Controlling Anyconnect VPN clients based on the client's mac address

Captions
Hi, this is a quick demo of controlling ASA AnyConnect VPN access using the client's MAC address. Now you may be asking, why even do that? Well, I know it's an uncommon request, but there are a few customers out there who have a reason to filter based on MAC addresses, so here's just a quick demo.

Now, the ASA and FTD VPN itself can't quite control the client strictly using matching based on the client's MAC address, so the solution is to use ASA or FTD and ISE together as a combination, and ISE as a RADIUS server really helps tremendously here.

If you take a look at my configuration, I have a VPN policy called "username". Let me show you my VPN connection profile "username": my AAA method is authentication, and I'm pointing it to my ISE server, or ISE group, as the authentication group or method. Down below I have a client IP address pool configured, I have a group policy, just a typical group policy, associated with it, with DNS etc., and then the group URL for the connection is urbdmz 1120asa.cisc username; that's the connection URL that my client will use to connect to this group.

So let's go ahead and take a look. Right now I have a user on the Linux machine that's not connected, so it's not here; I hit refresh and it's not there. Let me go to my Linux machine. This is an Ubuntu Linux machine; it could be Linux, it could be Mac, it could be Windows, it doesn't really matter, it all works. Let me show you a connection here: I'm connecting to "username", I'm going to hit connect, my username is ned, and then the authentication password. Okay, now I'm connected to AnyConnect successfully. Go back to the ASA, hit refresh, and you can see here, there you go, ned has been connected, it's a Linux 64 Ubuntu 20.0 machine, and the ACL that got pushed down from ISE is ASA VPN-Allow All; that's the open policy for VPN.

All right, great. Now let's take a look at ISE. If we take a look at my ISE server, this is ISE 3.0, this is the new GUI, you can see here that ned just authenticated and it got the Contractor VPN_Allow All authorization profile; that's the default there. Okay, the MAC address of the client ends with CFDB. So let's go ahead and add this MAC address to the MAB list, the MAC authentication bypass list. I'm going to go to my ISE and go to the identity groups, and within my identity groups, the endpoint identity groups, I have a group that I created called VPNMAB list. If I go to the VPNMAB list, my Linux machine is currently not in there, so let's go back in there and hit add, and let me add in the MAC address it has seen on the network, for example, here we go, A7 CFDB. Let me add that entry into that MAB list, and you can see here it's a Linux machine because it saw it earlier on the network. Or you can just simply manually add this MAC address in there if you want; it doesn't really matter how you do it. Okay, so that's been added.

Now let's go back to my policy, my policy sets within ISE. I go into my default policy, and I created an authorization policy, and within this authorization policy is a rule called "local exception rule number one". Actually, let me change it right now; let's call it "Auth VPN MAB only". Okay, so that's the name of my rule, and then I'm matching the user identity based on this list, VPN MAB list, and the user ned has to be part of the Active Directory contractor group membership. So these two conditions must match for this new authorization profile to be assigned; it's called "VPN Allow-MAC Address Register List". That's my new profile. I hit save for this to go into effect.

Now let me go ahead and kick the user off of VPN, or I'll just log off here, same thing, disconnect. Okay, let me reconnect again here as ned, and I'm reconnected now to VPN. Let's go take a look at the ASA, hit refresh. Okay, ned has connected again; let's look at the details, still a Linux machine, and you can see here now there's a different ACL that got pushed down to the ASA, it's called ASA VPN_MAB, so it's a different ACL. If I take a look at ISE and look at the live logs, you can see here I went from Contractor VPN Allow earlier to, with the new policy that I enforced, ned has now landed in a new profile called VPN Allow-MAC Address Register List, and the rule that we matched is the "Auth VPN MAB only" rule.

Okay, so it works very well, works very easily with ISE as part of the equation, working together with ASA or FTD. All right, hopefully you enjoyed this demo.
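The demo shows the connection profile in ASDM but never the equivalent CLI. The following ASA configuration is an added example, not from the video or from Cisco's documentation for this setup; it assumes placeholder names (server group ISE, pool VPN-POOL, group policy GP-USERNAME, host vpn.example.com) and placeholder addresses and secret. It wires the "username" tunnel group to ISE for authentication and accounting and leaves the per-session ACL out of the group policy, so that the downloadable ACL returned by ISE (ASA VPN-Allow All, or ASA VPN_MAB once the endpoint is in the MAB list and the user is in the AD contractor group) is what the session gets.

```cisco
! RADIUS server group pointing at ISE (IP and key are placeholders)
aaa-server ISE protocol radius
 dynamic-authorization
aaa-server ISE (inside) host 192.0.2.10
 key <ise-shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Address pool handed to AnyConnect clients (placeholder range)
ip local pool VPN-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
!
! Group policy: no vpn-filter is set here on purpose; ISE returns the
! downloadable ACL in the RADIUS Access-Accept and it is applied per session
group-policy GP-USERNAME internal
group-policy GP-USERNAME attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.10.10.53
 address-pools value VPN-POOL
!
! Connection profile "username", authenticating and accounting against ISE
tunnel-group username type remote-access
tunnel-group username general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-USERNAME
tunnel-group username webvpn-attributes
 group-url https://vpn.example.com/username enable
!
! Verification after the user connects:
!   show vpn-sessiondb anyconnect filter name ned
!     -> the "Filter Name" field shows the ACL ISE pushed for this session
!   show access-list
!     -> downloaded ACLs appear as #ACSACL#-IP-<name>-<hash> entries
```

Two things worth checking when reproducing this: the `dynamic-authorization` line is what lets ISE issue a CoA, so a policy change takes effect without the manual disconnect shown in the demo; and the MAC address is reported by the endpoint, so the rule's second condition (AD contractor group membership) is what keeps a known MAC from being sufficient on its own.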
Info

- Channel: Ciscolive Security Fan
- Views: 578
- Keywords: Anyconnect VPN control by mac address
- Id: R1NEkJ38rmA
- Length: 6min 17sec (377 seconds)
- Published: Mon Nov 23 2020