Is it possible to use a MAC address filter in AnyConnect VPN?

Jing Hong Li
Level 1

Dear all,

Currently, I have configured SSL VPN using the AnyConnect client, integrated with AD through ACS RADIUS. Due to the security policy, my boss also requires a MAC address filter to limit the endpoints, just like wireless using 802.1X plus MAC address filtering for authentication. So, is it possible to use ACS to store endpoint MAC addresses and use them for MAC address filtering in an SSL VPN deployment?

Best Regards,


7 Replies

You can match on the MAC address of the client, but I'm not sure if that really works in a scalable way. How could it work:

  1. You enable HostScan, which will report the MAC address.
  2. In a dynamic access policy (DAP) you write a condition that matches on the MAC address and compares the address to a field from your LDAP. I don't think that you can achieve that through RADIUS.

Another way to match on the MAC is through a Lua-script:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc18

But also here you need to extend this to compare the presented MAC against a central directory.


Perhaps it's easier (and even more secure) to use a different second factor than the MAC address (which could be spoofed). What about tokens or certificates?
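To make the DAP approach from the reply above concrete, here is an added example of a Lua expression of the kind that goes into a DAP's advanced condition field. It is not code from the thread or from the linked Cisco document. It assumes, as the reply describes, that HostScan reports the client's adapters and that the DAP Lua environment exposes them as the table `endpoint.device.MAC`, keyed by MAC string with the value "true"; the allow-list entries, the `endpoint` stub and the helper names are constructed for illustration. The allow-list here is local to the expression, so it demonstrates the matching and the normalization of MAC notations, not the comparison against a central directory that the reply says you would still have to build. Because the MAC is reported by the client, this is an additional check on top of the certificate and AD authentication the thread already uses, never a replacement for them.

```lua
-- Added example: DAP advanced condition that permits a session only when at
-- least one MAC address HostScan reported is on a local allow-list.
-- ASSUMPTION: HostScan data is exposed as endpoint.device.MAC = { ["<mac>"] = "true", ... }.
-- Verify the exact attribute form on your own ASA before using this.

-- Constructed stub so the expression also runs in a plain Lua interpreter
-- for testing; on the ASA the real endpoint table is already defined.
endpoint = endpoint or { device = { MAC = { ["0050.56c0.0001"] = "true" } } }

(function()
  -- Allow-listed endpoint MACs (constructed sample values, mixed notations).
  local allowed = {
    "0050.56c0.0001",      -- Cisco dotted form
    "00-16-D4-D4-C7-D7",   -- dashed, upper-case
    "00:1a:2b:3c:4d:5e",   -- colon-separated
  }

  -- Reduce any common notation to 12 lower-case hex digits so a match does
  -- not depend on how the client or the list happens to format the address.
  local function normalize(mac)
    if type(mac) ~= "string" then return nil end
    local hex = mac:lower():gsub("[^0-9a-f]", "")
    if #hex ~= 12 then return nil end  -- malformed entry: ignore it
    return hex
  end

  -- Build a set once from the allow-list.
  local allowed_set = {}
  for _, entry in ipairs(allowed) do
    local key = normalize(entry)
    if key then allowed_set[key] = true end
  end

  -- True if any reported, present adapter is allow-listed.
  -- Deny when HostScan reported nothing (missing table = no evidence).
  local function endpoint_allowed(reported)
    if type(reported) ~= "table" then return false end
    for mac, present in pairs(reported) do
      local key = normalize(mac)
      if present == "true" and key and allowed_set[key] then
        return true
      end
    end
    return false
  end

  -- The value of this expression is the DAP condition result.
  return endpoint_allowed(endpoint.device.MAC)
end)()
```

When testing a condition like this, enable `debug dap trace` on the ASA to see exactly which endpoint attributes HostScan delivered for a session, and build the DAP so that failing the check lands the user in a terminate or restricted-access DAP rather than silently falling through to the default policy.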

Dear Karsten Iwen,

Thank you for your reply!

Actually, I have been using AD and certificates for two-factor authentication. But the company needs more security, which means limiting the endpoints through a MAC address filter. So I was looking for a way for the ASA to send the MAC address to ACS for comparison, something like MAC address bypass in ISE.


But from your reply, it seems the ASA will not send the MAC address to ACS or any other authentication server for comparison.


Anyway, thanks for your reply, and I will test the method you mentioned.


Best Regards,


Actually, I have been using AD and certificates for two-factor authentication. But the company needs more security, which means limiting the endpoints through a MAC address filter.

You want to change from something that is hard to spoof (certificates) to something that is easy to spoof (MAC address) to improve security? Not sure if this is a good idea ...

No, I mean still using certificates and AD, but adding a MAC address filter for additional security.

Hello, I'm facing the same problem. Were you able to get the MAC address with the HostScan plugin enabled on Cisco AnyConnect?

No, it seems AnyConnect won't send the MAC address to a RADIUS server.

rchockeelopez
Level 1

I want to filter some MAC addresses through AnyConnect VPN with the following elements: ISE, ASA and AnyConnect.


Let me know if we can do it?