Issue with Client IP exclude list on MFA

Hi,
I noticed a very strange behavior in the client IP exclusion list with the Google Authenticator MFA on two RAS 18 installations. It seems that the MFA IP exclusion uses the IP address assigned on the client’s NIC instead of the source IP address used for connecting to the RAS server.
I’ll give a simple example of the potential issue.
RAS server (192.168.10.10) is installed on a headquarters network (192.168.10.0/24) and I’d like to exclude from MFA connections coming from the same subnet. In this example I’ll add an IP exclusion range 192.168.10.1-192.168.10.254 to prevent users inside the corporate LAN from having to enter the OTP. This works great!

But if a user connects from home (or another location) with a public IP, 1.1.1.1 in this example, and his network interface uses 192.168.10.20, he will not get asked to enter the OTP.
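To make the difference concrete, here is an added Python model of the two ways an IP exclusion list can be evaluated. It is not Parallels RAS code and does not describe how the product is implemented internally; it only reproduces the behavior reported above. The `ConnectionContext` type, the `decide_on` switch and the `excluded_by_client_claim_only` audit helper are assumptions introduced for illustration. The example parses the range from the post, evaluates the home-user scenario (source 1.1.1.1, NIC 192.168.10.20) both ways, and shows that only a decision on the server-observed source address demands the OTP.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionContext:
    """Hypothetical view of one incoming session (constructed for this example)."""
    source_ip: str           # peer address the RAS server/gateway actually sees on the socket
    client_reported_ip: str  # address of the client's own NIC, as reported by the client software


def parse_exclusion_entry(spec: str) -> tuple[int, int]:
    """Parse 'A-B' (inclusive), a single address, or a CIDR into an (low, high) integer pair."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"invalid exclusion range: {spec!r}")
        return int(lo), int(hi)
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def in_exclusion_list(ip: str, ranges: list[tuple[int, int]]) -> bool:
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def mfa_required(ctx: ConnectionContext, ranges: list[tuple[int, int]], decide_on: str = "source") -> bool:
    """Return True when the OTP must be demanded.

    decide_on="source"  -> evaluate the address the server observed (safe: the client cannot choose it).
    decide_on="client"  -> evaluate the client-reported NIC address (the behavior described in the post:
                           a remote user whose NIC happens to carry an excluded address bypasses MFA).
    """
    if decide_on == "source":
        ip = ctx.source_ip
    elif decide_on == "client":
        ip = ctx.client_reported_ip
    else:
        raise ValueError(f"unknown policy input: {decide_on!r}")
    return not in_exclusion_list(ip, ranges)


def excluded_by_client_claim_only(ctx: ConnectionContext, ranges: list[tuple[int, int]]) -> bool:
    """Audit condition: the client claims an excluded address but the session did not arrive from one.

    This is the mismatch a defender would want logged or alerted on, because it is exactly
    the case where a client-side decision would skip the OTP while a source-based one would not.
    """
    return in_exclusion_list(ctx.client_reported_ip, ranges) and not in_exclusion_list(ctx.source_ip, ranges)


def evaluate_scenarios() -> dict[str, dict[str, bool]]:
    """Run the two sessions from the post through both policies; returns {session: {policy: otp_required}}."""
    ranges = [parse_exclusion_entry("192.168.10.1-192.168.10.254")]  # range from the post
    sessions = {
        # constructed: a user on the corporate LAN, address seen by the server matches the NIC
        "lan_user": ConnectionContext(source_ip="192.168.10.50", client_reported_ip="192.168.10.50"),
        # constructed: the home user from the post, public source address, NIC in the excluded range
        "home_user": ConnectionContext(source_ip="1.1.1.1", client_reported_ip="192.168.10.20"),
    }
    return {
        name: {
            "source_policy": mfa_required(ctx, ranges, "source"),
            "client_policy": mfa_required(ctx, ranges, "client"),
            "mismatch_flagged": excluded_by_client_claim_only(ctx, ranges),
        }
        for name, ctx in sessions.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(name, result)
```

If a load balancer or reverse proxy sits in front of the gateway, `source_ip` must be the original client address preserved by that device (for example via the PROXY protocol or an equivalent header the gateway trusts); otherwise every session appears to come from the balancer and a source-based exclusion either excludes everyone or no one.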

The only way I was able to get this working for some of our clients was to create 2 gateways (really 4 with load balancers but simplifying for brevity).
Gateway 1 is accessible internally
Gateway 2 is in the DMZ and accessible externally
Internal DNS points to Gateway 1
External DNS points to Gateway 2
We set the exclusion list in the RAS console to bypass 2FA for Gateway 1

If there is a better method I would love to hear it but this was the only way I could get it to work consistently with both Full and HTML5 clients.

In the example above there is a single RAS instance in the DMZ.