PrivacyIDEA with a public IP

Hi guys

We have set up PrivacyIDEA in the cloud to serve all our sites. I need different devices in each site (firewall, VPN, switches) to authenticate over the internet. All the sites are behind NAT. For example:

Site A with the public IP 161.134.2.54

  • Firewall/VPN 192.168.55.1
  • Switch.1 192.168.55.2
  • Switch.2 192.168.55.3

My PrivacyIDEA with radius public IP is 44.126.76.231

How do I configure PrivacyIDEA with “Override Authorization Client” to be able to see the equipment private IP and not 127.0.0.1? I’ve tried just the site public IP 161.134.2.54 and 192.168.55.2>161.134.2.54. But nothing is working. I’m assuming my formatting of “Override Authorization Client” is incorrect or do I need to tick a box somewhere else as well?

This is so I can create one policy for the switches and one for the VPN.

Thanks

Please read this again:

https://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client

It should be obvious which IP address you need to enter there.
There are even examples.

Thanks a lot.

Thanks, but I have already. Obviously I’m doing something wrong. My radius client is behind a firewall/NAT and I’m not sure if “Override Authorization Client” needs to have the public IP or the private IP of the radius client.

Is it not clear that it is the IP address seen by the privacyIDEA server?

I thought you could pass through the private IP of the radius client. In my situation, I’ll have several radius clients behind one public IP. I was hoping I can create different sets of policies based on private IPs.

This is meant to be used to pass the RADIUS client IP. But: You need to configure the right IP address to allow the override.
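The point made in the replies, as an added example that is not part of the thread and not privacyIDEA's own code: a simplified Python model of a trusted-proxy allow-list, in which an entry is matched against the address the server sees before any forwarded client address is accepted. It assumes the server sees 127.0.0.1 (as the question reports), that entries take the form `proxy` or `proxy > client network`, and that the RADIUS side forwards some client address; the function names are hypothetical.

```python
import ipaddress

def parse_override(setting):
    """Parse comma-separated 'proxy' or 'proxy > client-net' entries (assumed format)."""
    rules = []
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        proxy, _, clients = (part.strip() for part in entry.partition(">"))
        rules.append((
            ipaddress.ip_network(proxy, strict=False),
            # No client part means the proxy may report any (IPv4) client.
            ipaddress.ip_network(clients or "0.0.0.0/0", strict=False),
        ))
    return rules

def effective_client(seen_ip, claimed_client, setting):
    """Return the address that client-specific policies would be matched against.

    seen_ip        -- source address of the request as the server sees it
    claimed_client -- client address forwarded by the proxy (may be None)
    setting        -- allow-list of proxies trusted to override the client
    """
    seen = ipaddress.ip_address(seen_ip)
    if claimed_client:
        claimed = ipaddress.ip_address(claimed_client)
        for proxy_net, client_net in parse_override(setting):
            # The override is honoured only if the *seen* address is a trusted proxy.
            if seen in proxy_net and claimed in client_net:
                return str(claimed)
    return str(seen)

if __name__ == "__main__":
    seen = "127.0.0.1"        # what the server sees, per the question
    claimed = "192.168.55.2"  # constructed: address forwarded by the RADIUS side
    for setting in ("161.134.2.54",
                    "192.168.55.2>161.134.2.54",
                    "127.0.0.1",
                    "127.0.0.1 > 192.168.55.0/24"):
        print(f"{setting!r:32} -> {effective_client(seen, claimed, setting)}")
```

In this model, both entries tried in the question leave the client at 127.0.0.1 because neither names the address the server actually sees. Which address the RADIUS side forwards for a device behind NAT is a separate matter that the model takes as an input.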