Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Restrict Cisco VPN by MAC Address


As the subject suggests, I'm wondering if there's a way to restrict VPN access to an ASA based on MAC address of the client.

Basicaly, we want to only allow remote users connect with their work laptop and not from their home PC's for instance.

Thanks in advance,


Cisco Employee

Re: Restrict Cisco VPN by MAC Address

You can do this if you are using SSLVPN with CSD/hostscan.  Hostscan will report the mac address (and other information) that you can then use with dynamic access policies as an endpoint attribute to either permit or deny access.

As far as I know, you can't do this with IPSEC (the vpn client isn't reporting the mac-address to the ASA).

Here's a link to the DAP deployment guide:

New Member

Re: Restrict Cisco VPN by MAC Address

Another option is switch from PSK to certs, and when creating the certs, embed the MAC address or another such identifier there.  Or keep a map of certs to MAC addresses.  This isn't perfect if somehow a user manages to reinstall the cert on a different machine, but that's beyond what most users know and they will stick to whatever scripts you use to issue the cert.

New Member

Hello , I'm facing the same

Hello , I'm facing the same problem did you tried out the solution as discussed below, using hostscan plugin?

New Member

We never had a pressing need

We never had a pressing need to do this.

If we are talking about Windows clients, and nowadays, we are using EAP over IKEv2 (with PEAP if you care) then one option I could think of is this:  there is support for "statement of health" packets in some RADIUS servers these days.  This communicates information about the host to the RADIUS server.  I do not know if this can include a MAC address or other identifier useful for this purpose, or much about it actually, but for a host to send these packets, something must be turned on on the host side.  It is part of Microsoft NAP.

CreatePlease login to create content