07-07-2021 11:07 AM
I am running FTD 6.7 to ISE 3.0 SAML authentication plus authorize-only to ISE. Most things are working as expected. Windows and Mac laptops present their MAC address as the endpoint ID to ISE, but mobile devices present only their public IP address. Because of this, I do not see these devices in CV, nor am I able to do much profiling. How can I get the client MAC address through AnyConnect to ISE?
07-07-2021 11:30 AM
This is a problem with the permissions we have on the end device and I just went through this with iPhones. We ended up being able to push a custom AnyConnect profile from Workspace One that includes the device UDID. This in turn allowed us to match the compliance state on the MDM for a pseudo posture of MDM compliant = yes or no.
Still no MAC address though, so as you called out, the device does not get inserted into the CV database and you have to rely on active attributes provided during the authentication to classify.
07-07-2021 01:04 PM
Thanks as usual @Damien Miller. We are using JAMF and quickly tried the same with no luck. Any chance you'd be willing to anonymize and share your MDM profile?
07-07-2021 03:56 PM
I don't have access to workspace one or I would. This was the KB that helped.
https://kb.vmware.com/s/article/2960762?lang=en_US
Cisco's tech note outlines the issue, but doesn't provide the fix.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215064-mdm-configuration-of-device-identifier-f.html
So maybe a combination of the two links above and the Jamf payload variables, such as %udid%, might help.
https://docs.jamf.com/jamf-school/deploy-guide-docs/Payload_Variables.html
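The thread's underlying point is that a VPN session from a mobile device carries no MAC address, so the RADIUS server cannot profile the endpoint and must classify on whatever active attributes the session does carry (here, an MDM-pushed device identifier matched against MDM compliance state). The following is an added illustration of that decision logic, not code from the thread, from Cisco, or from any MDM vendor; the session attribute names, the UDID values and the compliance table are all constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample sessions, loosely modelled on the attributes a VPN headend
# forwards to a RADIUS server. Names and values are illustrative only.
SESSIONS = [
    {"user": "alice", "Calling-Station-ID": "00:11:22:33:44:55", "device_id": None},
    {"user": "bob",   "Calling-Station-ID": "203.0.113.10",      "device_id": "UDID-ABC123"},
    {"user": "carol", "Calling-Station-ID": "203.0.113.11",      "device_id": "UDID-XYZ789"},
    {"user": "dave",  "Calling-Station-ID": "203.0.113.12",      "device_id": None},
]

# Constructed MDM compliance table (hypothetical; a real deployment would query the MDM).
MDM_COMPLIANCE = {"UDID-ABC123": True, "UDID-XYZ789": False}

# Six colon- or hyphen-separated hex octets, case-insensitive.
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


def endpoint_key(session: dict) -> Tuple[str, Optional[str]]:
    """Classify what identity the session offers for the endpoint.

    Returns ("mac", value) when Calling-Station-ID is a MAC address (the endpoint
    can be inserted into the endpoint database and profiled), ("udid", value) when
    only an MDM device identifier is present, and ("none", None) otherwise.
    """
    csid = session.get("Calling-Station-ID", "")
    if MAC_RE.match(csid):
        return ("mac", csid.lower())
    device_id = session.get("device_id")
    if device_id:
        return ("udid", device_id)
    return ("none", None)


def authorize(session: dict) -> str:
    """Return an authorization result name based on the available endpoint identity."""
    kind, value = endpoint_key(session)
    if kind == "mac":
        # MAC present: normal endpoint profiling applies downstream.
        return "permit-profiled"
    if kind == "udid":
        # No MAC: fall back to the MDM-supplied identifier as a pseudo posture check.
        compliant = MDM_COMPLIANCE.get(value)
        if compliant is True:
            return "permit-mdm-compliant"
        if compliant is False:
            return "quarantine-mdm-noncompliant"
        return "deny-unknown-device"
    # Neither MAC nor device identifier: nothing to classify on.
    return "deny-no-device-identity"


if __name__ == "__main__":
    for s in SESSIONS:
        print(s["user"], endpoint_key(s), authorize(s))
```

The point of the split between `endpoint_key` and `authorize` is that the first answers "can this endpoint be profiled at all?", which is exactly the distinction the thread draws between laptops (MAC present) and mobile devices (public IP only), while the second shows why the MDM identifier has to carry the classification when the MAC is absent.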