ISE Posture - Client MAC address

manvik
Level 3

Can ISE only permit Remote VPN access from systems with permitted MAC address?

The VPN used is AnyConnect and its authentication is via ISE.

Posturing like AV, OS, etc. is running successfully now.

One more condition needs to be added to posture: user MAC address (LAN or WiFi adapter MAC).

Accepted Solutions

Mike.Cifelli
VIP Alumni

Can ISE only permit Remote VPN access from systems with permitted MAC address?

- Pending that you have a list of the permitted MACs, why not add an L2 MAB identity group in the rad policy as another authz condition? Have you tested that idea yet?

3 Replies

In reply to Mike's comment, see if the Access-Request contains a Calling-Station-Id. I am unsure what MAC address will be contained there - wired or wireless - or in the worst case, a randomised MAC address.

manvik
Level 3

Thank you, guys. It worked: I created a MAC address list and called it in the Auth policies.

Added the MAC address list in - Work Centers > Network Access > Identities

Created a MAC Group in - System Identity Management > Groups and added all MACs to it

Referred to the MAC group in - Policy set > Authorization policy

Condition used - IdentityGroup Name Equals "Identity Group Name"

** Be sure to set the DenyAccess Profile for the Default Authorization policy
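
The following is an added example, not part of the original thread and not ISE code: a small offline audit that models the MAC-group rule with a default deny, so you can check what observed Calling-Station-Id values would match before relying on the policy. The allowlist, sample values and function names are constructed for illustration; it flags the cases raised in the reply above, a value that is not a MAC at all and a randomised (locally administered) MAC.

```python
import re

# Constructed allowlist standing in for the MAC identity group (not real devices).
ALLOWED_MACS = {"00:1B:44:11:3A:B7", "3C:52:82:AA:10:0F"}

# Accepted notations: AA:BB:.. / AA-BB-.. , Cisco aabb.ccdd.eeff, bare 12 hex digits.
# Explicit patterns keep an IPv4 value such as 192.168.100.200 from passing as a MAC.
_MAC_FORMS = (
    re.compile(r"^[0-9A-F]{2}([:-])(?:[0-9A-F]{2}\1){4}[0-9A-F]{2}$"),
    re.compile(r"^[0-9A-F]{4}\.[0-9A-F]{4}\.[0-9A-F]{4}$"),
    re.compile(r"^[0-9A-F]{12}$"),
)


def normalize_mac(value):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if the value is not a MAC."""
    text = value.strip().upper()
    if not any(form.match(text) for form in _MAC_FORMS):
        return None
    digits = re.sub(r"[^0-9A-F]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set,
    which is how OS-randomised MAC addresses are marked."""
    return bool(int(mac[:2], 16) & 0x02)


def classify(calling_station_id, allowed=ALLOWED_MACS):
    """Model the allowlist rule with a default deny; returns (decision, reason)."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return ("deny", "not-a-mac")
    if mac in {normalize_mac(a) for a in allowed}:
        return ("permit", "in-group")
    if is_locally_administered(mac):
        return ("deny", "randomised-mac")
    return ("deny", "not-in-group")


# Constructed Calling-Station-Id values, as they might appear in Access-Requests.
SAMPLES = ["00-1B-44-11-3A-B7", "3c52.82aa.100f", "DA:A1:19:5E:22:01",
           "192.168.100.200", "00:1B:44:11:3A:B8"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value:20} -> {classify(value)}")
```

A MAC address reported by the client is not an authenticated identifier, so a group match works best as one authorization condition alongside the existing posture checks.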