Security

Hi there,

I just setup the ClearPass Guest portal behind a (haproxy) reverse proxy.

I made sure HAproxy sends the original client IP address with the X-Forwarded-For header.

But when I reach the ClearPass Guest Portal it still shows "Device IP" with the IP of the reverse proxy. I would like to see the original device IP that is set on the (standard) X-Forwarded-For header.

Any idea how to make this work? Is there another header to set or doesn't ClearPass support this scenario?

According to the release notes of 6.7.0, it should work:

"The Access Tracker showed an F5 Load Balancer IP as a Remote IP instead of a Client IP address.
ClearPass now looks at the X-Forwarded-For variable to determine the real Client IP Address if the
request is sent from an external load balancer."

Thanks.

Where are you seeing Device IP? Can you post a screenshot?

The release notes you referenced are for TACACS+ and RADIUS.

Hi Tim,

https://clearpass.domain.local/guest/mac_create.php?mac=892cdb951129&ip=192.168.1.1

At the form, the Device Ip (endpoint_profile_ip field) that shows is the one for the Reverse Proxy.

Also, under CPPM > Identity > Endpoints, the "IP Address" is also the one for the reverse proxy.

Thanks.

Hi Tim,

"The release notes you referenced are for TACACS+ and RADIUS."

Unsure if it does. As far as I undertand, X-Fowarded-For is only valid in the context of HTTP(s) services. I'm refering to Bug ID #41018.

Regards.

I see.

So, I followed your advice and created an "Idea" for this.

Thanks.