
Restrict a user from Using Anyconnect on personal machines

Hamed Karimi
Level 1

Hi

I need to restrict AnyConnect users to using the company laptop, not a personal device, to connect to the network over VPN.
Is there any way to restrict it via ASA or AnyConnect settings?

Something like checking the MAC address, etc.

2 Accepted Solutions


ngkin2010
Level 7
Hi,

You may use hostscan and Dynamic Access Policy to check the MAC address.

Ref: https://community.cisco.com/t5/vpn/is-there-a-way-to-filter-mac-address-on-vpn-cisco-anyconnect/td-p/3042193

Alternatively, you may consider enabling client certificate authentication for users. You first install a certificate on the company's computers, either manually or by GPO. Users are then required to use that certificate (on the company notebook) for authentication.


Note that Hostscan/DAP requires AnyConnect Apex licensing. Also that option is currently restricted to ASA headends. If you use Firepower Threat Defense it's not an option.

In addition to the certificate option, we could also use Cisco ISE on the backend. That works with either ASA or FTD headends.

