LDAP proxy shows 'Location Unknown 0.0.0.0' in both logs and push notifications

Is there any way to get the Duo Proxy service to pass either the IP address of the LDAP client or some sort of friendly name to the application endpoint? We have a number of services passing through the proxy and there’s currently no way to discern which server or service the the request is coming from without processing the proxy service logs themselves. When a user receives a push the notification shows the source as ‘Location Unknown 0.0.0.0’

No, there isn’t a way to show the client address via the LDAP proxy today. The LDAP specification does not include passing a client IP attribute.

Is RADIUS an option for you? We will show the client IP for a RADIUS request in the authentication request and logs when it’s passed in as the calling-station-id attribute from the authenticating client.

That makes sense but the source IP does appear in the authproxy.log file which means the auth proxy service is at least aware of the source regardless of the LDAP RFC:

2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03AE9EB0>
2020-05-05T10:14:07-0400 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] [Request from **<LDAP client IP>**:65446] Exempt OU: <ldap search account>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x039DBEB0>
2020-05-05T10:14:07-0400 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth
2020-05-05T10:14:07-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x039DBEB0>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x037D77D0>
2020-05-05T10:14:07-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x037D77D0>
2020-05-05T10:14:07-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from **<LDAP client IP>**:65446] Got preauth result for <username>: u'auth'
2020-05-05T10:14:07-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth
2020-05-05T10:14:07-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth>
2020-05-05T10:14:07-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth>
2020-05-05T10:14:17-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from **<LDAP client IP>**:65446] Duo authentication returned 'allow' for <username>: 'Success. Logging you in...'
2020-05-05T10:14:17-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] u'[Request from **<LDAP client IP>**:65446] Success. Logging you in...'
2020-05-05T10:14:17-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth>

I recognize that it might not be as simple as the logs make it look but it at least appears the process should be conducive to posting that client IP to the endpoint during the auth phase.

RADIUS isn’t an option. For now we’re handling it by log enrichment using the authproxy.log. Might be worth reconsidering at some point in the future.

Isn’t the source IP you see the IP address of the LDAP application that is communicating with the authentication proxy, and not the IP address of the client application that is contacting your LDAP application which in turn contacts the Duo proxy server?

end-user client system 1.2.3.4 connects to > application at 1.2.3.5 which connects to > duo proxy server 1.2.3.6 over LDAP which connects to > Duo cloud service

If your end-user clients connect directly to the Duo authentication proxy, that’s not what we see as a typical customer use-case deployment.

I believe most customers who comment on the 0.0.0.0 ip reporting are interested in the IP address of the end-user client for use with location and network based authentication policies, and don’t want to create policy around the IP of the application server (which is probably static).

Isn’t the source IP you see the IP address of the LDAP application that is communicating with the authentication proxy

It is the address of the LDAP application and that’s actually what we are looking for. We have a significant number of LDAP client applications and what we need is a quick way to see which application a user was authenticating from in the Duo web UI and logs. That’s what we’re doing with our log enrichment.

We may be out of the norm but it seems like having the application address would be preferable to null or 0.0.0.0. Perhaps the ability to enable passing the application IP in the config would be the best approach.

I encourage you to contact your account executive, customer success manager, or Duo support (if you don’t have an AE or CSM) to submit a feature request for sending the authenticating source IP to Duo’s service during an LDAP authentication request.