MAC-ADDRESS FILTERING ON REMOTE VPN

fmugambi — Wed, 01 Nov 2023 13:22:51 GMT

Hello Team,

Is it possible to filter VPN remote access with mac-addresses as a second layer factor security in addition to username/password on FMC?

If yes, any ideas to approach this?

Thanks.

Re: MAC-ADDRESS FILTERING ON REMOTE VPN

Marvin Rhoads — Wed, 01 Nov 2023 14:58:38 GMT

Not easily. MAC address is a layer 2 artifact and the connection comes in only with layer 3/4 information (protocol, source and destination IP address and port).

The only way we can see MAC address is via something like AnyConnect ID Extensions (ACIDEX) which are exposed when using an add-on security service like Cisco Identity Services Engine (ISE). It can technically be done within an ASA or FTD config (the latter when using FMC and DAP) but I have never seen it done in my experience dealing with literally hundred of customer VPNs.

Reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html

If you want to add a second factor to your security, use a Multi-Factor Authentication (MFA) service like Cisco Duo.

Or you could change from username/password to certificates as your authentication method. This requires a PKI though; which can be daunting to setup if you don't have one already. It's not that hard, just not something most network or security admins have experience doing.

topic MAC-ADDRESS FILTERING ON REMOTE VPN in Network Security

MAC-ADDRESS FILTERING ON REMOTE VPN

Re: MAC-ADDRESS FILTERING ON REMOTE VPN