Cisco Support Community
New Member

Is it possible to use a MAC address filter in AnyConnect VPN?

Dear all,

Currently, I have configured SSL VPN using the AnyConnect client, integrated with AD via ACS RADIUS. Due to the security policy, my boss also requires a MAC address filter to limit the endpoints, just like wireless using 802.1X and MAC address filtering for authentication. So, is it possible to use ACS to store endpoint MAC addresses and use them for MAC address filtering in an SSL VPN deployment?

Best Regards,


6 REPLIES
VIP Purple

You can match on the MAC

You can match on the MAC address of the client, but I'm not sure if that really works in a scalable way. Here is how it could work:

  1. You enable Hostscan, which will report the MAC address.
  2. In a dynamic access policy (DAP) you write a condition that matches on the MAC address and compares the address to a field from your LDAP. I don't think that you can achieve that through RADIUS.

Another way to match on the MAC is through a Lua-script:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc18

But also here you need to extend this to compare the presented MAC against a central directory.


Perhaps it's easier (and even more secure) to use a different second factor than the MAC address (which could be spoofed). What about tokens or certificates?


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
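An added example, not from the thread or from Cisco's documentation, of the DAP Lua approach described above: the Hostscan-reported MAC addresses are compared against a static allow-list embedded in the DAP record. It assumes Hostscan populates the `endpoint.device.MAC` table with the reported addresses as keys in ASA dotted notation; the addresses in the list are constructed placeholders.

```lua
-- DAP "Advanced" Lua expression: evaluates to true only if one of the
-- endpoint's Hostscan-reported MAC addresses is on the allow-list.
-- Assumption: endpoint.device.MAC is a table whose keys are the reported
-- MACs in ASA notation (xxxx.xxxx.xxxx).
assert(function()
  -- Constructed placeholder addresses. A real deployment would want these
  -- to come from a central directory, which plain DAP cannot query.
  local allowed = {
    ["0050.56c0.0001"] = true,
    ["0050.56c0.0002"] = true,
  }
  -- Fail closed: if Hostscan reported no MAC at all, do not match.
  if type(endpoint.device.MAC) ~= "table" then
    return false
  end
  -- Hosts with several interfaces report several MACs; any listed one matches.
  for mac, _ in pairs(endpoint.device.MAC) do
    if allowed[string.lower(mac)] then
      return true
    end
  end
  return false
end)()
```

Because the list lives in the DAP record it has to be maintained by hand on the ASA, which is the scaling limitation mentioned above, and since the client reports its own MAC the check only adds assurance on top of the certificate, not instead of it.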
New Member

Dear Karsten Iwen, thank you

Dear Karsten Iwen,

Thank you for your reply!

Actually, I have already been using AD and certificates for two-factor authentication. But the company needs more security, which means limiting the endpoints through a MAC address filter. So I am looking for a way for the ASA to send the MAC address to ACS for comparison, something like MAC address bypass in ISE.


But from your reply, it seems the ASA will not send the MAC address to the ACS or any other authentication server for comparison.


Anyway, thanks for your reply, and I will test the method you mentioned.


Best Regards,


VIP Purple

> Actually, I have been using AD and certificate for two factor authentication. But company need more Security, which is limit the endpoint through the MAC address filter.

You want to change from something that is hard to spoof (certificates) to something that is easy to spoof (MAC-address) to improve security? Not sure if this is a good idea ...


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

No, I mean still using

No, I mean still using certificates and AD, but adding a MAC address filter for additional security.

New Member

Hello, I'm facing the same

Hello, I'm facing the same problem. Were you able to get the MAC address with the Hostscan plugin enabled on Cisco AnyConnect?

New Member

No, it seems AnyConnect

No, it seems AnyConnect won't send the MAC address to a RADIUS server.
