MAC-ADDRESS FILTERING ON REMOTE VPN
11-01-2023 06:22 AM
Hello Team,
Is it possible to filter VPN remote access with mac-addresses as a second layer factor security in addition to username/password on FMC?
If yes, any ideas to approach this?
Thanks.
11-01-2023 07:55 AM - edited 11-01-2023 07:58 AM
Not easily. MAC address is a layer 2 artifact and the connection comes in only with layer 3/4 information (protocol, source and destination IP address and port).
The only way we can see MAC address is via something like AnyConnect ID Extensions (ACIDEX) which are exposed when using an add-on security service like Cisco Identity Services Engine (ISE). It can technically be done within an ASA or FTD config (the latter when using FMC and DAP) but I have never seen it done in my experience dealing with literally hundreds of customer VPNs.
If you want to add a second factor to your security, use a Multi-Factor Authentication (MFA) service like Cisco Duo.
Or you could change from username/password to certificates as your authentication method. This requires a PKI though, which can be daunting to set up if you don't have one already. It's not that hard, just not something most network or security admins have experience doing.
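For reference, this is roughly what the DAP approach mentioned in the reply above looks like on an ASA (or FTD managed by FMC, where DAP advanced expressions are also written in Lua). This is an added illustration, not code posted in the thread or Cisco's own sample. It assumes the ACIDEX attribute is exposed to DAP as `endpoint.anyconnect.macaddress` and that it may carry more than one comma-separated address; confirm both against the DAP debug output of your own ASA/FTD version before relying on it. The allowlist entries are constructed placeholders. Note the caveat that matters most: the MAC reported through ACIDEX is sent by the client software, so a DAP match on it is a device-identification check, not a real second authentication factor; anything a user can edit on their own endpoint can be spoofed, which is why the reply steers you to MFA or certificates instead.

```lua
-- Added example, not from the original thread. Hypothetical DAP "Advanced"
-- Lua expression for an ASA/FTD remote-access VPN. The DAP record holding it
-- should be evaluated AFTER normal AAA (username/password) succeeds; if the
-- expression returns false the record does not match and, with a terminate
-- action configured on the fallback/default DAP, the session is dropped.
assert(function()
  -- Constructed allowlist of corporate laptop MAC addresses (placeholders).
  -- Keys are normalised to lowercase, colon-separated form.
  local allowed = {
    ["00:11:22:33:44:55"] = true,
    ["66:77:88:99:aa:bb"] = true,
  }

  -- Normalise whatever the client reported: lowercase, dashes to colons,
  -- surrounding whitespace trimmed.
  local function normalise(mac)
    mac = string.lower(mac)
    mac = string.gsub(mac, "-", ":")
    mac = string.gsub(mac, "^%s+", "")
    mac = string.gsub(mac, "%s+$", "")
    return mac
  end

  -- ASSUMPTION: the ACIDEX MAC list is exposed at endpoint.anyconnect.macaddress.
  -- Older clients, non-AnyConnect clients (e.g. clientless or third-party
  -- IKEv2) and stripped identifiers leave it nil; fail closed in that case.
  local reported = endpoint.anyconnect.macaddress
  if reported == nil or reported == "" then
    return false
  end

  -- ASSUMPTION: a multi-NIC host may report several addresses separated by
  -- commas (e.g. "00:11:22:33:44:55,AA-BB-CC-DD-EE-FF"). Match on any of them.
  for candidate in string.gmatch(reported, "[^,]+") do
    if allowed[normalise(candidate)] then
      return true
    end
  end

  -- No reported address is on the allowlist: this DAP record does not match.
  return false
end)()
```

Pair this DAP record with an ISE or MFA-backed authentication policy rather than relying on it alone, and log the reported identifiers (the ASA writes ACIDEX values into the session detail) so you can see how often legitimate users fail the check because of a replaced NIC, a docking station, or a client that does not send the extension at all.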
