Can check mac address before IPSEC VPN connection ?

jewfcb001
Level 4

Hi All,

I would like to verify the MAC address of the client before the IPsec VPN (IKEv1) connection. I use a 3rd-party VPN client to terminate the connection.

In my scenario I have ISE handling the AAA process. I'm not sure whether I can implement this scenario or not?

Thank you.

 

Accepted Solution

@jewfcb001 ISE can only learn the client MAC address if using AnyConnect, which includes the client MAC address in the received ACIDEX attributes. You could then potentially (not tried it myself) match on this attribute in an authorisation rule.

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

 

As you are using a 3rd party VPN client I don't think you can do anything with the MAC address.

 

Why do you want to do this? If it's because you want to determine a corporate owned asset, you can use ASA DAP to confirm if the computer is joined to the domain, or ISE posture to do the same. Alternatively deploy a certificate that can only be issued by an internal CA.

 

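As an added illustration of the decision logic described in the accepted answer (this is constructed example code, not anything from the thread, from ISE, or from Cisco), the block below models a VPN authorisation rule that matches on an AnyConnect-supplied MAC address when the mdm-tlv attributes are present, and falls back to an internal-CA certificate check when they are absent, as happens with a 3rd-party IPsec client. The attribute key name `device-mac`, the AV-pair list shape, the allow-list and the issuer string are all assumptions made for the example; the real ISE policy engine and its attribute dictionary are not used here.

```python
"""Constructed model of a VPN authorisation rule.

Assumptions (not taken from the thread or from ISE):
  - AnyConnect attributes arrive as Cisco AV-pair strings of the form
    "mdm-tlv=<key>=<value>", and the MAC is under the key "device-mac".
  - A 3rd-party IPsec client presents no mdm-tlv pairs at all.
  - The fallback check is the issuer of the client certificate.
"""
import re

# Constructed allow-list of corporate asset MACs, canonical lower-case colon form.
KNOWN_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"}
# Constructed issuer DN of the internal CA used for the certificate fallback.
INTERNAL_CA_ISSUER = "CN=Corp Internal CA"

_CANONICAL_MAC = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalise_mac(raw):
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55.

    Returns the canonical colon-separated form, or None if the value
    does not contain exactly twelve hex digits.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return mac if _CANONICAL_MAC.match(mac) else None


def parse_mdm_tlv(av_pairs):
    """Extract mdm-tlv key/value pairs from a list of AV-pair strings."""
    tlv = {}
    for pair in av_pairs:
        if pair.startswith("mdm-tlv="):
            key, sep, value = pair[len("mdm-tlv="):].partition("=")
            if sep:
                tlv[key] = value
    return tlv


def authorise(session):
    """Return (decision, reason) for one VPN session.

    session is a dict with 'av_pairs' (list of str) and an optional
    'cert_issuer' (str) describing the client certificate, if any.
    """
    tlv = parse_mdm_tlv(session.get("av_pairs", []))
    raw_mac = tlv.get("device-mac")
    if raw_mac is not None:
        # AnyConnect path: the MAC attribute is present, so match on it.
        mac = normalise_mac(raw_mac)
        if mac is None:
            return ("deny", "malformed device-mac attribute")
        if mac in KNOWN_MACS:
            return ("permit", "AnyConnect device-mac matches a known asset")
        return ("deny", "AnyConnect device-mac is not a known asset")
    # No MAC attribute (3rd-party IPsec client): MAC matching is impossible,
    # so fall back to requiring a certificate issued by the internal CA.
    if session.get("cert_issuer") == INTERNAL_CA_ISSUER:
        return ("permit", "no device-mac; certificate issued by internal CA")
    return ("deny", "no device-mac and no internal-CA certificate")


# Constructed sample sessions.
ANYCONNECT_SESSION = {
    "av_pairs": ["mdm-tlv=device-platform=win",
                 "mdm-tlv=device-mac=00-11-22-33-44-55"],
}
THIRD_PARTY_SESSION = {"av_pairs": []}          # IKEv1 client, no attributes
THIRD_PARTY_WITH_CERT = {"av_pairs": [], "cert_issuer": INTERNAL_CA_ISSUER}

if __name__ == "__main__":
    for name, sess in [("anyconnect", ANYCONNECT_SESSION),
                       ("third-party", THIRD_PARTY_SESSION),
                       ("third-party+cert", THIRD_PARTY_WITH_CERT)]:
        print(name, authorise(sess))
```

The point the model makes is the one Rob Ingram raises: the MAC-based branch can only ever fire for sessions that carry the mdm-tlv attributes, so a policy that relies on it silently does nothing for 3rd-party clients unless a second control (certificate issuer, domain membership via DAP, or posture) is in the rule as well.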

7 Replies


@Rob Ingram 

Thank you for the information. I understand your point, but the customer did not purchase the AnyConnect license.

That means I cannot do anything about the client's MAC address if I use a 3rd-party VPN client. Is my understanding correct?

@jewfcb001 the MAC address is not going to be transmitted over the internet. If using AnyConnect you can determine this information. I doubt whatever 3rd-party VPN client is used has the information and that ISE can use this to determine whether the connection should be permitted or not. So no, I do not believe it will work.

 

@Rob Ingram 

Thank you for the information. I accept that; I believe this solution works with the AnyConnect client only.

@Rob Ingram 

I tried to test in my lab. The 3rd-party VPN client does not send the MAC address, but AnyConnect can send the MAC address to ISE.

3rd-party client (screenshot test1.png)

Cisco AnyConnect client (screenshot test2.png)

@jewfcb001 yes, those "mdm-tlv" values are the ACIDex attributes sent when using AnyConnect.

 

So if you want to limit incoming devices to known devices, you could use one of the previous suggestions instead of MAC address.

@Rob Ingram 

About limiting incoming devices, do you mean classifying endpoint groups or not?