Client IP reporting

When required you can configure Okta to enforce, restrict, or provide different levels of access depending on the IP address, network zone or geolocation of users accessing your RADIUS-enabled system.

After completing the following procedure to enable client-ip resolution, you can define network zones by location or IP address and use them in sign-on policies to provide access, enforce MFA, or block access. For more information, see IP Zones.

To configure Network Zones in your Okta tenant:

  1. To set up a zone:
    1. In the Admin Console, go to SecurityNetworks. Choose Add Zone > IP Zone.
    2. Provide a name.
    3. In the Gateway IPs field, specify the IP ranges with which your users will authenticate to your RADIUS-enabled systems (their client IPs).
    4. In the Proxy IPs field, specify the public-facing IP address of the RADIUS Agent server that will proxy each RADIUS request.

      Note: To use geolocation capability, create a network zone that only specifies proxy IPs.

    5. For more details on setting up IP zones, see Network.
  2. Find the application you would like to enable this feature for from the Applications page in the Okta Dashboard. Select the app to open up the app configuration page.
  3. Navigate to the Single-Sign On page and locate the Advanced RADIUS Settings section towards the bottom of the page. Click Edit.
  4. Select Report Client IP.
  5. Choose the RADIUS attribute that your RADIUS-enabled system uses to pass the client-IP address.
    • This can vary from vendor to vendor so if you are unsure of which attribute to choose, try to identify this information from your vendors technical instructions or contact their technical team for help.
    • The most common attribute used for this information is 31 Calling Station ID so that may be a good place to start if you are unsure.
    • You may also use the table below that references the attributes used by a few common vendors for help.

      Typical RADIUS Attributes Used for Client IP Common Vendors
      Cisco31 Calling Station ID
      Juniper31 Calling Station ID
      Citrix Netscaler31 Calling Station ID
      F531 Calling Station ID
      Palo Alto Networks26 Vendor Specific: “PAN Vendor ID”
  6. In the Sign On Policy section at the bottom of the page, click Add Rule and create policies that allow, block, or require MFA based off of the network zones you created in step 1.