Security

last person joined: 14 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Guest Portal behind Reverse Proxy

Jump to Best Answer
  • 1.  ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:29 PM

    Hi there,

     

    I just setup the ClearPass Guest portal behind a (haproxy) reverse proxy.

    I made sure HAproxy sends the original client IP address with the X-Forwarded-For header.

    But when I reach the ClearPass Guest Portal it still shows "Device IP" with the IP of the reverse proxy. I would like to see the original device IP that is set on the (standard) X-Forwarded-For header.

    Any idea how to make this work? Is there another header to set or doesn't ClearPass support this scenario?

     

    According to the release notes of 6.7.0, it should work:

    "The Access Tracker showed an F5 Load Balancer IP as a Remote IP instead of a Client IP address.
    ClearPass now looks at the X-Forwarded-For variable to determine the real Client IP Address if the
    request is sent from an external load balancer."


    Thanks.

     



  • 2.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:35 PM

    Where are you seeing Device IP? Can you post a screenshot?

     

    The release notes you referenced are for TACACS+ and RADIUS.



  • 3.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:37 PM

    Hi Tim,

     

    https://clearpass.domain.local/guest/mac_create.php?mac=892cdb951129&ip=192.168.1.1

     

    At the form, the Device Ip (endpoint_profile_ip field) that shows is the one for the Reverse Proxy.

    Also, under CPPM > Identity > Endpoints, the "IP Address" is also the one for the reverse proxy.

     

    Thanks.

     



  • 4.  RE: ClearPass Guest Portal behind Reverse Proxy
    Best Answer

    Posted Jan 24, 2019 04:39 PM
    This would require a feature request.


  • 5.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:39 PM

    Hi Tim,

     

    "The release notes you referenced are for TACACS+ and RADIUS."

     

    Unsure if it does. As far as I undertand, X-Fowarded-For is only valid in the context of HTTP(s) services. I'm refering to Bug ID #41018.

     

    Regards.



  • 6.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:43 PM
    This specifically was added for TACACS+ admin login to ClearPass.


  • 7.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 05:05 PM

    I see.

    So, I followed your advice and created an "Idea" for this.

    Thanks.