2958 Views, 10 Helpful, 3 Replies

Dynamic Attributes - MAC Address with ISE and VPN

MikeAoD
Cisco Employee

Was anyone able to implement the dynamic attribute of MAC address comparison in a VPN policy? I already followed the document guiding this process with dot1x and it was successful in my lab, but I want to know if there's any way to do it with VPN, since the calling-station-id for VPN is a public IP address instead of the MAC.
I would really appreciate any feedback.

Accepted Solution

howon
Cisco Employee

You can use ACIDEX attributes for dynamic matching.

1. On AD, create a separate AD attribute for each interface you want to record MAC addresses for, for instance wired, wireless, 4G, etc. Populate the attribute with MAC addresses in one of the following formats (make sure the attributes are indexed, as they need to be retrieved quickly during authentication):

  • To allow a match on any of the MACs, simply populate the attribute in aa-aa-aa-aa-aa-aa format. This will allow the VPN connection as long as ACIDEX reports that any one interface MAC matches.
  • To make sure a specific interface is used for VPN, populate the attribute for that interface in public-mac=aa-aa-aa-aa-aa-aa format (only the attribute that maps to the interface you want to allow needs to be populated). This will allow the VPN connection only when the user is using that specific interface to connect to the headend.

2. Modify the AD external identity source to pull the attributes created above.

3. Create an AuthZ policy for VPN that reads: if Cisco AV pair CONTAINS the above attribute, then PermitACL. If using the first option above, you need to OR the conditions across the multiple attributes.

For your reference, the following is a sample of the ACIDEX attributes sent during VPN:

mdm-tlv=device-platform=win,
mdm-tlv=device-mac=00-50-56-3d-4d-c4,
mdm-tlv=device-platform-version=10.0.17134,
mdm-tlv=device-public-mac=00-50-56-3d-4d-c4,
mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.03049,
mdm-tlv=device-type=VMware, Inc. VMware Virtual Platform,
mdm-tlv=device-uid=9950138CE637DCCD797ED90117049A7E2D2940EB4EBA833387BA1B4EB4DB058E,
audit-session-id=c0a8c9fe0ae490005bc94241,
ip:source-ip=192.168.1.159,
coa-push=true

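Step 3 of the accepted solution is a literal CONTAINS (substring) test of each cisco-av-pair value against the AD attribute value, which is why the two AD value formats behave differently: a bare MAC is found inside both device-mac and device-public-mac, while public-mac=... is only found inside device-public-mac. The following is an added example, not Cisco's or the poster's code, that replays that test in Python against the ACIDEX av-pairs quoted above plus a second, constructed set in which the wired MAC and the MAC of the interface reaching the headend differ. The function names and the second sample set are assumptions made here.

```python
"""Added example: reproduce the ISE 'Cisco AV-pair CONTAINS <AD attribute>'
authorization condition from the accepted solution against ACIDEX av-pairs.
Not Cisco code; function names and SPLIT_INTERFACE_AV_PAIRS are constructed here."""
import re

# Constructed sample: the ACIDEX av-pairs quoted in the post, as ISE receives
# them, one cisco-av-pair RADIUS attribute instance per entry (so the comma
# inside device-type is part of the value, not a separator).
SAMPLE_AV_PAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=00-50-56-3d-4d-c4",
    "mdm-tlv=device-platform-version=10.0.17134",
    "mdm-tlv=device-public-mac=00-50-56-3d-4d-c4",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.03049",
    "mdm-tlv=device-type=VMware, Inc. VMware Virtual Platform",
    "mdm-tlv=device-uid=9950138CE637DCCD797ED90117049A7E2D2940EB4EBA833387BA1B4EB4DB058E",
    "audit-session-id=c0a8c9fe0ae490005bc94241",
    "ip:source-ip=192.168.1.159",
    "coa-push=true",
]

# Constructed second sample: the wired MAC (device-mac) differs from the MAC of
# the interface that actually reaches the headend (device-public-mac).
SPLIT_INTERFACE_AV_PAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=aa-bb-cc-dd-ee-ff",
    "mdm-tlv=device-public-mac=11-22-33-44-55-66",
]


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC notation to the lower-case, dash-separated
    form AnyConnect reports; CONTAINS is a literal substring match, so
    '00:50:56:3D:4D:C4' stored in AD would never match '00-50-56-3d-4d-c4'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def normalize_ad_value(value: str) -> str:
    """Normalise one AD attribute value in either format from the post:
    'aa-aa-aa-aa-aa-aa'            matches if any reported interface MAC equals it
    'public-mac=aa-aa-aa-aa-aa-aa' matches only device-public-mac (the interface
                                   used to reach the headend)."""
    value = value.strip()
    if value.lower().startswith("public-mac="):
        return "public-mac=" + normalize_mac(value.split("=", 1)[1])
    return normalize_mac(value)


def parse_mdm_tlvs(av_pairs) -> dict:
    """Extract the mdm-tlv entries as {name: value}; other av-pairs are ignored."""
    tlvs = {}
    for pair in av_pairs:
        if pair.startswith("mdm-tlv="):
            name, _, value = pair[len("mdm-tlv="):].partition("=")
            tlvs[name] = value
    return tlvs


def av_pair_contains(av_pairs, needle: str) -> bool:
    """The ISE CONTAINS operator: true if any av-pair instance has needle as a substring."""
    return any(needle in pair for pair in av_pairs)


def vpn_authorized(av_pairs, ad_values) -> bool:
    """Step 3 of the post: PermitACL when the av-pairs CONTAIN any one of the
    AD attribute values (the OR across the wired/wireless/4G attributes).
    Empty AD attributes (interfaces never recorded) are skipped."""
    needles = [normalize_ad_value(v) for v in ad_values if v and v.strip()]
    return any(av_pair_contains(av_pairs, n) for n in needles)


def matched_interfaces(av_pairs, ad_value: str) -> list:
    """Which mdm-tlv names the AD value matched; handy when tuning the policy."""
    needle = normalize_ad_value(ad_value)
    return [n for n, v in parse_mdm_tlvs(av_pairs).items()
            if needle in f"mdm-tlv={n}={v}"]


if __name__ == "__main__":
    print(vpn_authorized(SAMPLE_AV_PAIRS, ["00-50-56-3d-4d-c4"]))
    print(matched_interfaces(SAMPLE_AV_PAIRS, "00-50-56-3d-4d-c4"))
    print(vpn_authorized(SPLIT_INTERFACE_AV_PAIRS, ["public-mac=aa-bb-cc-dd-ee-ff"]))
```

Because the comparison is a byte-for-byte substring test, the AD values have to be stored in exactly the lower-case, dash-separated form AnyConnect reports; the normalisation above is what you would apply when populating the attribute, since ISE will not do it for you. Note also that the MAC being matched is reported by the client in the ACIDEX TLVs, so this is an authorization condition on a self-reported value rather than an attested device identity.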

3 Replies

This is great info, thanks for contributing. One question though: where exactly do you change the following setting? Is this on the client in the VPN profile or something?

  • To make sure the specific interface is used for VPN then just populate the specific interface with public-mac=aa-aa-aa-aa-aa-aa format (only need to populate specific attribute that maps to the interface you want to allow). This will allow VPN connection when the user is using the specific interface for connecting to headend

You would need to populate an attribute in the identity store directory, such as AD/LDAP/Internal. You can see a more detailed explanation in the Dynamic Attribute with ISE: MAC Address Matching video.