
How to send a Web/Application authentication request from an external server to CPPM?
Requirement:

This article explains how to post an XML request to the Clearpass server to perform a web authentication or application authentication request from an external source. If the use case is to perform WEBAUTH authentication or application authentication against Clearpass from an external server, the XML format that Clearpass expects is shown below:



Solution:

To perform a custom web login request from an external source and authenticate users against Clearpass, the Policy server expects the post in a specific format before it accepts it as a web authentication or app authentication request. Once the request is validated, the Clearpass Policy module evaluates it against the service configured in Clearpass and sends back a response based on the enforcement profile mapped in that service.



Configuration:

Clearpass Policy Manager requires the XML format below in order to accept and process the request.

 

WEB AUTHENTICATION:

 

Post URL has to be: 

https://<Clearpass_IP>/networkservices/webauthservice/v2/Access/

Content of Post (in XML format with content-type as XML):

<?xml version="1.0" encoding="UTF-8"?>
<AuthRequest xmlns="http://www.avendasys.com">
<Username>username</Username>
<Password>clear_text_password</Password>
<NetworkInterfaceInfo>
<MacAddress>client_mac_address</MacAddress>
<IpAddress>ip_address_of_client</IpAddress>
</NetworkInterfaceInfo>
<Attributes Name="Application:WebLoginURL:mac" Value="mac_address"/>
</AuthRequest>

 

Mandatory fields in the request are:

<?xml version="1.0" encoding="UTF-8"?>
<AuthRequest xmlns="http://www.avendasys.com">
<Username>username</Username>
<Password>password</Password>
</AuthRequest>

 

APP AUTHENTICATION:

 

Post URL has to be: 

https://<Clearpass_IP>/networkservices/webauthservice/v2/AppLogin/

Content of Post (in XML format with content-type as XML):

<?xml version="1.0" encoding="UTF-8"?>
<AppLoginRequest xmlns="http://www.avendasys.com">
<Username>username</Username>
<ApplicationName>WebLogin</ApplicationName>
<Password>password</Password>
<NetworkInterfaceInfo>
<IpAddress>remote_IP_addr</IpAddress>
</NetworkInterfaceInfo>
<Attributes Name="Application:ClearPass:Page-Name" Value="page_value"/>
</AppLoginRequest>

 

Mandatory fields in the XML are:

<?xml version="1.0" encoding="UTF-8"?>
<AppLoginRequest xmlns="http://www.avendasys.com">
<Username>username</Username>
<ApplicationName>WebLogin</ApplicationName>
<Password>password</Password>
</AppLoginRequest>
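
The two request bodies above can be generated with an XML serializer instead of string concatenation, so that a username, password or attribute value containing <, & or a quote cannot change the structure of the request. This is an added example, not code from the original article: the function names are hypothetical, and the "application/xml" Content-Type header is an assumption based on the article's "content-type as XML".

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com"  # namespace used in the article's samples
# Application names the article lists as valid for App authentication
APP_NAMES = {"WebLogin", "Guest", "GuestOperator", "Insight",
             "PolicyManager", "Onboard", "SSO", "Clearpass"}
ET.register_namespace("", NS)  # serialize with xmlns="..." and no prefix


def build_request(username, password, app_name=None, mac=None, ip=None,
                  attributes=None):
    """Return the XML body as bytes: AuthRequest when app_name is None,
    AppLoginRequest otherwise. Text and attribute values are escaped."""
    if app_name is not None and app_name not in APP_NAMES:
        raise ValueError(f"unsupported ApplicationName: {app_name!r}")
    q = lambda tag: f"{{{NS}}}{tag}"
    root = ET.Element(q("AppLoginRequest" if app_name else "AuthRequest"))
    ET.SubElement(root, q("Username")).text = username
    if app_name:
        ET.SubElement(root, q("ApplicationName")).text = app_name
    ET.SubElement(root, q("Password")).text = password
    if mac or ip:
        nic = ET.SubElement(root, q("NetworkInterfaceInfo"))
        if mac:
            ET.SubElement(nic, q("MacAddress")).text = mac
        if ip:
            ET.SubElement(nic, q("IpAddress")).text = ip
    for name, value in (attributes or {}).items():
        ET.SubElement(root, q("Attributes"), Name=name, Value=value)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def post_xml(url, body, timeout=10):
    """POST over HTTPS with certificate verification on; the password is
    clear text inside the body, so TLS is its only protection in transit."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over non-HTTPS URL")
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/xml"})
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()
```
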



Verification

The response from the server is read from the 'Status' element of the reply message, as shown below:

WEB Authentication:

Sample Response: 

Success:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthStatus 
    xmlns="http://www.avendasys.com">
    <Status>SUCCESS</Status>
    <OpaqueAuthState>6250675169696F4B4D6B4  <truncated output> 48504E</OpaqueAuthState>
</AuthStatus>

Failed:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthStatus 
    xmlns="http://www.avendasys.com">
    <Status>FAILED</Status>
    <StatusMessage>Authentication Failed</StatusMessage>
</AuthStatus>

 

[Screenshots: sample successful and failed web authentication requests sent with the Postman extension in the Chrome browser]

 

App Authentication: 

 

Sample Response: 

Success:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AppLoginResponse 
    xmlns="http://www.avendasys.com">
    <Status>SUCCESS</Status>
    <Attributes Name="AuthRequestId" Value="W00000015-02-57c3d447"/>
</AppLoginResponse>

Failed:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AppLoginResponse 
    xmlns="http://www.avendasys.com">
    <Status>FAILED</Status>
    <StatusMessage>Authentication Failed</StatusMessage>
    <Attributes Name="AuthRequestId" Value="W00000016-02-57c3d460"/>
</AppLoginResponse>
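
A caller that acts on these replies should parse them and accept only an exact SUCCESS in the expected element, rather than searching the body for the word. The sketch below is an added example, not code from the original article: parse_reply is a hypothetical name, the two App replies are the article's samples, and the HTML body is constructed to show a reply that must not count as authenticated.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.avendasys.com}"
ROOTS = {NS + "AuthStatus", NS + "AppLoginResponse"}

# The article's App authentication sample replies
APP_SUCCESS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AppLoginResponse xmlns="http://www.avendasys.com">
    <Status>SUCCESS</Status>
    <Attributes Name="AuthRequestId" Value="W00000015-02-57c3d447"/>
</AppLoginResponse>"""
APP_FAILED = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AppLoginResponse xmlns="http://www.avendasys.com">
    <Status>FAILED</Status>
    <StatusMessage>Authentication Failed</StatusMessage>
    <Attributes Name="AuthRequestId" Value="W00000016-02-57c3d460"/>
</AppLoginResponse>"""
# Constructed: an intermediate error page that happens to contain "SUCCESS"
HTML_PAGE = b"<html><body>SUCCESS: gateway reachable</body></html>"


def parse_reply(xml_bytes):
    """Return (authenticated, message, attributes). Anything other than a
    well-formed reply whose Status is exactly SUCCESS counts as a failure."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, f"unparseable reply: {exc}", {}
    if root.tag not in ROOTS:
        return False, f"unexpected root element {root.tag}", {}
    status = (root.findtext(NS + "Status") or "").strip()
    message = root.findtext(NS + "StatusMessage") or ""
    attrs = {a.get("Name"): a.get("Value")
             for a in root.findall(NS + "Attributes")}
    return status == "SUCCESS", message, attrs


if __name__ == "__main__":
    for sample in (APP_SUCCESS, APP_FAILED, HTML_PAGE, b"not xml"):
        print(parse_reply(sample))
```
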

 

[Screenshots: sample successful and failed app authentication requests sent with the Postman extension in the Chrome browser]

 

To process these requests in Clearpass, below are some sample request filters and response enforcements:

Web Auth: 

  • For a web authentication request, the request is filtered on the field below, as the connection protocol is 'Authentication'.
  • The response can only be Post_Auth enforcement, Radius_COA, or HTTP-based enforcement.
  • User-Agent browser data is also evaluated, as the web authentication request sends this data to Clearpass by default.

 

App Auth: 

  • The connection protocol for an App authentication request is 'Application', and the application name must be one of the following:
    • WebLogin
    • Guest
    • GuestOperator
    • Insight
    • PolicyManager
    • Onboard
    • SSO
    • Clearpass
  • The response can be Application enforcement, Post_Auth enforcement, Radius_COA, or HTTP-based enforcement.

 

Version History
Revision #: 2 of 2
Last update: 03-27-2017 03:15 AM