I have an issue with one of our Pulse Secure GW that our customer is using for VPN connections.
They want us to send, from the Pulse Secure GW, the Client IP to the RADIUS server that is handling the authentication for their clients whenever one of their clients connects to the Pulse Secure GW via the desktop app.
But I am unable to find where to enable this.
I tried to add a variable in the Auth.Servers tab -> Radius server -> Settings, and in the bottom half there is:
RADIUS accounting, where I put the variables:
But it looks like this is not the right place to do it. Do you have any tips on how to make it work, please?
Thank you in advance.
As far as I know, the customer wants to see what IP address the PCS sees as the connection.
They want to have some log from which IP Address their people were connecting as far as I understand.
You already set up a RADIUS server with the relevant settings for authentication/authorisation/RADIUS shared secret? - good.
Go to your specific realm and put this server in for accounting.
The standard settings for authorisation should work.
The client IP should be delivered in the field 'Framed-IP-Address'.
If you are still struggling and need to debug:
Do a tcpdump on the internal interface of the PCS and do a dial-in.
As you set up the authentication server, you should also know the RADIUS shared secret.
Wireshark can decrypt your connection to your RADIUS server with this RADIUS shared secret.
Now you should see in the clear what is being sent.
also check this in the auth-server:
[v]Use VPN Tunnel assigned IP Address for FRAMED-IP-ADDRESS/FRAMED-IPV6-ADDRESS attribute value in RADIUS Accounting
hope this helps.
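As an added illustration of the debugging step above (not code from the original thread or from Pulse Secure): a small Python decoder for a RADIUS Accounting-Request that extracts Framed-IP-Address and verifies the Request Authenticator against the shared secret (RFC 2866), so a wrong secret shows up as an authenticator mismatch before you start hunting for missing attributes. The packet, user name, IPs and secret are constructed sample values; Calling-Station-Id is a standard RFC 2865 attribute included on the assumption that a NAS may report the client's source address there, which the thread does not confirm for PCS.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Attribute types from RFC 2865/2866 that matter for this check.
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 40: "Acct-Status-Type"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_attributes(data):
    """Walk the type/length/value attribute list into a dict keyed by name."""
    attrs, pos = {}, 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, value = data[pos], data[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 8:
            attrs[name] = str(IPv4Address(value))
        elif atype == 40:
            attrs[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        else:
            attrs[name] = value.decode("utf-8", "replace")
        pos += alen
    return attrs

def decode_accounting_request(packet, secret):
    """Decode an Accounting-Request; RFC 2866 authenticator = MD5(Code+Id+Length+16 zero bytes+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4:
        raise ValueError("not an Accounting-Request (code %d)" % code)
    attributes = packet[20:length]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attributes + secret).digest()
    result = parse_attributes(attributes)
    result["authenticator_ok"] = expected == packet[4:20]
    return result

def build_accounting_request(ident, secret, attrs):
    """Assemble a valid Accounting-Request from (type, value) pairs."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

# Constructed sample: the secret, user name and addresses are made up for this example.
SECRET = b"testing123"
SAMPLE = build_accounting_request(7, SECRET, [
    (1, b"alice"),
    (40, struct.pack("!I", 1)),               # Acct-Status-Type = Start
    (8, IPv4Address("10.200.0.15").packed),   # tunnel-assigned Framed-IP-Address
    (31, b"203.0.113.42"),                    # Calling-Station-Id: source IP, if the NAS sends it
])
```

Running `decode_accounting_request(SAMPLE, SECRET)` returns the decoded attributes with `authenticator_ok` set to True; feeding the same packet with a different secret flips that flag to False, which is the same symptom a mis-typed shared secret produces in a real capture.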
So to bring a bit of light. I must say I am not very experienced with Pulse Secure; in my current job I am working with Pulse Secure for the first time.
Anyway, the RADIUS under the Auth.Servers tab is configured:
As you can see from the first image yes all is set.
From the second image I am not sure, as you are suggesting to check the Use VPN Tunnel Assigned IP address for FRAMED-IP-ADDRESS. My customer wants to see the very first IP that the user connected from (something like your internet IP if you connected from home or work), as far as I understand from his talks.
And there is one more thing. I created those two custom RADIUS Rules.
1/ The first rule should pop up a window with "Check your mobile app for next step", which I am not sure is working, as I am not exactly sure which ATTRIBUTE I will receive in the Access-Challenge message from the RADIUS server.
2/ The second rule is more like "send this info to the RADIUS server" in case Accounting does not work, which looks like it is not working, as I see this in the logs:
AUT23314 2022-05-11 07:41:41 - ive - [127.0.0.1] Default Network:ystem() - Radius Accounting: Failed to send radius accounting USER session start request for xxxUsers_2FA
Major AUT23314 2022-05-11 07:41:41 - ive - [127.0.0.1] Default Network:ystem() - Radius Accounting: Failed to send radius accounting NC session start request for xxxUsers_2FA
So I asked the customer if they can create a read-only account for me on their new RADIUS server that they want to use for this 2MFA, so I can do the tcpdump while I try to connect from my laptop via the Pulse Secure client and see what Access-Challenge attribute the RADIUS is sending, and test whether that pop-up window is working via custom rule 1 or not at all.