ASA5505 mac-exempt (easyvpn)

gsturcotte · ‎09-23-2008

Hi,

I use a ASA5505 as a easyvpn client to connect to a ASA5510 easyvpn server and everything is working fine. Now i want to add some security by using Individual User Authentication(IUA) on the server side with the command:

group-policy EZVPN_GROUP attributes

user-authentication enable

Again, everything is working fine, each device connected to the ASA5505(client) must authenticate via http. Now, i have a device that cannot authenticate and i want to create a mac-exempt. I try the following command on the client side (5505):

vpnclient mac-exempt 0015.0000.0000 ffff.0000.0000

But i always get the following message:

%PIX|ASA-3-109023: User form 10.26.50.20/5000 to 10.197.204.204/4100 on interface inside using udp must authenticate before using this service.

If i do a show arp, i received the following:

inside 10.26.50.20 0015.9be3.bf6c 210

Did i use the correct command (vpnclient mac-exempt) or should i use another command (i.e: aaa mac-exempt)?

Thank for any advice...

Ps: I use software version 7.2(4) on the 5505, but i also try version 8.0(4)

gsturcotte · ‎09-24-2008

Hi,

I finally found the solution. The easyvpn server must activate the device pass through for the client. The status of the device pass through on the easyvpn client can be seen with the following command:

show vpnclient

The trick to enable the device pass through on a asa5510 easyvpn server is to enable the ip-phone-bypass in the group-policy. With this policy, the mac-exempt command will work on the easyvpn client.