Frequent Contributor I

ClearPass Guest Portal behind Reverse Proxy

Hi there,

 

I just set up the ClearPass Guest portal behind a (haproxy) reverse proxy.

I made sure HAproxy sends the original client IP address with the X-Forwarded-For header.

But when I reach the ClearPass Guest Portal it still shows "Device IP" with the IP of the reverse proxy. I would like to see the original device IP that is set on the (standard) X-Forwarded-For header.

Any idea how to make this work? Is there another header to set or doesn't ClearPass support this scenario?

 

According to the release notes of 6.7.0, it should work:

"The Access Tracker showed an F5 Load Balancer IP as a Remote IP instead of a Client IP address.
ClearPass now looks at the X-Forwarded-For variable to determine the real Client IP Address if the
request is sent from an external load balancer."


Thanks.
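
The release-note wording quoted above ("if the request is sent from an external load balancer") describes a trust rule: X-Forwarded-For should only be honoured when the connection itself comes from a known proxy. The following is an added example of that rule, not ClearPass or HAProxy code; `TRUSTED_PROXIES`, `client_ip` and all addresses are constructed for illustration.

```python
import ipaddress

# Assumption: reverse proxies allowed to set X-Forwarded-For (constructed values).
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.10/32"),  # e.g. the HAProxy front end
    ipaddress.ip_network("10.0.0.0/24"),    # e.g. an internal proxy tier
]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the address to record as the client for one HTTP request.

    peer_ip:    source address of the TCP connection the server accepted.
    xff_header: raw X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving from anything but a known proxy is client-controlled.
    if not xff_header or not _is_trusted(peer):
        return str(peer)
    # Each proxy appends the address it saw, so walk the list right to left.
    current = peer
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: keep the last address that was verified
        current = hop
        if not _is_trusted(hop):
            break  # first address that is not one of our proxies is the client
    return str(current)


if __name__ == "__main__":
    # Constructed request: the client pre-set a bogus entry, the proxy appended the real one.
    print(client_ip("192.0.2.10", "198.51.100.1, 203.0.113.7"))
```

Entries to the left of the first untrusted address were supplied by the client and are ignored, which is why the spoofed leading entry in the sample does not win.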

 

Guru Elite

Re: ClearPass Guest Portal behind Reverse Proxy

Where are you seeing Device IP? Can you post a screenshot?

 

The release notes you referenced are for TACACS+ and RADIUS.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: ClearPass Guest Portal behind Reverse Proxy

Hi Tim,

 

https://clearpass.domain.local/guest/mac_create.php?mac=892cdb951129&ip=192.168.1.1

 

At the form, the Device IP (endpoint_profile_ip field) that shows is the one for the Reverse Proxy.

Also, under CPPM > Identity > Endpoints, the "IP Address" is also the one for the reverse proxy.

 

Thanks.

 

Guru Elite

Re: ClearPass Guest Portal behind Reverse Proxy

This would require a feature request.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: ClearPass Guest Portal behind Reverse Proxy

Hi Tim,

 

"The release notes you referenced are for TACACS+ and RADIUS."

 

Unsure if it does. As far as I understand, X-Forwarded-For is only valid in the context of HTTP(s) services. I'm referring to Bug ID #41018.

 

Regards.

Guru Elite

Re: ClearPass Guest Portal behind Reverse Proxy

This specifically was added for TACACS+ admin login to ClearPass.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: ClearPass Guest Portal behind Reverse Proxy

I see.

So, I followed your advice and created an "Idea" for this.

Thanks.
