03-25-2022 01:29 AM
Hi All,
I would like to verify the MAC address of the client before the IPsec VPN (IKEv1) connection is established. I use a 3rd-party VPN client to terminate the connection.
In my scenario I have ISE handling the AAA process. I'm not sure whether I can implement this scenario or not.
Thank you.
Solved! Go to Solution.
03-25-2022 01:35 AM
@jewfcb001 ISE can only learn the client MAC address if using AnyConnect, which includes the client MAC address in the received ACIDEX attributes. You could then potentially (not tried it myself) match on this attribute in an authorisation rule.
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
As you are using a 3rd party VPN client I don't think you can do anything with the MAC address.
Why do you want to do this? If it's because you want to determine a corporate owned asset, you can use ASA DAP to confirm if the computer is joined to the domain, or ISE posture to do the same. Alternatively deploy a certificate that can only be issued by an internal CA.
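The last suggestion above (tie VPN access to a certificate that only the internal CA can issue) is the one that works for a 3rd-party IKEv1 client, because it does not depend on anything the client reports about itself. The ASA fragment below is an added illustration of that approach and is not taken from the thread or from Cisco documentation; all names (CORP-ISSUING-CA, CORP-DEVICE-CERT, CORP-IKEV1-RA, CORP-GP, ISE-RADIUS, the issuer CN and subject OU values) are assumed placeholders. It assumes the internal CA certificate has already been imported into the trustpoint and that the client devices carry machine certificates issued by that CA.

```text
! --- Added example, not from the original thread; names are placeholders ---

! IKEv1 must authenticate the peer with a certificate (rsa-sig), not a group pre-shared key.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! Trustpoint holding the internal issuing CA certificate (imported separately).
! Revocation checking lets a stolen or decommissioned device be cut off by revoking its cert.
crypto ca trustpoint CORP-ISSUING-CA
 enrollment terminal
 revocation-check crl
 crl configure

! Certificate map: only certificates issued by the internal CA, to the managed-devices OU, match.
! A certificate from any other CA (including a public one) never matches this map.
crypto ca certificate map CORP-DEVICE-CERT 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr ou eq managed-devices

! Route matching certificates to the remote-access tunnel group; peers that do not match
! are not steered into it.
tunnel-group-map enable rules
tunnel-group-map CORP-DEVICE-CERT 10 CORP-IKEV1-RA

group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ikev1

! The device certificate proves the asset; XAUTH against ISE still proves the user.
tunnel-group CORP-IKEV1-RA type remote-access
tunnel-group CORP-IKEV1-RA general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy CORP-GP
tunnel-group CORP-IKEV1-RA ipsec-attributes
 ikev1 trust-point CORP-ISSUING-CA
 ikev1 user-authentication xauth
 peer-id-validate req
```

Two points worth checking in a lab before relying on this: confirm that the 3rd-party client supports IKEv1 certificate (rsa-sig) authentication plus XAUTH, and verify with `show crypto ikev1 sa` and `debug crypto ca` that a certificate from a different issuer is actually rejected rather than falling back to a default tunnel group.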
03-25-2022 01:42 AM
Thank you for the information. I understand your point, but the customer has not purchased the AnyConnect license.
This means I cannot do anything about the MAC address of the client if I use a 3rd-party VPN client. Is my understanding correct?
03-25-2022 01:47 AM
@jewfcb001 the MAC address is not going to be transmitted over the internet. If using AnyConnect you can determine this information. I doubt whatever 3rd-party VPN client is used has the information, or that ISE can use this to determine whether the connection should be permitted or not. So no, I do not believe it will work.
03-25-2022 01:51 AM
Thank you for the information. I agree with you; I believe this solution works with the AnyConnect client only.
03-25-2022 02:33 AM
I tried to test this in my lab. The 3rd-party VPN client does not send the MAC address, but AnyConnect can send the MAC address to ISE.
[screenshot: 3rd-party client]
[screenshot: Cisco AnyConnect Client]
03-25-2022 02:45 AM
@jewfcb001 yes, those "mdm-tlv" values are the ACIDex attributes sent when using AnyConnect.
So if you want to limit incoming devices to known devices, you could use one of the previous suggestions instead of MAC address.
03-25-2022 06:13 AM
Regarding limiting incoming devices, do you mean classifying by endpoint group or not?