When looking through the authentication logs for the Windows Agent in the management console, finding that 90% of the time there is no IP associated with the Windows Agent events. Looking at my laptop logs, I see a random mix of when it shows an IP or just shows 0.0.0.0. Since the agent is actually running on the computer making the request, shouldn’t it be able to always pass up the IP of the machine it is on? Is there something that is not configured on our part to ensure that an IP is reported? The hostname is always reported.
Have you seen this article? Why does Duo Authentication for Windows Logon report the client IP address as 0.0.0.0 for local console logins?
Thank you Kristina, that is what I was looking for. Of course that doesn’t make any sense to me. Events logged should have an IP address so we can see where it is coming from. If using Authorized Network policies is a hole with the agent, fine, but at least still log the event with the IP address. If the user gets hit with a bunch of push events and fails them, we should at least know the IP that generated the auth req.
Please contact your Duo Account Executive or Customer Success Manager (if you have one) or Duo Support (if you don’t) to support a feature request to report the client IP address during local Windows logins while preventing use of the self-reported client IP in the Authorized Networks policy.