AAA, NAC, Guest Access & BYOD

How to create a Static Host List through a REST API call to Clearpass
Requirement:

You might want to be able to create a Static Host List on CPPM through an API call rather than creating manually. 



Solution:

This article shows us how we can create a Static Host List by making a REST API call to ClearPass. 



Configuration:

This article assumes that the initial configuration of ClearPass for making REST API calls is done. If that is not done please go through the document attached and do the initial configuration for making ClearPass allow REST API calls.

Once we are in a state where we are able to perform API calls to ClearPass we would have already been using "Bearer" access token. Using that access token we can make the API call.

The first thing we need to verify is the privilege level for the access token. You can make the following API call to get the privilege level

 

curl -X GET "https://<ClearPass IP/hostname>/api/oauth/privileges" \
     -H "Accept: application/json" \
     -H "Authorization:Bearer fead747cd31974052513e36ba7360d87717add12" \
     -m 30 \
     -v \
     -k 

The output for the above call would list all the privileges available for that access token

{
  "privileges": [
    "#support_contact",
    "#support_docs",
    "#support_index",
    "#support_resources",
    "admin",
    "admin_backup",
    "admin_content",
    "admin_data_retention",
    "admin_restore",
    "advertising_services",
    "airgroup_config",
    "airgroup_index",
    "api_clients",
    "api_index",
    "apigility",
    "auth_config",
    "auth_index",
    "auth_ldap",
    "auth_profiles",
    "change_expiration",
    "cip_index",
    "cip_list",
    "cppm_access_controls",
    "cppm_admin_privileges",
    "cppm_admin_users",
    "cppm_attributes",
    "cppm_auth_methods",
    "cppm_cluster_wide_parameters",
    "cppm_config",
    "cppm_context_server_actions",
    "cppm_endpoints",
    "cppm_fingerprints",
    "cppm_local_users",
    "cppm_network_device_groups",
    "cppm_network_devices",
    "cppm_network_proxy_targets",
    "cppm_roles",
    "cppm_server_snmps",
    "cppm_servers",
    "cppm_service_control",
    "cppm_static_host_list",
    "create_multi",
    "create_user",
    "engine",
    "engine_config",
    "engine_log",
    "engine_object_acl",
    "extension_config",
    "extension_control",
    "extension_instance",
    "extension_logs",
    "extension_store",
    "full-user-control",
    "guest_customize",
    "guest_export",
    "guest_import",
    "guest_multi",
    "guest_password",
    "guest_print_list",
    "guest_sessions",
    "guest_sessions_history",
    "guest_show_details",
    "guest_users",
    "guestmanager",
    "hotspot-manager",
    "hotspot_manage_customer_info",
    "hotspot_manage_invoice",
    "hotspot_manage_plans",
    "hotspot_manage_signup",
    "hotspot_manage_ui",
    "hotspot_processors",
    "insight_administration",
    "insight_alerts",
    "insight_config",
    "insight_dashboard",
    "insight_endpoints",
    "insight_reports",
    "mac_create",
    "mac_list",
    "mdps_ca",
    "mdps_config",
    "mdps_create_ca",
    "mdps_create_csr",
    "mdps_csc_import",
    "mdps_delete_certificate",
    "mdps_device_manage",
    "mdps_export_ca_key",
    "mdps_export_private_key",
    "mdps_index",
    "mdps_issue_certificate",
    "mdps_own_device_delete",
    "mdps_own_device_disable",
    "mdps_own_device_enable",
    "mdps_own_device_manage",
    "mdps_revoke_certificate",
    "mdps_shared_device_delete",
    "mdps_shared_device_disable",
    "mdps_shared_device_enable",
    "mdps_shared_device_manage",
    "mdps_view_certificate",
    "mdps_view_own_certificate",
    "pass_cert_install",
    "pass_cert_view",
    "pass_config",
    "pass_index",
    "pass_template",
    "platform",
    "platform_authentication",
    "radius_weblogins",
    "remove_account",
    "reset_password",
    "sms-admin",
    "sms-receipt",
    "sms-send",
    "sms_setup",
    "smtp",
    "smtp_config",
    "smtp_send",
    "soap_api",
    "soap_config",
    "soap_services",
    "translation_assistant",
    "translation_review",
    "user-logins",
    "xmlrpc"
  ]
}

 

To make an API call to create/modify/view a Static Host List we need to make sure that the cppm_static_host_list privilege is listed as one of the privilege. If that is not returned as a privilege then we need to understand that  the access token that we are using does not have the privilege level and we need to either create a new API client or modify the existing API client.

The API client we are using should have Super Administrator as the Operator Profile

 

If your Clearpass system is an upgraded system from earlier versions to Clearpass 6.6 or for some reason you are not seeing the Super Administrator as an Operator profile then you need to create a new Operator Profile called Super Administrator with the privileges as shown in the screenshot below

Once we have the right operator profile mapped to the API Client there are 2 options for Grant Type 

If you choose Client credentials as the Grant Type then you can directly use the Client Secret that would be shown immediately for generating the Access token.

However if you choose Username and password as the Grant Type then you need to use the client secret along with the appropriate username/password that assigns the Operator profile called Super Administrator. 

(Remember that this ties to OAuth2 API User Access Service on ClearPass and also the translation rules in ClearPass Guest. The steps on how to generate an access token are covered in detail in the document attached)

 

Once we make sure that the cppm_static_host_list is part of the privileges we can make the following API calls to create/modify/view Static Host Lists

Create a Static Host List

curl -X POST "https://<ClearPass IP/hostname>/api/static-host-list" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer fead747cd31974052513e36ba7360d87717add12" \
     --data '{
  "name": "REST-SHL",
  "description": "SHL created through REST API call",
  "host_format": "list",
  "host_type": "MACAddress",
  "value": "aa:bb:cc:dd:ee:ff,aa:bb:cc:dd:ee:11"
             }'\
            -m 30 \
            -v \
            -k

If the creation is successful you would get HTTP 2xx status code. If it fails for some reason you might get a different HTTP status code.

You can include multiple MAC addresses separated by a comma as shown above and similarly you can also create a Static Host List of IP addresses. The model for the kind of data allowed is below

StaticHostList {

id (integer, optional): Numeric ID of the static host list,

name (string, optional): Name of the static host list,

description (string, optional): Description of the static host list,

host_format (string, optional) = ['subnet' or 'regex' or 'list']: Format of the static host list,

host_type (string, optional) = ['IPAddress' or 'MACAddress']: Host type of the static host list,

value (string, optional): List of static hosts in the selected format

}

To fetch the list of Static Host Lists

 

curl -X GET "https://10.17.164.122/api/static-host-list" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer fead747cd31974052513e36ba7360d87717add12" \
            -m 30 \
            -v \
            -k

 

To delete a Static Host List

 

curl -X DELETE "https://<ClearPass IP/hostname>/api/static-host-list/3007" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer fead747cd31974052513e36ba7360d87717add12" \
            -m 30 \
            -v \
            -k

where 3007 is the id of the Static Host List. You can get the ID of the Static Host List by performing a GET on Static Host Lists.

 

Similarly you can also update an existing Static Host List using the PATCH method where 3006 is the id of the Static Host List

curl -X PATCH "https://10.17.164.122/api/static-host-list/3006" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer fead747cd31974052513e36ba7360d87717add12" \
     --data '{
  "value": "aa:bb:cc:dd:ee:ff,aa:bb:cc:dd:ee:11,aa:bb:cc:dd:ee:22"
               }'\
            -m 30 \
            -v \
            -k

Please note that Delete and Update of Static Host lists can also be performed based on name not only based on id.

 

 



Verification

Verification for each operation can be done by examining the Status Code and response data for each API call

 

Create SHL Response for the Create done in the configuration above

 

{
  "id": 3007,
  "name": "REST-SHL",
  "description": "SHL created through REST API call",
  "host_format": "list",
  "host_type": "MACAddress",
  "value": "aa:bb:cc:dd:ee:ff,aa:bb:cc:dd:ee:11",
  "_links": {
    "self": {
      "href": "https://<ClearPass IP/HostName>/api/static-host-list/3007"
    }
  }
}

 

View SHL Response

{
  "_links": {
    "self": {
      "href": "https://<ClearPass IP/HostName>/api/static-host-list?calculate_count=false&offset=0&limit=25&sort=%2Bid&filter=%7B%7D"
    },
    "first": {
      "href": "https://<ClearPass IP/HostName>/api/static-host-list?calculate_count=false&offset=0&limit=25&sort=%2Bid&filter=%7B%7D"
    }
  },
  "_embedded": {
    "items": [
      {
        "id": 3007,
        "name": "REST-SHL",
        "description": "SHL created through REST API call",
        "host_format": "list",
        "host_type": "MACAddress",
        "value": "aa:bb:cc:dd:ee:ff,aa:bb:cc:dd:ee:11",
        "_links": {
          "self": {
            "href": "https://<ClearPass IP/HostName>/api/static-host-list/3007"
          }
        }
      }
    ]
  }
}

 

Delete SHL Response 

Response Body

no content

Response Code

204

 

 

 


Attachments:
Using the ClearPass HTTP APIs.pdf
Version History
Revision #:
2 of 2
Last update:
‎11-15-2016 10:31 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.