. It is part of Microsoft NAP.