Version Affected: All
When using a SecureAuth IdP RADIUS server integration with Palo Alto Networks GlobalProtect Gateway clients or Portal access, RADIUS server authentication logs may show the endpoint IP as the IP address of the VPN server.
GlobalProtect does not send the client IP address using the standard RADIUS attribute Calling-Station-Id. However, Palo Alto Networks PAN-OS v7 includes a new RADIUS attribute (PaloAlto-Client-Source-IP) that contains the client IP address. This attribute can be enabled via the Palo Alto Networks administration shell to send the client IP to the SecureAuth IdP RADIUS server.
1. Connect to the Palo Alto Networks administration shell.
2. Enable the PaloAlto-Client-Source-IP attribute so that the client IP is sent to the SecureAuth IdP RADIUS server by entering:
   set authentication radius-vsa-on client-source-ip
3. On the RADIUS server, go to the RADIUS Clients tab, change the RADIUS End User IP field to PaloAlto-Client-Source-IP, then save.
Note that UserHostAddress in the realm audit logs will still show the IP address of the RADIUS server (127.0.0.1 if installed on the same machine as IdP), not the end user IP. This is expected behaviour.
However, Adaptive Authentication will see the correct end user address.
The RADIUS server logs will also report the correct end user IP address.
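To confirm on the RADIUS side that the gateway is actually sending the attribute, the following added example (not SecureAuth or Palo Alto Networks code) parses an Access-Request and reports which attribute supplied the end user IP. The vendor ID 25461 and sub-attribute number 7 are assumptions taken from the commonly distributed Palo Alto Networks RADIUS dictionary, and the sample packets are constructed.

```python
import ipaddress
import struct

# Assumed values from the commonly distributed Palo Alto Networks RADIUS
# dictionary (not from the article); check them against your dictionary file.
PA_VENDOR_ID, CLIENT_SOURCE_IP = 25461, 7   # sub-attribute 7 carries the IP as text
VSA, CALLING_STATION_ID, NAS_IP_ADDRESS = 26, 31, 4

def iter_tlv(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute length")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def end_user_ip(packet):
    """Return (attribute_name, ip) chosen for an Access-Request, else (None, None)."""
    total = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != b"\x01" or not 20 <= total <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = {}
    for typ, val in iter_tlv(packet[20:total]):
        if typ == VSA and len(val) > 4 and struct.unpack("!I", val[:4])[0] == PA_VENDOR_ID:
            for sub, sval in iter_tlv(val[4:]):
                if sub == CLIENT_SOURCE_IP:
                    found["PaloAlto-Client-Source-IP"] = sval.decode("ascii", "replace")
        elif typ == CALLING_STATION_ID:
            found["Calling-Station-Id"] = val.decode("ascii", "replace")
        elif typ == NAS_IP_ADDRESS and len(val) == 4:
            found["NAS-IP-Address"] = str(ipaddress.IPv4Address(val))
    # Prefer the VSA; NAS-IP-Address is the VPN server, i.e. the symptom described above.
    for name in ("PaloAlto-Client-Source-IP", "Calling-Station-Id", "NAS-IP-Address"):
        try:
            return name, str(ipaddress.ip_address(found.get(name, "")))
        except ValueError:
            continue
    return None, None

def build_request(attrs):
    """Build a constructed Access-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

NAS = (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed)  # constructed sample data
CLIENT = b"203.0.113.45"
PA_VSA = (VSA, struct.pack("!I", PA_VENDOR_ID) + bytes([CLIENT_SOURCE_IP, len(CLIENT) + 2]) + CLIENT)
BEFORE, AFTER = build_request([NAS]), build_request([NAS, PA_VSA])
```

Calling end_user_ip(BEFORE) falls back to NAS-IP-Address (the VPN server), while end_user_ip(AFTER) returns the address carried in PaloAlto-Client-Source-IP.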
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.