I’ve seen similar issues posted, but no solutions provided. Seems that primary RADIUS server (CentOS 7 with freeradius-3.0.13-10.el7_6.x86_64) always sees the NAS-IP-Address attribute as the IP of the DUO Proxy server IP, not the actual client, even with pass through configured properly:
[main] debug=true [radius_client] host=192.168.10.1 pass_through_all=true [radius_server_auto] radius_ip_1=192.168.10.0/24 radius_secret_1=freeradiussecret failmode=safe client=radius_client port=1812 pass_through_all=true delimiter=;
IP of the DUO proxy server: 192.168.10.5
IP of the server/app I’m authenticating to: 192.168.10.6
Authentication works just fine, but when I look at the Freeradius debug logs, I see this:
Thu Aug 1 15:38:30 2019 Packet-Type = Access-Request NAS-Identifier = "DUO Testing Profile" User-Name = "admin" NAS-IP-Address = 192.168.10.5 Event-Timestamp = "Aug 1 2019 15:38:30 UTC" Timestamp = 1564673910
I was expecting to see NAS-IP-Address = 192.168.0.6
Am I missing something simple?