09-01-2014 09:03 AM - edited 02-21-2020 07:48 PM
Dear all,
Currently, I have configured SSL VPN using the AnyConnect client, integrated with AD via ACS RADIUS. Due to the security policy, my boss also requires a MAC address filter to limit the endpoints, just like wireless using 802.1X plus a MAC address filter for authentication. So, is it possible to use ACS to store endpoint MAC addresses and use them for MAC address filtering in the SSL VPN deployment?
Best Regards,
09-01-2014 09:59 AM
You can match on the MAC-address of the client, but I'm not sure if that really works in a scalable way. How could it work:
Another way to match on the MAC is through a Lua-script:
But also here you need to extend this to compare the presented MAC against a central directory.
Perhaps it's easier (and even more secure) to use a different second factor than the MAC address (which could be spoofed). What about tokens or certificates?
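As an added illustration of the Lua approach mentioned in this reply (not code from the original post), here is a DAP-style check that compares the MAC reported by the endpoint against a small allow-list. It assumes the HostScan endpoint attribute `endpoint.device.MAC["<dotted MAC>"]`, which the ASA sets to the string "true" for each interface MAC the client reports; that attribute name and value format are an assumption here, so verify them against the DAP attribute reference for your ASA release. The `endpoint` table at the bottom is constructed sample data so the snippet runs in plain Lua; on the ASA only the expression inside the function body goes into the DAP "Advanced" Lua field. Note the caveat from the reply: the MAC is self-reported by the client and can be spoofed, so this is a convenience filter, not a second factor.

```lua
-- Added example (not from the original post): a DAP-style Lua check that
-- allows a session only if one of the endpoint's reported MACs is on the list.
-- Assumption: endpoint.device.MAC["xxxx.xxxx.xxxx"] == "true" for each MAC the
-- client reports (HostScan attribute name and format assumed, verify for your release).

-- Allowed MACs in ASA dotted format (constructed sample data, not real assets).
local allowed_macs = {
  "0050.56bf.1a2b",
  "0050.56bf.3c4d",
}

-- Normalise any common MAC notation (aa:bb:cc:dd:ee:ff, aa-bb-cc-..., aabb.ccdd.eeff)
-- to lower-case dotted form so the lookup key matches what DAP exposes.
local function to_dotted(mac)
  local hex = mac:gsub("[^%x]", ""):lower()
  if #hex ~= 12 then return nil end
  return hex:sub(1, 4) .. "." .. hex:sub(5, 8) .. "." .. hex:sub(9, 12)
end

-- Returns true when at least one allowed MAC is reported by the endpoint.
-- On the ASA, the loop body is what you would put in the DAP Lua expression, e.g.
--   endpoint.device.MAC["0050.56bf.1a2b"] == "true" or
--   endpoint.device.MAC["0050.56bf.3c4d"] == "true"
local function mac_allowed(endpoint, list)
  if not (endpoint and endpoint.device and endpoint.device.MAC) then
    return false  -- no HostScan data at all: fail closed
  end
  for _, mac in ipairs(list) do
    local key = to_dotted(mac)
    if key and endpoint.device.MAC[key] == "true" then
      return true
    end
  end
  return false
end

-- Constructed sample of what HostScan would populate; replace with the real
-- global on the ASA, where `endpoint` already exists.
local endpoint = {
  device = {
    MAC = { ["0050.56bf.3c4d"] = "true", ["000c.29aa.bbcc"] = "true" },
  },
}

print(mac_allowed(endpoint, allowed_macs))            -- true: second MAC on the list
print(mac_allowed({ device = { MAC = {} } }, allowed_macs))  -- false: nothing matches
print(mac_allowed(nil, allowed_macs))                 -- false: no endpoint data
```

Keeping the allow-list inside the DAP means every MAC change is an ASA config change, which is the scalability problem the reply points at; the ASA does not forward this attribute to RADIUS, so a central directory lookup would have to be done another way.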
09-15-2014 12:35 AM
Dear Karsten Iwen,
Thank you for your reply!
Actually, I have been using AD and certificates for two-factor authentication. But the company needs more security, which is to limit the endpoints through a MAC address filter. So I am seeking a way for the ASA to send the MAC address to ACS for comparison, something like MAC address bypass in ISE.
But from your reply, it seems the ASA will not send the MAC address to ACS or any other authentication server for comparison.
Anyway, thanks for your reply, and I will test the method you mentioned.
Best Regards,
09-15-2014 12:56 AM
> Actually, I have been using AD and certificates for two-factor authentication. But the company needs more security, which is to limit the endpoints through a MAC address filter.
You want to change from something that is hard to spoof (certificates) to something that is easy to spoof (MAC-address) to improve security? Not sure if this is a good idea ...
09-15-2014 01:27 AM
No, I mean still using certificates and AD, but adding a MAC address filter for additional security.
12-23-2016 09:16 AM
Hello, I'm facing the same problem. Were you able to get the MAC address with the HostScan plugin enabled on Cisco AnyConnect?
12-25-2016 06:21 PM
No, it seems AnyConnect won't send the MAC address to a RADIUS server.
04-14-2021 05:14 PM
I want to filter some MAC addresses through AnyConnect VPN with the following elements: ISE, ASA and AnyConnect.
Let me know if we can do it.