LDAP proxy shows 'Location Unknown 0.0.0.0' in both logs and push notifications

Cervero
Level 1

Is there any way to get the Duo Proxy service to pass either the IP address of the LDAP client or some sort of friendly name to the application endpoint? We have a number of services passing through the proxy and there’s currently no way to discern which server or service the request is coming from without processing the proxy service logs themselves. When a user receives a push the notification shows the source as ‘Location Unknown 0.0.0.0’

5 Replies

DuoKristina
Cisco Employee

No, there isn’t a way to show the client address via the LDAP proxy today. The LDAP specification does not include passing a client IP attribute.

Is RADIUS an option for you? We will show the client IP for a RADIUS request in the authentication request and logs when it’s passed in as the calling-station-id attribute from the authenticating client.

Duo, not DUO.

That makes sense but the source IP does appear in the authproxy.log file which means the auth proxy service is at least aware of the source regardless of the LDAP RFC:

2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03AE9EB0>
2020-05-05T10:14:07-0400 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] [Request from **<LDAP client IP>**:65446] Exempt OU: <ldap search account>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x039DBEB0>
2020-05-05T10:14:07-0400 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth
2020-05-05T10:14:07-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x039DBEB0>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x037D77D0>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x037D77D0>
2020-05-05T10:14:07-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from **<LDAP client IP>**:65446] Got preauth result for <username>: u'auth'
2020-05-05T10:14:07-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth
2020-05-05T10:14:07-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth>
2020-05-05T10:14:07-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth>
2020-05-05T10:14:17-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from **<LDAP client IP>**:65446] Duo authentication returned 'allow' for <username>: 'Success. Logging you in...'
2020-05-05T10:14:17-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] u'[Request from **<LDAP client IP>**:65446] Success. Logging you in...'
2020-05-05T10:14:17-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth>

I recognize that it might not be as simple as the logs make it look but it at least appears the process should be conducive to posting that client IP to the endpoint during the auth phase.

RADIUS isn’t an option. For now we’re handling it by log enrichment using the authproxy.log. Might be worth reconsidering at some point in the future.
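The log-enrichment approach described in the post above, written out as an added example; this is not code from the thread or from Duo. It assumes only the line shapes visible in the quoted authproxy.log excerpt (timestamp, bracketed logger tag, optional "[Request from IP:port]" prefix, "Got preauth result for …" and "Duo authentication returned … for …" messages) and treats the client socket pair as the correlation key for one LDAP bind. The sample log text, the IP addresses, user names and the application-name map are all constructed placeholders.

```python
"""Enrich Duo Authentication Proxy LDAP log lines with the LDAP client address.

Added example, not Duo's code. Assumption: the line shapes match the authproxy.log
excerpt quoted in the thread; everything else here is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread's excerpt (placeholder IPs/users).
SAMPLE_LOG = """\
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03AE9EB0>
2020-05-05T10:14:07-0400 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] [Request from 10.0.0.25:65446] Exempt OU: svc_ldap_search
2020-05-05T10:14:07-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.0.0.25:65446] Got preauth result for jdoe: u'auth'
2020-05-05T10:14:17-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.0.0.25:65446] Duo authentication returned 'allow' for jdoe: 'Success. Logging you in...'
2020-05-05T10:14:17-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] u'[Request from 10.0.0.25:65446] Success. Logging you in...'
2020-05-05T10:15:02-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.0.0.40:51200] Got preauth result for asmith: u'auth'
2020-05-05T10:15:40-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.0.0.40:51200] Duo authentication returned 'deny' for asmith: 'Login request denied.'
"""

# Constructed: operator-maintained map from LDAP application address to a friendly name.
APP_NAMES: Dict[str, str] = {"10.0.0.25": "vpn-gateway", "10.0.0.40": "wiki"}

LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<tag>[^\]]*)\] (?P<msg>.*)$")
REQUEST_RE = re.compile(r"\[Request from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\]")
PREAUTH_RE = re.compile(r"Got preauth result for (?P<user>\S+): u?'(?P<result>\w+)'")
AUTH_RE = re.compile(
    r"Duo authentication returned '(?P<result>\w+)' for (?P<user>\S+): '(?P<detail>[^']*)'"
)


@dataclass
class LdapAuthEvent:
    """One LDAP bind seen by the proxy, keyed by the client's IP:port pair."""
    client_ip: str
    client_port: int
    application: str                 # friendly name, or "unknown application"
    user: Optional[str] = None
    preauth: Optional[str] = None    # e.g. 'auth', 'allow', 'deny' from the preauth call
    result: Optional[str] = None     # final Duo decision: 'allow' / 'deny'
    detail: Optional[str] = None
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None


def enrich(log_text: str, app_names: Dict[str, str]) -> List[LdapAuthEvent]:
    """Correlate authproxy.log lines per client socket and attach the application name."""
    events: Dict[Tuple[str, int], LdapAuthEvent] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        req = REQUEST_RE.search(msg)
        if not req:
            continue  # factory start/stop and HTTP POST lines carry no client address
        key = (req.group("ip"), int(req.group("port")))
        ev = events.get(key)
        if ev is None:
            ev = LdapAuthEvent(
                client_ip=key[0],
                client_port=key[1],
                application=app_names.get(key[0], "unknown application"),
                first_seen=m.group("ts"),
            )
            events[key] = ev
        ev.last_seen = m.group("ts")
        pa = PREAUTH_RE.search(msg)
        if pa:
            ev.user, ev.preauth = pa.group("user"), pa.group("result")
        au = AUTH_RE.search(msg)
        if au:
            ev.user, ev.result, ev.detail = au.group("user"), au.group("result"), au.group("detail")
    # Timestamps share one UTC offset in this log, so lexical order is chronological.
    return sorted(events.values(), key=lambda e: e.first_seen or "")


if __name__ == "__main__":
    for ev in enrich(SAMPLE_LOG, APP_NAMES):
        print(f"{ev.first_seen} {ev.user} via {ev.application} ({ev.client_ip}) -> {ev.result}")
```

The socket pair is what ties the "Exempt OU", preauth and final-decision lines together, since the proxy logs nothing else that identifies one bind; a reused ephemeral port from the same application would collide, so a production version should also bound correlation by time.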

Isn’t the source IP you see the IP address of the LDAP application that is communicating with the authentication proxy, and not the IP address of the client application that is contacting your LDAP application which in turn contacts the Duo proxy server?

end-user client system 1.2.3.4 connects to > application at 1.2.3.5 which connects to > duo proxy server 1.2.3.6 over LDAP which connects to > Duo cloud service

If your end-user clients connect directly to the Duo authentication proxy, that’s not what we see as a typical customer use-case deployment.

I believe most customers who comment on the 0.0.0.0 IP reporting are interested in the IP address of the end-user client for use with location and network based authentication policies, and don’t want to create policy around the IP of the application server (which is probably static).

Duo, not DUO.

Isn’t the source IP you see the IP address of the LDAP application that is communicating with the authentication proxy

It is the address of the LDAP application and that’s actually what we are looking for. We have a significant number of LDAP client applications and what we need is a quick way to see which application a user was authenticating from in the Duo web UI and logs. That’s what we’re doing with our log enrichment.

We may be out of the norm but it seems like having the application address would be preferable to null or 0.0.0.0. Perhaps the ability to enable passing the application IP in the config would be the best approach.

I encourage you to contact your account executive, customer success manager, or Duo support (if you don’t have an AE or CSM) to submit a feature request for sending the authenticating source IP to Duo’s service during an LDAP authentication request.

Duo, not DUO.