1775 Views, 0 Helpful, 1 Reply

Upload PC MAC addresses to ASA 5510

yonexrq123 (Level 1)

I was told in order to get unique MAC addresses for the AnyConnect SSL VPN I needed to:

1. Upload all PC MAC addresses to the ASA
2. Create a DAP that maps the PC MAC to the access policy
3. Create an advanced assessment policy to derive the PC MAC during login

Does anybody have documentation on these procedures?

1 Reply

Marvin Rhoads (Hall of Fame)

In ASDM, go to Configuration, Clientless SSL VPN, Dynamic Access Policy, Add New.

Choose your AAA method and add new endpoint attributes. Enter the MAC addresses in the list as multiple endpoint IDs of type device, attribute MAC = . After you have them all in, make the logical operation Device "match any".

You will need AnyConnect Premium and Advanced Endpoint Assessment licenses installed and activated to use this feature.

More information on DAP in general can be found in this Cisco white paper.

In the CLI, what I just described ends up as a simple couple of commands:

    dynamic-access-policy-record CiscoSupportcommunity
    description "Example showing use of MAC addresses in DAP"

...which rely on the underlying dap.xml file which is modified by the above procedure. If you wanted to put it in more programmatically you could write the dap.xml file directly or script it if you're handy with that sort of thing.

For this example, the relevant dap.xml file section would include a dap.record as follows:

    CiscoSupportcommunity
        and
        match-any
            aaa.ldap.memberOf  Domain Users  EQ  caseless
        match-any
            match-all
                endpoint.device.MAC["1234.5678.90ab"]  true  caseless  EQ
            match-all
                endpoint.device.MAC["2345.6789.0abc"]  true  caseless  EQ
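The reply mentions scripting the dap.xml record instead of clicking through ASDM. The script below is an added example, not code from the post or from Cisco: it normalises a MAC list from the formats an inventory export usually contains into the ASA's dotted form, builds a dap.record that requires both the AAA group (`aaa.ldap.memberOf`) and one of the listed `endpoint.device.MAC[...]` attributes, and offers an audit function that lists which MACs a given dap.xml currently allow-lists. The element names (dapRecordList, dapRecord, dapName, dapViewsRelation, dapBasicView, dapSelection, dapSubSelection, dapPolicy, attr) are an assumption taken from how ASDM-generated dap.xml files look; compare the output with a record your own ASDM wrote before loading it. Because the MAC is reported by the endpoint itself, treat the match as an inventory check layered on the AAA condition, not as device identity on its own.

```python
"""Build and audit a dap.xml record that pairs an AAA group with an allow-list of endpoint MACs.

Added example; element names are assumed from ASDM-generated dap.xml files, not taken from the post.
"""
import re
import xml.etree.ElementTree as ET

HEX12 = re.compile(r"^[0-9a-f]{12}$")
MAC_ATTR = re.compile(r'endpoint\.device\.MAC\["([^"]+)"\]')


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return ASA dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def _policy(parent, policy: str):
    """Emit <dapPolicy><value>match-any|match-all</value></dapPolicy> under parent."""
    ET.SubElement(ET.SubElement(parent, "dapPolicy"), "value").text = policy


def _attr(parent, name: str, value: str):
    """Emit one <attr> with the EQ / caseless pairing used in the post's record."""
    a = ET.SubElement(parent, "attr")
    ET.SubElement(a, "name").text = name
    ET.SubElement(a, "value").text = value
    ET.SubElement(a, "operation").text = "EQ"
    ET.SubElement(a, "type").text = "caseless"


def build_dap_record(record_name: str, group: str, macs) -> str:
    """Return dapRecordList XML: user must be in `group` AND present one MAC from `macs`.

    Duplicates and mixed notations in `macs` are collapsed so the record stays auditable.
    """
    clean = sorted({normalize_mac(m) for m in macs})
    root = ET.Element("dapRecordList")
    rec = ET.SubElement(root, "dapRecord")
    ET.SubElement(ET.SubElement(rec, "dapName"), "value").text = record_name
    # "and": the AAA selection and the endpoint sub-selection must both hold
    ET.SubElement(ET.SubElement(rec, "dapViewsRelation"), "value").text = "and"
    basic = ET.SubElement(rec, "dapBasicView")
    sel = ET.SubElement(basic, "dapSelection")
    _policy(sel, "match-any")
    _attr(sel, "aaa.ldap.memberOf", group)
    sub = ET.SubElement(basic, "dapSubSelection")
    _policy(sub, "match-any")  # any one of the listed MACs satisfies the sub-selection
    for mac in clean:
        s = ET.SubElement(sub, "dapSelection")
        _policy(s, "match-all")
        _attr(s, f'endpoint.device.MAC["{mac}"]', "true")
    return ET.tostring(root, encoding="unicode")


def macs_in_dap_xml(xml_text: str) -> dict:
    """Audit helper: map each dapRecord name to the sorted MACs it allow-lists."""
    out = {}
    for rec in ET.fromstring(xml_text).iter("dapRecord"):
        macs = []
        for n in rec.iter("name"):
            m = MAC_ATTR.match(n.text or "")
            if m:
                macs.append(m.group(1))
        out[rec.findtext("dapName/value")] = sorted(macs)
    return out


if __name__ == "__main__":
    # Constructed inventory: same MAC twice in two notations, plus the post's second address.
    inventory = ["12:34:56:78:90:AB", "1234.5678.90ab", "23-45-67-89-0A-BC"]
    xml = build_dap_record("CiscoSupportcommunity", "Domain Users", inventory)
    print(xml)
    print(macs_in_dap_xml(xml))
```

Feed the audit function the dap.xml exported from the ASA's flash to reconcile the allow-list against the asset inventory; any MAC present in one but not the other is the discrepancy to chase.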
