Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
705
Views
0
Helpful
2
Replies
Highlighted
Anthony Burrow
Beginner
Beginner
‎10-03-2017 06:18 PM
‎10-03-2017 06:18 PM

Airplay, VPN and ISE

We're receiving reports from our Macintosh users trying to connect through the Anyconnect client not being able to create a VPN tunnel.

 

Looking at the ISE policies we are checking that the device being connected from matches our Corporate Device MAC Address register.

 

What we're finding is those users with Airplay enabled are passing through the Airplay MAC Address instead of the wired or wireless MAC address of their device.

 

Currently our 'solutions' have been.

 

1. From the Terminal disable Airplay.

2. Add the Airplay MAC Address into the register.

3. Give the users higher access and bypass these checks.

 

Not really happy with any of these options and was wondering if it's possible to force the AnyConnect Client to not pass through the Airplay MAC Address or something else that would still allow Airplay to be used but not interfere with the VPN/ISE connection.

Labels:
0 Helpful
Reply
2 REPLIES 2
Highlighted
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
‎10-03-2017 09:21 PM
‎10-03-2017 09:21 PM

Hi,

I don't think you can match VPN connections using MAC address in ISE as
AnyConnect device (e.g. ASA) won't forward endpoint MAC address. Any reason
why not using posturing agent.
0 Helpful
Reply
Highlighted
Anthony Burrow
Beginner
Beginner
In response to Mohammed al Baqari
‎10-12-2017 12:54 AM
‎10-12-2017 12:54 AM

I'll have to confirm with our Network Team as to how the system works, but that's what I've been told MAC addresses are passed across.

0 Helpful
Reply
Latest Contents
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
No cts dot1x command in interface configuration mode
Created by tanzhy on 01-14-2021 01:49 AM
3
0
3
0
Anyone know why there are no cts dot1x command in interface configure mode?I  just find cts manual and cts role-based command      Hardware is  C9300-48PSoftware is   Cisco IOS XE Software, Version 16.12.04License i... view more
Unable to access Firepower Management Center via web browser
Created by Thomas321 on 01-13-2021 04:16 PM
0
5
0
5
Hi all, I have ASA 5506W and everything work great without any issue by access from ASDM or SSH, however I am unable to access FMC via web browser then getting following error message "Onbox NGFW is managed by ASDM. Please use your ASDM Client or dow... view more
Cognitive Release Note, December 2020: CWS end-of-life and n...
Created by aligarci on 01-13-2021 09:34 AM
0
0
0
0
User Experience Enhancements As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.   Cognitive Intelligence en... view more
Content for Community-Ad