
MAC-ADDRESS FILTERING ON REMOTE VPN

fmugambi
VIP

Hello Team,

Is it possible to filter VPN remote access with MAC addresses as a second layer factor security in addition to username/password on FMC?

If yes, any ideas to approach this?

Thanks.

1 Reply

Marvin Rhoads
Hall of Fame

Not easily. MAC address is a layer 2 artifact and the connection comes in only with layer 3/4 information (protocol, source and destination IP address and port).

The only way we can see MAC address is via something like AnyConnect ID Extensions (ACIDEX) which are exposed when using an add-on security service like Cisco Identity Services Engine (ISE). It can technically be done within an ASA or FTD config (the latter when using FMC and DAP) but I have never seen it done in my experience dealing with literally hundreds of customer VPNs.

Reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html

If you want to add a second factor to your security, use a Multi-Factor Authentication (MFA) service like Cisco Duo.

Or you could change from username/password to certificates as your authentication method. This requires a PKI though, which can be daunting to set up if you don't have one already. It's not that hard, just not something most network or security admins have experience doing.
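
Added example (not part of the reply above and not Cisco code): a sketch of the allowlist decision a RADIUS-side policy would make on the ACIDEX MAC values the reply mentions. It assumes the attributes arrive as `mdm-tlv=<name>=<value>` cisco-av-pair strings, as in the linked technote; the sample values, the allowlist and all function names are constructed for illustration.

```python
import re

# Constructed sample: cisco-av-pair values as a RADIUS server might log them
# for one VPN session. The "mdm-tlv=<name>=<value>" layout is an assumption
# based on the ACIDEX technote linked above; the values are made up.
SAMPLE_AV_PAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=00-0C-29-AA-BB-01",
    "mdm-tlv=device-mac=00-0c-29-aa-bb-02",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.10",
]

# Hypothetical allowlist, written in mixed notations on purpose.
ALLOWED_MACS = {"000c.29aa.bb02", "00:0C:29:AA:BB:99"}


def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def reported_macs(av_pairs):
    """Collect every well-formed device-mac value from the AV pairs."""
    macs = set()
    for pair in av_pairs:
        prefix, _, rest = pair.partition("=")
        name, _, value = rest.partition("=")
        if prefix == "mdm-tlv" and name == "device-mac":
            mac = normalize_mac(value)
            if mac:
                macs.add(mac)
    return macs


def authorize(av_pairs, allowed):
    """Permit only if at least one reported MAC is on the allowlist.

    A session that reports no MAC at all (client without ACIDEX) is denied
    rather than passed, so the check fails closed.
    """
    allow = {normalize_mac(m) for m in allowed} - {None}
    matched = reported_macs(av_pairs) & allow
    return (bool(matched), sorted(matched))


if __name__ == "__main__":
    print(authorize(SAMPLE_AV_PAIRS, ALLOWED_MACS))
```

The MAC here is a value the client reports about itself, so a check like this complements rather than replaces the MFA or certificate options in the reply above.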
