Client IP reporting
When required you can configure Okta to enforce, restrict, or provide different levels of access depending on the IP address, network zone or geolocation of users accessing your RADIUS-enabled system.
After completing the following procedure to enable client IP resolution, you can define network zones by location or IP address. You can then use them in sign-on policies to provide access, enforce MFA, or block access. For more information, see IP Zones.
To configure network zones in your Okta tenant:
- To set up a zone:
- In the Admin Console, go to . Choose .
- Provide a name.
- In the Gateway IPs field, specify the IP ranges with which your users authenticate to your RADIUS-enabled systems (their client IPs).
In the Proxy IPs field, specify the public-facing IP address of the RADIUS Agent server that proxies each RADIUS request.
To use geolocation capability, create a network zone that only specifies proxy IPs.
- For more details on setting up IP zones, see Network.
- Find the application that you would like to enable this feature for on the Applications page in the Admin Console. Select the app to open the configuration page.
- Go to the Single-Sign On tab.
- In the Advanced RADIUS Settings section, click Edit.
- Select Report Client IP.
- Choose the RADIUS attribute that your RADIUS-enabled system uses to pass the client IP address.
- This can vary from vendor to vendor. If you're unsure of which attribute to choose, try to identify this information from your vendors technical instructions or contact their technical team for help.
- The most common attribute used for this information is 31 Calling Station ID . This may be a good place to start if you're unsure.
You may also use the following table, which references the attributes used by a few common vendors.
Typical RADIUS Attributes Used for Client IP Common Vendors Cisco 31 Calling Station ID Juniper 31 Calling Station ID Citrix Netscaler 31 Calling Station ID F5 31 Calling Station ID Palo Alto Networks 26 Vendor Specific: “PAN Vendor ID”
- In the Sign On Policy section at the bottom of the page, click Add Rule.
- Create policies that allow, block, or require MFA based off of the network zones that you create in step 1.