
Airplay, VPN and ISE

Anthony Burrow
Level 1

We're receiving reports from our Macintosh users that, when trying to connect through the AnyConnect client, they are not able to create a VPN tunnel.

Looking at the ISE policies, we are checking that the device being connected from matches our Corporate Device MAC Address register.

What we're finding is that those users with Airplay enabled are passing through the Airplay MAC Address instead of the wired or wireless MAC address of their device.

Currently our 'solutions' have been:

1. From the Terminal disable Airplay.

2. Add the Airplay MAC Address into the register.

3. Give the users higher access and bypass these checks.

Not really happy with any of these options and was wondering if it's possible to force the AnyConnect Client to not pass through the Airplay MAC Address or something else that would still allow Airplay to be used but not interfere with the VPN/ISE connection.


Hi,

I don't think you can match VPN connections using MAC address in ISE, as the AnyConnect device (e.g. ASA) won't forward the endpoint MAC address. Any reason why not using a posturing agent?

I'll have to confirm with our Network Team as to how the system works, but that's what I've been told: MAC addresses are passed across.
