How to configure a Palo Alto device to send the public client IP to Rublon?

Modified on Tue, 06 Feb 2024 at 10:32 AM

Some applications do not send the public client IP address using the standard RADIUS attribute Calling-Station-Id. This might cause the public client IP not to show up in Authentication Logs.


One of these applications is Palo Alto, which uses a new RADIUS attribute containing the client IP address - PaloAlto-Client-Source-IP.


The PaloAlto-Client-Source-IP attribute was introduced in PAN-OS v7. So, this solution only works for SSL VPN devices from Palo Alto Networks that run on PAN-OS version 7.0.1 or higher.


How to enable the public client IP for Palo Alto?

To enable the client IP attribute PaloAlto-Client-Source-IP:

  1. Access the administration shell of the PA device:

set authentication radius-vsa-on client-source-ip

  1. Edit the rublonauthproxy/config/config.json file and change CLIENT_IP_ATTR to paloalto.

  2. Restart the Rublon Authentication Proxy service for the changes to take effect.


Palo Alto should now send the public client IP address properly. Rublon will display it in Authentication Logs.


Helpful Links

Why does the public client IP not show up in Authentication Logs?

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article