identify client in WebSrv logs


Kyle Duren

Oct 24, 2013, 7:18:15 PM10/24/13
to rcdevs-t...@googlegroups.com
Hello, I've gotten Palo Alto VPN working great with radius_bridge and such for 2FA. I've also been working on getting some Linux machines to use OpenOTP for 2FA as well, and I noticed that you can pass the "client" name to the OpenOTP server, which makes for very nice log entries. However, I'm not sure how to make something like that work for the various RADIUS clients:

This is from the radius_bridge vpn system, which works fine, but lacks some useful info:

2013-10-24 22:53:42 OpenOTP OpenOTP CN=User Name,CN=Users,DC... [NA] 162A1EEB Authentication success (LDAP & TOKEN)
2013-10-24 22:53:42 OpenOTP OpenOTP CN=User Name,CN=Users,DC... [NA] 162A1EEB New openotpChallenge request (domain\user)

This is from a Linux machine running the OpenOTP modules and such, which allows you to pass whatever client "name" you want in the pam.d config file (so you can actually identify each server that they logged into, and from what IP they started the connection attempt).

2013-10-24 22:22:28 OpenOTP testserver-SSH CN=User Name,CN=Users,DC... 192.168.114.xxx E24EABFB Authentication success (LDAP & TOKEN)
2013-10-24 22:22:28 OpenOTP testserver-SSH CN=User Name,CN=Users,DC... 192.168.114.xxx E24EABFB New openotpSimpleLogin request (domain\user)

Two things: How can I get the radius_bridge to pass the custom Client Name instead of using "openOTP" and how can I get the original client IP passed through radius_bridge also to the WebSrv logs?

Administrators

Oct 25, 2013, 4:09:38 AM10/25/13
to rcdevs-t...@googlegroups.com
With RADIUS it's very simple: set the NAS-Identifier on your VPN or any other RADIUS client.
The NAS-Identifier is used as the client ID with RADIUSBridge.

Note: The client ID is not only for the logs. It's mainly used for "client policies": in WebADM you can create a Client Policy Object with the same name as your client ID. Then you can define many things per application or set of applications. This is one of the most powerful features in WebADM.
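To make the mechanism described in this reply concrete, here is an added example (not code from RCDevs, RADIUSBridge, or anyone in this thread) in Python. It builds a minimal RFC 2865 Access-Request carrying the standard NAS-Identifier attribute (type 32), parses the attributes back out as a RADIUS server would, and derives the client ID the way the reply describes. It also parses OpenOTP WebSrv log lines in the format quoted in the question and flags entries that still show the generic client ID or no source IP. Assumptions: the fallback client ID "OpenOTP" is inferred from the quoted logs rather than stated on the page, and using Calling-Station-Id (type 31) to carry the originating IP is a common RADIUS convention, not something the thread confirms for RADIUSBridge. The sample packet values and log lines are constructed for the example.

```python
import os
import re
import struct

# Standard RFC 2865 codes and attribute types (not RADIUSBridge-specific).
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31   # assumption: carries the originating client IP
NAS_IDENTIFIER = 32       # the attribute the reply says becomes the client ID


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type(1) length(1, includes header) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, nas_identifier, nas_ip, calling_station_id,
                         identifier=1, authenticator=None):
    """Build an Access-Request with the attributes a well-configured NAS would send."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join([
        _attr(USER_NAME, username.encode()),
        _attr(NAS_IDENTIFIER, nas_identifier.encode()),
        _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        _attr(CALLING_STATION_ID, calling_station_id.encode()),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Parse a RADIUS packet; returns (code, identifier, {attr_type: raw_value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, attrs


def client_id_for_log(attrs, default="OpenOTP"):
    """Client ID rule from the reply: NAS-Identifier if present, else a generic default (assumed)."""
    raw = attrs.get(NAS_IDENTIFIER)
    return raw.decode(errors="replace") if raw else default


def source_ip_for_log(attrs):
    """Originating IP from Calling-Station-Id (assumption), else the '[NA]' seen in the logs."""
    raw = attrs.get(CALLING_STATION_ID)
    return raw.decode(errors="replace") if raw else "[NA]"


# WebSrv log format as quoted in the question: date time service client DN source session message
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.+?) (\S+) ([0-9A-F]{8}) (.+)$")

# Constructed sample lines in that format (values are not real hosts or users).
SAMPLE_LOG = """\
2013-10-24 22:53:42 OpenOTP OpenOTP CN=User Name,CN=Users,DC=example,DC=test [NA] 162A1EEB Authentication success (LDAP & TOKEN)
2013-10-24 22:53:42 OpenOTP OpenOTP CN=User Name,CN=Users,DC=example,DC=test [NA] 162A1EEB New openotpChallenge request (domain\\user)
2013-10-24 22:22:28 OpenOTP testserver-SSH CN=User Name,CN=Users,DC=example,DC=test 192.0.2.25 E24EABFB Authentication success (LDAP & TOKEN)
2013-10-24 22:22:28 OpenOTP testserver-SSH CN=User Name,CN=Users,DC=example,DC=test 192.0.2.25 E24EABFB New openotpSimpleLogin request (domain\\user)
"""


def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    keys = ("time", "service", "client", "dn", "source", "session", "message")
    return dict(zip(keys, m.groups()))


def audit_log(text, generic_client="OpenOTP"):
    """Return entries whose client ID or source IP does not identify the RADIUS client."""
    flagged = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if not entry:
            continue
        reasons = []
        if entry["client"] == generic_client:
            reasons.append("generic client ID")
        if entry["source"] == "[NA]":
            reasons.append("no source IP")
        if reasons:
            flagged.append((entry["session"], entry["client"], entry["source"], reasons))
    return flagged


if __name__ == "__main__":
    pkt = build_access_request("domain\\user", "PaloAlto", "192.0.2.10", "203.0.113.5")
    _, _, attrs = parse_attributes(pkt)
    print(client_id_for_log(attrs), source_ip_for_log(attrs))
    for item in audit_log(SAMPLE_LOG):
        print(item)
```

Running the audit over the log excerpt identifies exactly the two VPN entries as the ones to fix, which is the practical check to repeat after renaming the RADIUS client on the NAS side: once the NAS-Identifier is set, the client column should show that name instead of the generic value.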

Kyle Duren

Oct 28, 2013, 8:22:50 PM10/28/13
to rcdevs-t...@googlegroups.com
Sadly I don't think there is any way to adjust a value like that in the Palo Alto system.

I'll have to double check what value it's sending by default....

Administrators

Oct 29, 2013, 4:21:10 AM10/29/13
to rcdevs-t...@googlegroups.com
According to your log, the Client ID seems to be set to "OpenOTP". So I think there is a setting in the Palo Alto VPN which you have set to "OpenOTP" (like the RADIUS connection name or so).
Just change the name of this to "PaloAlto" or something like that - and that's all...