10-18-2018 04:44 PM
Was anyone able to implement the dynamic attribute of MAC address comparison in a VPN policy? I already followed the document guiding this process with dot1x and it was successful in my lab, but I want to know if there's any way to do it with VPN, since the calling-station-id for VPN is a public IP address instead of the MAC.
I would really appreciate any feedback.
10-19-2018 07:50 AM
You can use ACIDEX attributes for dynamic matching.
1. On AD, create separate AD attributes for each interface you want to record MAC addresses for. For instance: wired, wireless, 4G, etc. Populate the attribute with MAC addresses in the following format (make sure the attributes are indexed, as they need to be retrieved quickly during authentication):
2. Modify the AD external sources to pull the attributes created above.
3. Create an AuthZ policy for VPN that reads: if Cisco AV pair CONTAINS the above attribute, then PermitACL. If using the first option above, then you need to use the OR option for multiple attributes.
For your reference, the following is a sample of the ACIDEX attributes sent during VPN:
mdm-tlv=device-platform=win,
mdm-tlv=device-mac=00-50-56-3d-4d-c4,
mdm-tlv=device-platform-version=10.0.17134,
mdm-tlv=device-public-mac=00-50-56-3d-4d-c4,
mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.03049,
mdm-tlv=device-type=VMware, Inc. VMware Virtual Platform,
mdm-tlv=device-uid=9950138CE637DCCD797ED90117049A7E2D2940EB4EBA833387BA1B4EB4DB058E,
audit-session-id=c0a8c9fe0ae490005bc94241,
ip:source-ip=192.168.1.159,
coa-push=true
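The matching logic the answer above describes, as an added example that is not part of the original post or of ISE itself. It parses Cisco AV-pair strings of the ACIDEX form shown in the sample, canonicalises MAC notation, and checks the reported device-mac against several directory attributes (the OR across wired/wireless/cellular attributes). The attribute names wiredMAC, wirelessMAC and cellularMAC and the directory record are hypothetical; ise_contains() models ISE's CONTAINS operator as the plain substring test it is, which is why the stored format must match what AnyConnect sends.

```python
"""Added example (not from the original post): match the device MAC that
AnyConnect reports via ACIDEX against MAC lists held in directory attributes.
"""
import re

# Constructed sample: the AV-pair values from the answer above, one string per
# RADIUS Cisco-AVPair instance, trailing commas kept as the log displayed them.
SAMPLE_AVPAIRS = [
    "mdm-tlv=device-platform=win,",
    "mdm-tlv=device-mac=00-50-56-3d-4d-c4,",
    "mdm-tlv=device-platform-version=10.0.17134 ,",
    "mdm-tlv=device-public-mac=00-50-56-3d-4d-c4,",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.03049,",
    "mdm-tlv=device-type=VMware, Inc. VMware Virtual Platform,",
    "mdm-tlv=device-uid=9950138CE637DCCD797ED90117049A7E2D2940EB4EBA833387BA1B4EB4DB058E,",
    "audit-session-id=c0a8c9fe0ae490005bc94241,",
    "ip:source-ip=192.168.1.159,",
    "coa-push=true",
]

# Constructed sample directory record. Attribute names are hypothetical; the
# answer suggests one attribute per interface type. The wired entry is stored
# in upper case on purpose to show why the stored format matters for CONTAINS.
SAMPLE_USER = {
    "wiredMAC": ["00-50-56-3D-4D-C4", "3c-52-82-11-22-33"],
    "wirelessMAC": ["a4:83:e7:aa:bb:cc"],
    "cellularMAC": [],
}
MAC_ATTRIBUTES = ("wiredMAC", "wirelessMAC", "cellularMAC")

# key=value, with the optional "mdm-tlv=" prefix ACIDEX puts in front of its TLVs
AVPAIR_RE = re.compile(r"^(?:mdm-tlv=)?(?P<key>[\w:-]+)=(?P<value>.*)$")


def parse_avpairs(avpairs):
    """Parse Cisco AV-pair strings into a dict keyed by TLV name.

    Values may themselves contain commas (device-type above), so each AV-pair
    is parsed on its own rather than splitting one joined string on commas.
    """
    parsed = {}
    for pair in avpairs:
        m = AVPAIR_RE.match(pair.strip().rstrip(","))
        if m:
            parsed[m.group("key")] = m.group("value").strip()
    return parsed


def normalize_mac(mac):
    """Canonicalise colon, dot, bare or hyphen notation to the lower-case
    hyphenated form AnyConnect reports (00-50-56-3d-4d-c4)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def ise_contains(avpairs, needle):
    """Model ISE's CONTAINS operator on the Cisco AV-pair attribute: a plain,
    case-sensitive substring test against the raw strings."""
    return any(needle in pair for pair in avpairs)


def match_device_mac(avpairs, user, attributes=MAC_ATTRIBUTES):
    """Return the name of the first directory attribute that holds the reported
    device-mac, or None. Checking several attributes is the OR from step 3."""
    reported = parse_avpairs(avpairs).get("device-mac")
    if not reported:
        return None  # no ACIDEX MAC in the request: no match, fail closed
    reported = normalize_mac(reported)
    for attr in attributes:
        for stored in user.get(attr, []):
            try:
                if normalize_mac(stored) == reported:
                    return attr
            except ValueError:
                continue  # malformed directory entry: ignore it, never match on it
    return None


if __name__ == "__main__":
    tlvs = parse_avpairs(SAMPLE_AVPAIRS)
    print("reported device-mac:", tlvs["device-mac"])
    print("matched attribute:", match_device_mac(SAMPLE_AVPAIRS, SAMPLE_USER))
    # Literal CONTAINS against the upper-case stored value fails; this is the
    # reason the answer insists on a fixed format in the directory attribute.
    print("literal CONTAINS (upper-case):", ise_contains(SAMPLE_AVPAIRS, "device-mac=00-50-56-3D-4D-C4"))
    print("literal CONTAINS (normalised):", ise_contains(SAMPLE_AVPAIRS, "device-mac=" + normalize_mac("00-50-56-3D-4D-C4")))
```

Two points worth keeping in mind when building the real policy. First, ISE's CONTAINS compares strings, so write MACs into the directory attribute exactly as the client sends them (lower case, hyphen separated) or the condition will never hit; normalize_mac() is the shape of a pre-commit check for whatever script populates the attribute. Second, the device-mac TLV is collected and reported by the AnyConnect client on the endpoint, so a match ties the VPN session to the device the client claims to be; treat it as an inventory check layered on top of the user credential and posture, not as proof of device identity on its own.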
07-30-2019 09:03 AM
This is great info, thanks for contributing. One question though: where exactly do you change the following setting? Is this on the client in the VPN profile or something?
07-30-2019 09:41 AM
You would need to populate an attribute in the identity store directory, such as AD/LDAP/Internal. You can see a more detailed explanation in the Dynamic Attribute with ISE: MAC Address Matching video.