Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5912
Views
0
Helpful
7
Replies

Is it possible to using MAC address filter in anyconnect vpn ?

Jing Hong Li
Level 1
Level 1

‎09-01-2014 09:03 AM - edited ‎02-21-2020 07:48 PM

Dear all,

Currently, I have configured SSL VPN by using anyconnect client, and integrate with AD by using ACS Radius. Due to the Security policy, my boss also required to use MAC address filter to limit the endpoint, just like the wireless using 802.1X and MAC address filter for authentication. So, is it possible to using ACS to store endpoint MAC address and for MAC address filter in SSL VPN deployment ?

Best Regards,

 

Labels:
0 Helpful
7 Replies 7

Karsten Iwen
VIP
VIP

‎09-01-2014 09:59 AM

You can match on the MAC-address of the client, but I'm not sure if that really works in a scalable way. How could it work:

  1. You enable Hostscan which will report the MAC-Adress.
  2. In a dynamic access policy (DAP) you write a condition that matches on the MAC-address and compares the address to a field from your LDAP. I don't think that you can achieve that through RADIUS.

Another way to match on the MAC is through a Lua-script:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc18

But also here you need to extend this to compare the presented MAC against a central directory.

 

Perhaps it's easier (and even more secure) to use a different second factor then the MAC-address (which could be spoofed). What about tokens or certificates?

0 Helpful

Jing Hong Li
Level 1
Level 1
In response to Karsten Iwen

‎09-15-2014 12:35 AM

Dear Karsten Iwen,

Thank you for your reply!

Actually, I have been using AD and certificate for two factor authentication. But company need more Security, which is limit the endpoint through the MAC address filter. So I seek a way if the ASA will send the MAC-address to ACS for comparison, something like MAC address bypass in ISE.

 

But from your reply, it seem the ASA will not send the MAC address to the ACS or any other authentication server for comparison.

 

Anyway, thanks for your reply, and i will test the method you mentioned.

 

Best Regards,

 

0 Helpful

Karsten Iwen
VIP
VIP
In response to Jing Hong Li

‎09-15-2014 12:56 AM

Actually, I have been using AD and certificate for two factor authentication. But company need more Security, which is limit the endpoint through the MAC address filter.

You want to change from something that is hard to spoof (certificates) to something that is easy to spoof (MAC-address) to improve security? Not sure if this is a good idea ...

0 Helpful

Jing Hong Li
Level 1
Level 1
In response to Karsten Iwen

‎09-15-2014 01:27 AM

No, I means still using Certificates and AD, but add MAC-address filter for additional security.

0 Helpful

asadaliz123
Level 1
Level 1
In response to Karsten Iwen

‎12-23-2016 09:16 AM

Hello, I'm facing the same problem were you able to get MAC address with hostscan plugin enabled on cisco any connect?

0 Helpful

Jing Hong Li
Level 1
Level 1
In response to asadaliz123

‎12-25-2016 06:21 PM

No, seem the anyconnect wouldn't sent the MAC address to a RADIUS server.

0 Helpful

rchockeelopez
Level 1
Level 1

‎04-14-2021 05:14 PM

I want to filter some MAC Address  through AnyConnect VPN with the following elements ISE ASA AnyConnect.

 

Let me know if we can do it?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents