Way to restrict access to AnyConnect VPN to only company owned devices

TCMC_cisco
Level 1

Is there a way that we can restrict access to our company's VPN by MAC address? What we want to do is to allow users to VPN in only on company-owned equipment. If this will not work, what is the best way to control what devices can log in?

1 Reply

clausonna
Level 3

I don't think you can do a posture check by MAC address. If you're using SSLVPN, and you're running Windows, you can do a Host Scan check for the following registry key:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain

Then set up a Pre-Login policy that goes:

Windows -> Registry Check -> Success -> RegCheckOK
                          |-> Fail -> RegCheckFail

At this point you've just verified that you can read that key, and the value is stored for later use. You're not making an allow/deny decision yet.

Then in your Dynamic Access policy you do a Policy check for Location=RegCheckFail, that says "Unable to read registry".  The following DAP policy check looks for Location=RegCheckOK, and validates that the value is your AD domain. 

Alternatively, you could put a NAC box (ISE or Clean Access) 'behind/after' the VPN box, so although anyone can connect only domain machines (and/or whatever other posture checks you want to make, e.g. Antivirus status) make it through to the rest of the network.
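The following PowerShell is an added example, not code from the reply above or from Cisco: it performs on the endpoint the same two-stage logic the reply describes (first "can the key be read?" yielding RegCheckOK or RegCheckFail, then "does the value match the AD domain?"), so you can see what the Host Scan rule and the two DAP records will observe on a given machine before you build them. The expected domain name `corp.example.com` is an assumption; replace it with your own AD DNS domain.

```powershell
# Added example (not from the original thread): endpoint-side equivalent of the
# Host Scan registry check and the two DAP records described in the reply.
$ExpectedDomain = 'corp.example.com'   # assumption: replace with your AD DNS domain

function Get-RegistryPosture {
    # Mirrors the Pre-Login policy: key readable (RegCheckOK) or not (RegCheckFail).
    # No allow/deny decision is made here; the value is just captured.
    $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    try {
        $Value = (Get-ItemProperty -Path $KeyPath -Name 'Domain' -ErrorAction Stop).Domain
        [pscustomobject]@{ Location = 'RegCheckOK'; Domain = $Value }
    } catch {
        # Value missing or unreadable: this is the RegCheckFail branch
        [pscustomobject]@{ Location = 'RegCheckFail'; Domain = $null }
    }
}

function Test-DapDecision {
    param(
        [Parameter(Mandatory)] $Posture,
        [string] $Expected = $ExpectedDomain
    )
    # Mirrors the DAP order: the RegCheckFail record is evaluated first, then the
    # RegCheckOK record that validates the stored value against the AD domain.
    if ($Posture.Location -eq 'RegCheckFail') {
        return [pscustomobject]@{ Allow = $false; Reason = 'Unable to read registry' }
    }
    if ($Posture.Domain -and $Posture.Domain.Trim().ToLower() -eq $Expected.ToLower()) {
        return [pscustomobject]@{ Allow = $true;  Reason = "Domain suffix matches $Expected" }
    }
    # Key readable but value is empty or some other suffix: treat as not company-owned
    return [pscustomobject]@{ Allow = $false; Reason = "Domain suffix '$($Posture.Domain)' does not match $Expected" }
}

function Test-DomainMembership {
    # Caveat: Tcpip\Parameters\Domain is only the primary DNS suffix, which a local
    # administrator can set by hand. Actual domain membership is reported by WMI/CIM,
    # so a posture rule built on PartOfDomain is harder to satisfy from a home PC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }
}

$posture  = Get-RegistryPosture
$decision = Test-DapDecision -Posture $posture
"Location: $($posture.Location)  Domain: $($posture.Domain)"
"Allow: $($decision.Allow)  Reason: $($decision.Reason)"
Test-DomainMembership
```

Run it on a known domain-joined laptop and on a non-company machine to confirm the two outcomes differ before relying on the DAP policy. Because the DNS-suffix value is writable by anyone with local admin rights on the endpoint, treat the registry check as a convenience filter for honest users rather than a guarantee of company ownership; the NAC/posture approach mentioned in the reply, or a machine certificate issued only to domain computers, is what actually binds access to company-owned hardware.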