Why does the public client IP not show up in Authentication Logs, making Authorized Networks not work?

Modified on Mon, 04 Mar 2024 at 04:54 PM

Each client gets the IP of the RADIUS server instead of their own public client IP?

This makes the public client IP not show up in the Authentication Logs?

Which, in turn, makes Authorized Networks not work?

If this is the issue you’re facing, you’re in the right place.

What’s happening?

Rublon Authentication Proxy relies entirely on the IP received from the application or VPN.

The Rublon Authentication Proxy has no control over the data it receives. The Auth Proxy always tries to send the real public client IP address. But this is not always possible.

How does Auth Proxy obtain the public IP address?

  • client_ip_attr in the config.json file defines the name of the RADIUS attribute which contains the IP address. The Auth Proxy expects to receive an attribute with the specified name during authentication and later display it in the Authentication Logs tab of the Rublon Admin Console.

  • If the client_ip_attr is not found within the request authentication packet from the application, the Auth Proxy will use the IP address found in the UDP datagram, which is the local client IP address or the IP address of the internal RADIUS server.

  • By default, client_ip_attr is set to Calling-Station-Id. Unfortunately, applications do not always return this value correctly (or at all).

So, how do I fix this?

  • Take a look at the technical documentation of your application or contact their support. Look for information on the name of the public client IP address attribute. If you find a name different from Calling-Station-ID, simply replace the value of client_ip_attr in config.json.

  • However, the preceding is not always possible. Some applications simply do not send the public client IP address in any way or form. This may be the case for your application, too, in which case no solution exists.

Which applications can cause such an issue?

The following applications are known to not send the Calling-Station-ID attribute:

Helpful Links

How to configure a Palo Alto device to send the public client IP to Rublon?

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article