Security

  • 1.  ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:29 PM

    Hi there,

    I just set up the ClearPass Guest portal behind a (HAProxy) reverse proxy.

    I made sure HAProxy sends the original client IP address in the X-Forwarded-For header.

    But when I reach the ClearPass Guest Portal it still shows "Device IP" with the IP of the reverse proxy. I would like to see the original device IP that is set in the (standard) X-Forwarded-For header.

    Any idea how to make this work? Is there another header to set, or doesn't ClearPass support this scenario?

    According to the release notes of 6.7.0, it should work:

    "The Access Tracker showed an F5 Load Balancer IP as a Remote IP instead of a Client IP address.
    ClearPass now looks at the X-Forwarded-For variable to determine the real Client IP Address if the
    request is sent from an external load balancer."

    Thanks.



  • 2.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:35 PM

    Where are you seeing Device IP? Can you post a screenshot?

    The release notes you referenced are for TACACS+ and RADIUS.



  • 3.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:37 PM

    Hi Tim,

    https://clearpass.domain.local/guest/mac_create.php?mac=892cdb951129&ip=192.168.1.1

    At the form, the Device IP (endpoint_profile_ip field) that shows is the one for the reverse proxy.

    Also, under CPPM > Identity > Endpoints, the "IP Address" is the one for the reverse proxy.

    Thanks.



  • 4.  RE: ClearPass Guest Portal behind Reverse Proxy
    Best Answer

    Posted Jan 24, 2019 04:39 PM
    This would require a feature request.


  • 5.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:39 PM

    Hi Tim,

    "The release notes you referenced are for TACACS+ and RADIUS."

    Unsure if it does. As far as I understand, X-Forwarded-For is only valid in the context of HTTP(S) services. I'm referring to Bug ID #41018.

    Regards.



  • 6.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 04:43 PM
    This specifically was added for TACACS+ admin login to ClearPass.


  • 7.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jan 24, 2019 05:05 PM

    I see.

    So, I followed your advice and created an "Idea" for this.

    Thanks.



  • 8.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jun 06, 2025 03:17 AM

    Hi All,

    Is this feature now available? Are there any release notes for this? We have F5 in our deployment and we are about to load-balance the OnGuard HTTPS and TCP 6658 traffic, and are about to discuss it with the F5 principal. A TAC case has been opened for this: 5390248464.
    The main topic to discuss is whether we should go for a one-arm F5 design or two-arm (which I do not really understand), and whether ClearPass needs to return the TCP traffic through the F5 so that asymmetric routing does not happen. I am not so experienced in networking, so I would like some help from anyone here.

    Cheers. Thanks in advance.




  • 9.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jun 12, 2025 02:22 PM

    Yes, I was able to reverse proxy the ClearPass WebUI (including Administration and Guest Portal) behind a Fortigate Virtual Server and pfSense HAProxy. It's possible and works as expected, which makes it easier to use Let's Encrypt certificates with ClearPass. Another possibility is using a third-party script to upload a Let's Encrypt certificate automatically to ClearPass before it expires, if you have difficulties in making it work.




  • 10.  RE: ClearPass Guest Portal behind Reverse Proxy

    Posted Jun 15, 2025 11:45 PM

    I asked the TAC like this at case number 5390248464:

    "

    Could you please get back to me on this quickly:

    • Does the CPPM need to know the client's IP address?

    Because F5 is acting as a full proxy, and sometimes in their design it will do Source-NAT. So, if the F5 does Source-NAT, and F5 maintains the Source IP in an X-Forwarded-For packet, can the CPPM read the X-Forwarded-For packet and see the original client IP even though F5 does the Source-NAT?

    Let me know if you need further clarification.

    "

    Are there any documents stating that CPPM is able to read XFF?
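The original question (HAProxy adds X-Forwarded-For, but the portal records the proxy's address as "Device IP") and the last post (an F5 doing Source-NAT in front of CPPM) both come down to the same thing: what a backend has to do to recover the real client address from X-Forwarded-For, and why it must only honour the header when the connection actually arrived from one of its own proxies. The snippet below is an added illustration of that logic, not ClearPass code and not an HAProxy or F5 configuration; the proxy subnet and the sample requests are constructed values. It implements the usual "trusted proxies" rule: walk the header from the right, skip your own proxies, and take the first address that is not yours as the client; anything further left was written by that client and is ignored. A request that did not come through a trusted proxy keeps its TCP peer address no matter what the header says.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed value: the subnet our own reverse proxies / load balancers
# connect from. A real deployment lists its actual HAProxy or F5 addresses.
TRUSTED_PROXIES: List[Network] = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted_proxy(addr: str, trusted: Sequence[Network] = TRUSTED_PROXIES) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Sequence[Network] = TRUSTED_PROXIES) -> str:
    """Return the address a service should record as the client's 'Device IP'.

    remote_addr: the TCP peer the service itself saw. Behind a source-NATing
                 proxy this is the proxy, which is the symptom in the thread.
    xff:         raw X-Forwarded-For header value, or None when absent.
    """
    # Only honour the header when the connection really came from our proxy.
    # A client connecting directly can send any X-Forwarded-For it likes.
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    if not xff:
        return remote_addr

    # XFF is "client, proxy1, proxy2, ...": each proxy appends the peer it saw.
    # Walk from the hop nearest to us (rightmost) towards the left, skipping
    # our own proxies; the first address that is not ours is the client.
    # Anything further left was supplied by that client and is not trusted.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # malformed hop: fall back to the peer address
    # Every hop was one of our proxies: nothing better than the peer address.
    return remote_addr


# Constructed sample requests: (peer address seen by the service, XFF header).
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("10.0.0.5", "192.0.2.10"),                          # via our proxy, one hop
    ("10.0.0.5", "198.51.100.7, 192.0.2.10, 10.0.0.6"),  # junk left of the real client
    ("203.0.113.9", "192.0.2.10"),                       # direct connection, header ignored
    ("10.0.0.5", None),                                  # proxy did not add the header
]


def resolve_samples() -> List[Tuple[str, Optional[str], str]]:
    """Run client_ip over the constructed requests; returns (peer, xff, result)."""
    return [(peer, xff, client_ip(peer, xff)) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for peer, xff, resolved in resolve_samples():
        print(f"peer={peer:<12} xff={xff!r:<40} -> device_ip={resolved}")
```

The trusted-proxy list is the part that matters: with HAProxy's `option forwardfor` (or an F5 inserting the header) the proxy appends the address it saw, but the backend still has to know which peers are allowed to vouch for that header, otherwise the recorded "Device IP" becomes whatever the client chose to send. Whether ClearPass applies this for the Guest portal is exactly what the thread leaves open; this example only shows what a backend has to do when it does.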