We are using our Meraki client VPN with Duo Security proxy server authentication (configured as RADIUS in the Meraki dashboard). The user connects to the Meraki client VPN as normal. After they provide their credentials, the MX sends a request to our Duo proxy server, which authenticates the user to Active Directory, then sends the user a push notification on their mobile device, and then tells the MX whether it was successful or not to complete the VPN.
The issue we're facing is that one user received a push notification on her phone but had not been attempting to connect to the client VPN, so we are investigating whether her credentials were compromised. The only issue is that the MX does not track a source address when a client VPN connection is attempted. I contacted support and they were able to see the logs sending the request to the Duo proxy, but no source address. I've checked with Duo as well, but their logs only see what the MX sends to them, which does not have a source address.
I asked support if there was any other way of tracking those attempts. I was thinking of an access rule for the traffic on the VPN port, but they said it wouldn't track a successful connection... I thought that was odd.
Does anyone know of a way we could track this information on a client VPN connection attempt?