
Additional client IP addresses

Capturing additional client IP addresses

A client may exhibit behaviour where multiple IP addresses are observed as part of the authentication request. This can occur in situations such as:

  • Internal IP addresses (e.g. 10.0.x.x / RFC1918), should the Server (or MYIP component) be internally hosted.
  • Round-robin IP address assignment, as part of CGNAT masquerading for stateless protocols.
  • Varying source/client IP addresses for stateful (e.g. SSH, RDP) protocols versus stateless (e.g. HTTP/HTTPS) protocols or ports such as 443/tcp.

Another example may be where a Knocknoc Server is hosted and accessible for some users via an internal (e.g. RFC1918, 192.168.x) IP address, but you want certain ACLs to additionally receive the external IP address for the same user. Alternatively, you may host the Knocknoc server in the cloud or externally, but still want to capture internal IP addresses.

Knocknoc supports this within the ACL structure via the "Include additional IP addresses" option; however, it must first be enabled in the Admin Settings page.


The additional IP addresses observed can then be added to the grant list, but only if the option is enabled per ACL. This allows you to expand the IP addresses only for a particular ACL.

You can develop and host your own component that fits the expected IP address response, e.g. a Microsoft .NET, Java or Node/Go/PHP microservice/function, and configure Knocknoc to use it to capture the relevant IP addresses in the parts of your organisation that matter.

Get in touch to talk to us about this option.