cancel
Showing results for 
Search instead for 
Did you mean: 

Pulse Secure to communicate client IP to RADIUS server

Jokos
Occasional Contributor

Pulse Secure to communicate client IP to RADIUS server

Hello guys. 
I have an issue with one of our Pulse Secure GW that our customer is using for VPN connections.

They want from us to send from Pulse Secure GW the information when some of thier client will connect to the Pulse Secure GW via desktop app , to send the Client IP  to the RADIUS server that is handling the authenticaiton for their clients.   

 

But I am unable to find where to enable this.   

I tried to add variable  in Auth.Servers tab -> Radius server -> Settings and in bottom half there is : 
RADIUS accounting where I put the variables: 

<USER><SOURCEIP>

 

But looks like it is not the right place to do this.  Do you know of some tips how to make it work please ? 

Thank you in  advance.

Tags (1)
5 REPLIES 5
zanyterp
Moderator

Re: Pulse Secure to communicate client IP to RADIUS server

are you trying to send the physical source ip address or the ip address that the pcs sees as the connection?
Jokos
Occasional Contributor

Re: Pulse Secure to communicate client IP to RADIUS server

Hello 

As far as I know customer wants to see what IP Address the PCS see as the connection. 

They want to have some log from which IP Address their people were connecting as far as I understand. 

zanyterp
Moderator

Re: Pulse Secure to communicate client IP to RADIUS server

thank you for the update. i do not believe that can be sent in the radius request/update. do they have access to the admin console to pull that info?
yutsi
Occasional Contributor

Re: Pulse Secure to communicate client IP to RADIUS server

hello,

you aready setup an radius server with the regarding settings for authentication/authorisation/radius shared secret? - good.

 

go to your specific realm and put this server in for accounting.

the standard settings for authorisation should work.

 

the clientip should be delivered in the field 'framed-ip-adress'.

 

if you are still struggle and need to debug:

do a tcpdump on the internal interface of pcs and do an dialin.

as you setup the authentication-server, you also should know the radius-shared-secret.

wireshark can decrypt your connection to your radius server with this radius-shared-secret.

now you should see in clear, what will be sent.

 

also check this in the auth-server:
[v]Use VPN Tunnel assigned IP Address for FRAMED-IP-ADDRESS/FRAMED-IPV6-ADDRESS attribute value in RADIUS Accounting

 

hope this helps.

Jokos
Occasional Contributor

Re: Pulse Secure to communicate client IP to RADIUS server

Hello,

So to bring a bit of light. I must say I am not very experienced with Pulse Secure , in my current job I am working for the first time with Pulse Secure.

 

Anyway the RADIUS under Auht.Servers tab is configured :

RADIUS settings 1 

RADIUS settings 2 

 

As you can see from the first image yes all is set.  

From the second image I am not sure as you are suggesting to check the Use VPN Tunnel Assinged IP address for FRAMED-IP-ADDRESS.  My customer wants to see the very first IP that the user connected from ( something like your internet IP if you connected from home work ) as far as I understand from his talks. 

And there is one more thing. I created those two custom RADIUS Rules. 

1/ The first one rule should pop some window with Check you mobile app for next step  which I am not sure it is working as I am not exactly sure which ATTRIBUTE I will receive in Access  Challenge message from RADIUS server.   

2/ Second rule is more like send this info to the RADIUS server in case Accounting will not work which looks like it is not working as I see in logs this :

	AUT23314	2022-05-11 07:41:41 - ive - [127.0.0.1] Default Network:Smiley Frustratedystem()[] - Radius Accounting: Failed to send radius accounting USER session start request for xxxUsers_2FA
Major	AUT23314	2022-05-11 07:41:41 - ive - [127.0.0.1] Default Network:Smiley Frustratedystem()[] - Radius Accounting: Failed to send radius accounting NC session start request for xxxUsers_2FA

So I asked the customer if they can create for me some readonly account on their new RADIUS server that they want to use for this 2MFA  so I can do the TCPDUMP when I will be trying to connect from my laptop via the Pulse Secure client so I can see what Access Challenge Attribute the RADIUS is sending.   And test if thet pop up window is working via that custom rule 1 or not at all.