[SUGGESTION} - Provide public IP of user client when using RADIUS to authenticate SSL VPN users.
ABB_oceansls
Newbie ✭
in SSL VPN
We ran into an issue recently after moving from a Cisco firewall to SonicWall. We use a Duo proxy server so VPN users get MFA prompts when connecting. Previously, when they log in it would log the public IP of the user. This was helpful to monitor a user's location and pull reports proving a user hasn't been compromise or lying about where they are.
Sonicwall does not pass along the public IP of the user client in the login request. So, we lost that functionality which led to an unhappy client. After workign with support, they confirmed that SonicWall doe snot pass this information along.
It would be helpful to have the option to enable that funcitonality.
Category: SSL VPN
Tagged:
0
Answers
The client IP and username is logged within the Sonicwall device/user/status (on a firewall), I suspect what you are looking for is a RADIUS response which contains the client IP
That's correct Mark, the previous Cisco firewall passed the public IP information to the RADIUS server along with the username and password. SonicWall firewalls only pass the username and password. I am suggesting that SonicWall engineers provide the option to pass that info along, as it might be useful for certain scenarios.
@abb_oceansls I totally support this, because without the originating IP the authentication server (radius) isn't able to do additional checks like Geo-Velocity, granular fail2ban etc.
But I wouldn't hold my breath that will ever see the day of light.
—Michael@BWC
That's a shame. The support agent I worked with, who was very diligent and helpful, advised me to post here because he said SonicWall does pay attention to these posts.
🤣 that was a good one, I assume the Support Agent meant well, but reality differs a bit (to a lot), at least in my opinion as a frequent flyer.
—Michael@BWC
@ABB_oceansls if it's mandatory that your Radius Servers can see the Clients IP address, you might look into the SMA 500v as alternative to the built-in SSL VPN functionality. It comes with Wireguard as well, which is a big plus.
The SMA gives you the option "Use Client IP For Radius Server Logging" which populates the NAS-IP-Address Radius Attribute with the IP address of the originating endpoint.
I know that the end is in sight for the SMA, but it's still a viable and affordable solution. SASE/ZTNA is probably all what SNWL has focus on.
—Michael@BWC
Thanks Michael, I'll keep this in mind and let my team know.