Client IP reporting

When required you can configure Okta to enforce, restrict, or provide different levels of access depending on the IP address, network zone or geolocation of users accessing your RADIUS-enabled system.

After completing the following procedure to enable client IP resolution, you can define network zones by location or IP address. You can then use them in sign-on policies to provide access, enforce MFA, or block access. For more information, see IP Zones.

To configure network zones in your Okta tenant:

  1. To set up a zone:
    1. In the Admin Console, go to Security > Networks. Choose Add Zone > IP Zone.
    2. Provide a name.
    3. In the Gateway IPs field, specify the IP ranges with which your users authenticate to your RADIUS-enabled systems (their client IPs).
    4. In the Proxy IPs field, specify the public-facing IP address of the RADIUS Agent server that proxies each RADIUS request.

      To use the geolocation capability, create a network zone that specifies only proxy IPs.

    5. For more details on setting up IP zones, see Network.
  2. Find the application that you would like to enable this feature for on the Applications page in the Admin Console. Select the app to open the configuration page.
  3. Go to the Sign On tab.
  4. In the Advanced RADIUS Settings section, click Edit.
  5. Select Report Client IP.
  6. Choose the RADIUS attribute that your RADIUS-enabled system uses to pass the client IP address.
    • This varies from vendor to vendor. If you're unsure which attribute to choose, look for it in your vendor's technical documentation or contact their support team.
    • The most common attribute used for this information is 31 Calling Station ID. This is a good place to start if you're unsure.
    • Okta uses whatever value the RADIUS client places in the chosen attribute, so the reported address is only as trustworthy as the RADIUS client that sets it and the shared secret that authenticates its requests to the RADIUS Agent. Some systems put a MAC address or other identifier in Calling Station ID rather than an IP address; in that case the value can't be matched against a zone.
    • You may also use the following table, which lists the attributes used by a few common vendors.

      Common vendor          Typical RADIUS attribute used for client IP
      Cisco                  31 Calling Station ID
      Juniper                31 Calling Station ID
      Citrix NetScaler       31 Calling Station ID
      F5                     31 Calling Station ID
      Palo Alto Networks     26 Vendor Specific: "PAN Vendor ID"
  7. In the Sign On Policy section at the bottom of the page, click Add Rule.
  8. Create rules that allow, block, or require MFA based on the network zones that you created in step 1.
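The following is an added example, not Okta's code or documentation, showing where the client IP in this procedure actually comes from and how a zone built from Gateway IPs and Proxy IPs is evaluated. It encodes RADIUS Access-Requests the way a RADIUS client (NAS) would send them, extracts the client IP from either attribute 31 Calling Station ID or a Palo Alto Vendor-Specific attribute, and then checks that IP against the zone. The vendor ID 25461 is Palo Alto Networks' IANA enterprise number; the sub-attribute number 8 (PaloAlto-Client-Source-IP), the IP ranges and the packet contents are assumptions and constructed sample data, not values from the page. It also shows the failure case noted above: a Calling Station ID holding a MAC address yields no IP, and a request from an unlisted proxy or with a malformed attribute length is rejected rather than passed.

```python
import ipaddress
import struct

# RADIUS code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
PAN_VENDOR_ID = 25461      # Palo Alto Networks IANA enterprise number
PAN_CLIENT_SOURCE_IP = 8   # assumed sub-attribute number; verify against the vendor dictionary


def attr(attr_type, value):
    """Encode one attribute as type(1) length(1) value, per RFC 2865 section 5."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, sub_type, value):
    """Encode a Vendor-Specific attribute (26) carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def access_request(identifier, authenticator, attributes):
    """Prepend the RADIUS header: code, identifier, length, 16-byte authenticator."""
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Walk the attribute list, rejecting any length that would run off the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    pos, out = 20, []
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, sub_type, sub_value) tuples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    pos, out = 4, []
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        sub_type, sub_len = value[pos], value[pos + 1]
        if sub_len < 2 or pos + sub_len > len(value):
            raise ValueError("bad vendor sub-attribute length")
        out.append((vendor_id, sub_type, value[pos + 2:pos + sub_len]))
        pos += sub_len
    return out


def client_ip_from_packet(packet, source):
    """Return the client IP found in the chosen attribute, or None if it is absent
    or not an IP (for example a MAC address in Calling Station ID).
    `source` is ATTR_CALLING_STATION_ID or a (vendor_id, sub_type) pair for a VSA."""
    candidates = []
    for attr_type, value in parse_attributes(packet):
        if source == ATTR_CALLING_STATION_ID and attr_type == ATTR_CALLING_STATION_ID:
            candidates.append(value)
        elif attr_type == ATTR_VENDOR_SPECIFIC and isinstance(source, tuple):
            candidates += [v for vid, st, v in parse_vsa(value) if (vid, st) == source]
    for raw in candidates:
        try:
            return str(ipaddress.ip_address(raw.decode("ascii").strip()))
        except ValueError:  # UnicodeDecodeError is a ValueError too
            continue
    return None


def zone_matches(gateway_cidrs, proxy_cidrs, client_ip, agent_egress_ip):
    """Mimic an IP zone: the request must come from a listed proxy (the RADIUS
    Agent's public egress IP) and carry a client IP inside a listed gateway range.
    A zone that lists only Proxy IPs matches on the proxy alone."""
    proxies = [ipaddress.ip_network(c) for c in proxy_cidrs]
    gateways = [ipaddress.ip_network(c) for c in gateway_cidrs]
    if not any(ipaddress.ip_address(agent_egress_ip) in n for n in proxies):
        return False
    if not gateways:
        return True
    return client_ip is not None and any(ipaddress.ip_address(client_ip) in n for n in gateways)


# Constructed sample requests: a Calling Station ID client, a Palo Alto VSA client,
# and a client whose Calling Station ID carries a MAC address instead of an IP.
AUTH = bytes(range(16))  # placeholder authenticator; real ones are random per request
PKT_CSID = access_request(1, AUTH, [attr(ATTR_USER_NAME, b"alice"),
                                    attr(ATTR_CALLING_STATION_ID, b"203.0.113.45")])
PKT_PAN = access_request(2, AUTH, [attr(ATTR_USER_NAME, b"bob"),
                                   vsa(PAN_VENDOR_ID, PAN_CLIENT_SOURCE_IP, b"198.51.100.7")])
PKT_MAC = access_request(3, AUTH, [attr(ATTR_USER_NAME, b"carol"),
                                   attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")])
GATEWAY_IPS = ["203.0.113.0/24", "198.51.100.0/24"]  # assumed client ranges
PROXY_IPS = ["192.0.2.10/32"]                        # assumed RADIUS Agent egress IP

if __name__ == "__main__":
    for name, pkt, src in [("csid", PKT_CSID, ATTR_CALLING_STATION_ID),
                           ("pan", PKT_PAN, (PAN_VENDOR_ID, PAN_CLIENT_SOURCE_IP)),
                           ("mac", PKT_MAC, ATTR_CALLING_STATION_ID)]:
        ip = client_ip_from_packet(pkt, src)
        print(name, ip, zone_matches(GATEWAY_IPS, PROXY_IPS, ip, "192.0.2.10"))
```

Note that the zone check fails closed when the attribute yields no IP: if your RADIUS client populates Calling Station ID with something other than the client address, a rule scoped to the zone will never match, which is the symptom to look for when a new client type unexpectedly falls into the "not in zone" rules.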