11-11-2022 08:15 AM
We have a working Duo Authentication Proxy acting as a RADIUS server for Meraki VPN, which passes authentication to Active Directory. This works, we have MFA, and everything is good. Now we want to add the ability to set a static IP for specific AD users. I’ve done this with Microsoft NPS, relying on the msRADIUSFramedIPAddress attribute, but is there a configuration option in the Duo Authentication Proxy to either retrieve that attribute for the AD user being authenticated and pass it back, or, instead of authenticating via ad_client, perhaps switch to radius_client and authenticate with Microsoft NPS to achieve the end result?
11-14-2022 09:51 AM
Yes, you could switch to [radius_client] and point that to NPS, and set one of the RADIUS attribute pass_through_.. optional config settings described in here.
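As an added illustration of the two-section layout that reply describes (this is not configuration from the thread or from Duo's documentation; hostnames, IPs, keys and secrets are placeholders, and the pass_through options are assumed to belong in the [radius_server_auto] section that fronts the Meraki MX, per the Duo Authentication Proxy reference):

```ini
; Primary authentication goes to NPS over RADIUS instead of [ad_client].
; Placeholder host and secret: replace with the real NPS server values.
[radius_client]
host=nps.example.internal
secret=PLACEHOLDER_NPS_SHARED_SECRET
port=1812

; The Meraki MX sends its RADIUS requests here; the proxy adds the Duo second factor
; and relays the primary result from [radius_client].
[radius_server_auto]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Placeholder: the MX address that sends RADIUS to the proxy, and its shared secret.
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_MX_SHARED_SECRET
client=radius_client
port=1812
failmode=safe
; Forward only the attribute needed for the static IP assignment...
pass_through_attr_names=Framed-IP-Address
; ...or forward every attribute NPS returns (the setting used later in this thread):
; pass_through_all=true
```

Keeping the pass-through list to Framed-IP-Address limits what NPS policy output reaches the VPN concentrator; pass_through_all=true is the quicker way to confirm whether the proxy relays the attribute at all, which is what the next post tries.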
11-14-2022 01:53 PM
I did switch to [radius_client] and added pass_through_all=true. In my Microsoft NPS log I can see the IP is being sent back to Duo:
"REDACTED-DC","IAS",11/11/2022,19:05:34,1,"dbrown","V1CORP\dbrown","CLIENTVPN","REDACTED-IP",1,0,"10.27.1.3","Duo-proxy",1,2,1,"AnyConnect-MX",0,"311 1 REDACTED-IP 11/11/2022 23:55:43 6","IPSec-MX-Duo",1,
"REDACTED-DC","IAS",11/11/2022,19:05:34,2,"V1CORP\dbrown","10.27.11.50",0,"REDACTED-IP","Duo-proxy",1,2,1,"AnyConnect-MX",0,"311 1 REDACTED-IP 11/11/2022 23:55:43 6","IPSec-MX-Duo",1,
The 10.27.11.50 is the static IP I set in the NPS Network Policy as a test. If I configure Meraki to use my NPS server as the RADIUS server, I can connect and that IP is assigned to the client. If I put the Duo proxy in between, NPS seems to send that IP back to Duo, but Duo does not seem to relay it to my client. I also see this in the Duo authproxy.log:
2022-11-11T19:05:34.641903-0500 [duoauthproxy.lib.log#info] Invalid single ip: CLIENTVPN.
2022-11-11T19:05:34.641903-0500 [duoauthproxy.lib.log#info] User IP not provided. Authorized Networks policies will not work for this authentication.
I don’t know if that log is relevant to the issue at hand, but it stood out.
11-29-2022 08:26 AM
Hmm, that excerpt from authproxy.log makes it sound like it’s receiving CLIENTVPN as the IP value instead of the actual IP.
If you were to run a packet capture at the Duo proxy (like with Wireshark) and decrypt the contents of the RADIUS packet sent from NPS to the Duo Authentication Proxy, what is in the packet? Some attribute has the actual value of CLIENTVPN?
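To make that capture check concrete, here is an added example (not code from this thread, from Duo, or from Microsoft): a small stdlib-only Python parser for the RADIUS reply NPS sends to the proxy. It verifies the Response Authenticator against the shared secret and the Request Authenticator from the matching Access-Request, decodes the attributes, and reports whether Framed-IP-Address (attribute 8) is actually present. Apart from the password in the request and vendor key attributes, RADIUS attributes are sent in the clear, so a capture on the proxy shows them directly; running the same parser over the proxy's reply to the MX then shows whether the attribute survived the hop. The packet, identifier, secret and the choice of Called-Station-Id as the attribute carrying "CLIENTVPN" are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet code and the attribute types that matter in this thread (RFC 2865).
ACCESS_ACCEPT = 2
ATTR_FRAMED_IP = 8
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 25: "Class",
              30: "Called-Station-Id", 31: "Calling-Station-Id"}
TEXT_ATTRS = {1, 30, 31}


def encode_attr(attr_type, value):
    """Encode one attribute as Type / Length / Value."""
    if attr_type == ATTR_FRAMED_IP:
        value = ipaddress.IPv4Address(value).packed
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_radius_reply(packet, request_authenticator, secret):
    """Decode a RADIUS reply and check it was produced with the shared secret.
    Returns the code, identifier, an 'authentic' flag and the decoded attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    authentic = hmac.compare_digest(packet[4:20], expected)

    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError(f"bad attribute length {attr_len} at offset {pos}")
        raw = body[pos + 2:pos + attr_len]
        if attr_type == ATTR_FRAMED_IP and len(raw) == 4:
            value = str(ipaddress.IPv4Address(raw))
        elif attr_type in TEXT_ATTRS:
            value = raw.decode("utf-8", errors="replace")
        else:
            value = raw.hex()  # opaque attributes such as Class are shown as hex
        attrs[ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")] = value
        pos += attr_len
    return {"code": code, "id": identifier, "authentic": authentic, "attrs": attrs}


def framed_ip_from_accept(packet, request_authenticator, secret):
    """Return the Framed-IP-Address carried by an authentic Access-Accept, else None."""
    reply = parse_radius_reply(packet, request_authenticator, secret)
    if reply["code"] != ACCESS_ACCEPT or not reply["authentic"]:
        return None
    return reply["attrs"].get("Framed-IP-Address")


# Constructed sample standing in for the NPS reply shown in the thread's log.
# The Request Authenticator would normally be read from the captured Access-Request.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ACCEPT = build_access_accept(
    identifier=7, request_authenticator=SAMPLE_REQUEST_AUTH, secret=SAMPLE_SECRET,
    attrs=[(1, "dbrown"), (ATTR_FRAMED_IP, "10.27.11.50"), (30, "CLIENTVPN")])

if __name__ == "__main__":
    print(parse_radius_reply(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print("Framed-IP-Address:",
          framed_ip_from_accept(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

Feed the raw UDP payloads exported from the capture to parse_radius_reply with the proxy's shared secrets: if the NPS reply lists Framed-IP-Address but the proxy's reply to the MX does not, the attribute is being dropped at the proxy rather than by NPS, and the Called-Station-Id value explains where a string like "CLIENTVPN" is landing in a field the proxy tries to parse as an IP.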