We are looking for Vault to provide the IP address of the request coming from Vault to a Duo challenge after successful LDAP authentication.
We are trying to implement IP address restrictions for our instance of Vault. However, when a Duo challenge request is made, there is no IP address (IPv4 or v6) passed with that request (see screenshot from Duo audit logs; Vault sends 0.0.0.0). We are requesting that Vault send its host system's IP address (e.g. our AWS cluster where Vault is deployed) with any Duo request so that it can be recorded in Duo's logs and, if not on the Duo whitelist, blocked.
This is a p0 blocker for us, as we need Vault to send the IP address of the host/requesting system to Duo so our Duo API can record the incoming IP address from these access requests, log them, and filter those that are not in the range that we have whitelisted.
The desired outcome for this FR is that when a Duo MFA challenge happens, the corresponding request, with the Duo passcode, that comes from our Vault instance includes the IP address of the host system so that it can a) be blocked if it is not in the whitelisted range and b) be recorded in the Duo audit logs. Currently there is no workaround for this.
@gw-uber thanks for posting this request and also the related PR. I've added them to Jira so we can evaluate them as part of the MFA improvements for upcoming releases. We will keep you posted about this issue.
We have this PR. There is also a similar PR from Duo: the "Networks for API access" feature for the Auth API.
tl;dr: We want Vault to include its source IP address when sending any Duo request.
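For readers following this request, the field at issue on the Duo side is the `ipaddr` parameter of the Duo Auth API's `/auth/v2/auth` call: Duo records it in its authentication log and evaluates it against the authorized-networks policy, and a request that omits it is what shows up with a missing or 0.0.0.0 address. The Go program below is an added example written for this page, not code from Vault or from Duo's SDKs, showing how a signed `/auth/v2/auth` request carrying `ipaddr` is built. The integration key, secret key, API hostname, username and IP address are constructed placeholders; the signing scheme (HMAC-SHA1 over date, method, host, path and sorted, percent-encoded parameters, sent as HTTP Basic `ikey:hexsig`) is Duo's documented Auth API v2 scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
	"time"
)

// duoClient holds the Duo Auth API integration credentials.
// The values used in main are constructed placeholders, not real keys.
type duoClient struct {
	ikey string // integration key, sent as the Basic-auth user name
	skey string // secret key, used as the HMAC key for every request
	host string // API hostname, e.g. api-xxxxxxxx.duosecurity.com
}

// escape percent-encodes per RFC 3986 (space as %20, not "+"), which is
// the form Duo's canonical parameter string requires.
func escape(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// canonicalParams sorts parameters by key and joins them as k=v&k=v.
func canonicalParams(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, escape(k)+"="+escape(params[k]))
	}
	return strings.Join(parts, "&")
}

// canonicalRequest is the exact byte string Duo signs: date, upper-case
// method, lower-case host, path and canonical params, one per line.
func canonicalRequest(date, method, host, path string, params map[string]string) string {
	return strings.Join([]string{
		date,
		strings.ToUpper(method),
		strings.ToLower(host),
		path,
		canonicalParams(params),
	}, "\n")
}

// sign returns the Authorization header value:
// "Basic " + base64(ikey + ":" + hex(HMAC-SHA1(skey, canonicalRequest))).
func (c duoClient) sign(date, method, path string, params map[string]string) string {
	mac := hmac.New(sha1.New, []byte(c.skey))
	mac.Write([]byte(canonicalRequest(date, method, c.host, path, params)))
	sig := hex.EncodeToString(mac.Sum(nil))
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(c.ikey+":"+sig))
}

// authParams builds the form body of a /auth/v2/auth call. clientIP goes
// into "ipaddr", the field Duo logs and checks against authorized networks.
func authParams(username, factor, passcode, clientIP string) map[string]string {
	p := map[string]string{"username": username, "factor": factor, "ipaddr": clientIP}
	switch factor {
	case "passcode":
		p["passcode"] = passcode
	case "push":
		p["device"] = "auto" // "device" is required for push/phone/sms factors
	}
	return p
}

// newAuthRequest assembles the signed HTTP request for /auth/v2/auth.
func (c duoClient) newAuthRequest(now time.Time, params map[string]string) (*http.Request, error) {
	const path = "/auth/v2/auth"
	date := now.UTC().Format(time.RFC1123Z)
	body := canonicalParams(params) // same encoding is valid as a form body
	req, err := http.NewRequest("POST", "https://"+c.host+path, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Date", date)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", c.sign(date, "POST", path, params))
	return req, nil
}

func main() {
	c := duoClient{ikey: "DIXXXXXXXXXXXXXXXXXX", skey: "placeholder-secret-key", host: "api-xxxxxxxx.duosecurity.com"}
	params := authParams("alice", "passcode", "123456", "10.1.2.3") // constructed values
	req, err := c.newAuthRequest(time.Now(), params)
	if err != nil {
		panic(err)
	}
	fmt.Println("Date:", req.Header.Get("Date"))
	fmt.Println("Authorization:", req.Header.Get("Authorization"))
	fmt.Println("Body:", canonicalParams(params))
}
```

Two checks worth making against a real integration: the `ipaddr` value should be the address of the user being authenticated (what Duo will display and apply policy to), and the connection's own source address is seen by Duo separately from this parameter, so a network restriction on API callers such as the "Networks for API access" feature mentioned above operates on that connection address rather than on `ipaddr`.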