AAA, NAC, Guest Access & BYOD

How to create, update, delete ClearPass Guest Accounts using REST API
Requirement:

From ClearPass version 6.5 onwards we support REST API calls for performing most Guest operations as seen in the screenshot below. 

This article covers creating, updating, deleting, fetching ClearPass guest accounts using REST API calls. 

 

 

 



Solution:

We assume that you have gone through the steps required to get the API Integration running. If that's not done please go through the document attached to get things started.

The Bearer oauth token that is in use in the examples below has been generated by following the steps attached in the document. 

API call to create a new guest account

To create a new account the primary fields are username, password, role_id. The other attributes can be included upon requirement. Please note that the expire_time needs to be in epoch format.

curl -X POST "https://<ClearPass IP/hostname>/api/guest" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer a6d2873200bee25768307c32ee22415ac8ad203a" \
     --data '{
  "enabled": true,
  "expire_time": "1438562410",
  "password": "Aruba@!23$",
  "role_id": 2,
  "username": "testaccount"
                }'\
            -m 30 \
            -v \
            -k

The response from the server would tell us the status of the request. If you get an HTTP 200 status code as a response with data telling us details about the account, we are good. Any other HTTP status code would indicate a problem.

API call to update a guest account

To update a guest account you need to know the ID of the account.  You would get the ID as a response when the account gets created. If you want to get the ID of the account otherwise, we can do a HTTP GET with the username as the filter and capture the ID from it. The ID for the Guest account we are trying to update is 3066. Please not that the ID of the account needs to be appended as a part of the URL. The HTTP Status Code that you would get for a successful update operation is HTTP 200 with the updated data.

    curl -X PATCH "https://<ClearPass IP/hostname> /api/guest/3066" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer a6d2873200bee25768307c32ee22415ac8ad203a" \
     --data '{
  "enabled": true,
  "password": "Clearpass!23$",
  "role_id": 2,
  "username": "testaccount"
                 }'\
              -m 30 \
               -v \
               -k

API call to delete a guest account

To delete a guest account as well we need the ID of the guest account. The status code you would see as a response for a successful delete operation is HTTP 204 with no data.

curl -X DELETE "https://<ClearPass IP/hostname>/api/guest/3066" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer a6d2873200bee25768307c32ee22415ac8ad203a" \
            -v \
            -k

 

API call to fetch a guest account details

If we want to fetch details about a specific guest account we need to append the ID to the URL and perform a HTTP GET. The HTTP Status code that we get as a response for a a successful fetch along with the account data is HTTP 200. 

curl -X GET "https://<ClearPass IP/hostname>/api/guest/3066" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer a6d2873200bee25768307c32ee22415ac8ad203a" \
           -m 30 \
            -v \
            -k



Configuration:

The configuration required is covered in the document attached.  



Verification

To verify that all the operations are being performed via the API call we can login to the Guest module and observe the Manage guest accounts page.

Verification of the create account

 

 

Verification of the update account 

 

Verification for fetch account details

When you do a fetch operation you would see the data being returned in JSON Format.

{
  "id": "3066",
  "username": "testaccount",
  "start_time": 1437765026,
  "expire_time": 1438562410,
  "sponsor_name": "apicall",
  "sponsor_profile": "1",
  "enabled": true,
  "current_state": "active",
  "notes": null,
  "visitor_carrier": null,
  "role_name": "[Guest]",
  "role_id": 2,
  "sponsor_profile_name": "IT Administrators",
  "source": "api",
  "_links": {
    "self": {
      "href": "https://<clearpass IP>/api/guest/3066"
    }
  }
}

Verification of delete guest account

 


Attachments:
Getting_Started_ClearPass_6.5_HTTP_APIs.docx
Version History
Revision #:
2 of 2
Last update:
‎07-31-2015 02:05 AM
Updated by:
 
Labels (1)
Contributors
Comments
ployrinz

 Hi all,

        We are integrating CPPM 6.5 with our in-house Orchestrator using REST API. We followed through these steps but when we are in API Explorer - Operator Login - GetPrivileges , we get the error code 403. 

 

       We are trying to access the attributes from the guest users on whether its authenticated. Any idea where can we look into?

Hello,

 

The reason you are getting the 403 error code is beacuse you first need to get a token, in order to check for authorization. You can get this token via running a CURL against the CPPM server. Below is an example.

 

The following example is using a widely deployed command line tool found in many operating systems call cURL. More details on the cURL client can be found on the following website. (http://curl.haxx.se/)
curl -X POST "https://test.clearpassbeta.com/api/oauth" \
     -H "Content-Type: application/json" \
     -d $'{"grant_type": "password", "username": "qa", "password": "aruba123", "client_id": "QuickAccess"}' \
     -m 30 \
     -v \
     -k

* Note – if you are using the Windows version of cURL you may need to remove the slashes ( \ ) and collapse the entire command into a single line.
If the configuration of the ClearPass server is correct, a JSON object similar to the one below should be returned. The JSON object contains the following attribute value pairs:
•	access_token : to token associated with the authorized user
•	expires_in : the above access token will expire in x seconds
•	token_type : bearer token will be included in all subsequent API calls
•	scope : reserved for future use in ClearPass 
•	refresh_token : to be stored to recovering a new access token on expiry
{"access_token":"81d3136c9025c394222d6202375924d30330ce9a","expires_in":28800,"token_type":"Bearer","scope":null,"refresh_token":"2fb63c38824eb2c0c75bf3894eda9109019b8c86"}

 

 

efisher214

Instead of hardcoding the password in the API call, how can you use the built-in password generator to create a password for the user? In addition, when trying the example above, the call creates a user with expire_time field equal to 0 (no expiry). How can you set the value for 24 hours from the start_time?

Hello,

 

I believe you are talking about a Guest user here. 

 

Here you can use a query as following, without a password field:

 

curl -X POST "http://x.x.x.x/api/guest" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer 6640dea23f1364c50eb8765652214db057d54a5c3" \
--data '{
"enabled": true,
"expire_time": "'$((`date +%s`+86400))'",
"role_id": 2,
"username": "testaccountd"
}'\
-m 30 \
-v \
-k

 

This will create a new Guest user account with a password, based on the password setting you have configured under Guest > configuration > Guest Manager > Password Options:

  guest-pass.JPG

 

In my example i used expire time field as well, with a future time value using bash ("expire_time": "'$((`date +%s`+86400))'",) which will set an expiration time of 24 hours from start time.

 

guest-pass3.JPG

 

Hope this answers your query.

efisher214

All of the testing I am doing is being done in the API explorer. I copied and pasted your expire_time field entry above and I am getting a expire time of 0 rather than 24 hours from now. In addition, while my config is set to randomly generate a password, it does not when using the API call.


Does the API explorer not execute everything?

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.