
L4 switch and using clientIP authorization policy: wrong ip


I'd like to create the following setup:

When the site is accessed from the internal LAN there's no need for
authentication.
When the site is accessed from outside (Internet) there should be an
authentication procedure.

So I configured an authorization policy with Client IP, but I cannot
get this working.
I checked the catalina.out on the AG and it shows me that the policy sees
as ClientIP the IP address of the L4 switch (Cisco ACE).

Is there a way to get the real client IP here on the AG?

Version: 4.1


--
gschouten32
------------------------------------------------------------------------
gschouten32's Profile: https://forums.netiq.com/member.php?userid=2546
View this thread: https://forums.netiq.com/showthread.php?t=56404


I could've sworn this was asked elsewhere in this forum, but can't seem to find the thread (the search can't even find your thread, LOL).

Anyway, I believe there's some setting on the L4 switch to allow the client IP to pass through rather than being re-written, but I could be wrong.
Normally the incoming request would appear to be from the VIP of the L4 switch, but I'm fairly certain there's a way to change this, though it depends on the Cisco gear.

Again, I could be wrong. However, I'm not sure whether that'll have unintended consequences if you're also clustering/load balancing your NAM IDS behind the same Cisco gear (you need network segregation between the AG and IDS so that they don't talk directly to each other, but rather through the VIP).

--Kevin
Thanks for the response.
The IDP is also balanced by the Cisco, and is in a different subnet.

We have a custom X-Forwarded-For header with the real clientIP from the
Cisco, which I can use on the AG.
Is there a way to use this header information in an AG authorization
policy to determine the client?


--
gschouten32
------------------------------------------------------------------------
gschouten32's Profile: https://forums.netiq.com/member.php?userid=2546
View this thread: https://forums.netiq.com/showthread.php?t=56404

To be honest, I am not sure.

The docs indicate it can be done, but I don't know about a CUSTOM header.

https://www.netiq.com/documentation/access-manager-42/admin/data/b5545wo.html#b4cdsz3
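Whatever the product exposes, the policy logic behind "use the X-Forwarded-For value as the client IP" needs one guard the thread does not spell out: the header may only be trusted when the request actually arrived from the L4 switch, otherwise anyone who can reach the AG directly can send their own header and claim a LAN address. The following is an added illustration in Python, not code from the thread or from NetIQ Access Manager; it assumes a constructed ACE source address of 10.10.0.5, a LAN range of 192.168.0.0/16, and that the switch appends the real client address to the header rather than passing a client-supplied one through.

```python
import ipaddress
from typing import Mapping, Optional, Union

# Constructed sample values (not from the thread): the address the AG sees as the
# TCP peer when traffic arrives via the Cisco ACE, and the LAN that skips authentication.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.5/32")]
INTERNAL_LAN = [ipaddress.ip_network("192.168.0.0/16")]

ClientIP = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _in_any(addr: ClientIP, nets) -> bool:
    return any(addr in net for net in nets)


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str]) -> Optional[ClientIP]:
    """Address the policy should evaluate, or None if no trustworthy address exists.

    X-Forwarded-For is honoured only when the TCP peer is the trusted L4 switch;
    a direct connection is evaluated on its own source address and the header ignored.
    Header keys are assumed to be in canonical form.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection: the peer really is the client
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return None  # came through the proxy but no client address was recorded
    # The switch appends the address it accepted the connection from, so its entry is
    # the rightmost one; anything to the left came from the client and may be forged.
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return None  # malformed value: do not guess


def requires_authentication(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """The policy from the thread: LAN clients skip authentication, everyone else logs in.
    A client that cannot be resolved is treated as external (fail closed)."""
    client = resolve_client_ip(peer_ip, headers)
    if client is None:
        return True
    return not _in_any(client, INTERNAL_LAN)
```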