
Using Okta to capture the IP address of attackers password spraying RADIUS/VPN

Malicious authentication attempts, including password spraying and brute force attacks, often target accessible VPN gateway endpoints. In some cases, geofencing and other best practice mitigations are not effective: while you can block specific countries, you may not be able to see the attacker's IP address directly.

Okta recommends a proactive approach that filters client requests before malicious authentication attempts reach the authentication phase, rather than reacting after the fact. For a full overview of hardening your RADIUS configuration, see Securing RADIUS authentication and RADIUS Integrations.

Capturing the attacker's IP address

To capture the attacker's IP address, check whether your RADIUS application in Okta has Advanced RADIUS Settings. If available, enable the Report Client IP option. Note that not all gateways are able to include client IP information in a RADIUS attribute.

The Client IP is mapped to a specific RADIUS attribute (Calling-Station-Id, for example), which the Okta RADIUS agent uses to extract the client IP and add it to the X-Forwarded-For header when making an authentication request to Okta. For more detail on how this works, see Client IP Reporting.
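
The following added example, which is not Okta's RADIUS agent code and not part of the original article, parses a RADIUS Access-Request as laid out in RFC 2865, reads the attribute the client IP is mapped to, and accepts the value only if it is a valid IP address, since a gateway may put a MAC address or phone number there instead. The function names and the sample packets are constructed for this illustration.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1        # RADIUS packet code (RFC 2865)
USER_NAME = 1             # attribute types (RFC 2865)
CALLING_STATION_ID = 31

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} for one Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def client_ip(packet: bytes, attr_type: int = CALLING_STATION_ID):
    """IP carried in the mapped attribute, or None if it holds no valid IP."""
    values = parse_attributes(packet).get(attr_type)
    if not values:
        return None
    try:
        return str(ipaddress.ip_address(values[0].decode("ascii").strip()))
    except (UnicodeDecodeError, ValueError):
        return None  # e.g. a MAC address or phone number, not an IP

def build_request(username: str, calling_station: str) -> bytes:
    """Constructed sample Access-Request (zeroed authenticator, no password)."""
    body = b""
    for a_type, value in ((USER_NAME, username.encode()),
                          (CALLING_STATION_ID, calling_station.encode())):
        body += bytes([a_type, len(value) + 2]) + value
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for station in ("203.0.113.45", "00-1A-2B-3C-4D-5E"):
        print(station, "->", client_ip(build_request("alice", station)))
```

A `None` result for real gateway traffic means the chosen attribute does not carry the client IP, so Report Client IP would have nothing usable to forward.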

