ArubaOS and Controllers

Occasional Contributor II

API to blacklist and/or kick auth'd user offline

All,

Going through the ArubaOS docs that talk about the API, it looks like there are a couple ways to do what i'm looking for and I figured I'd ask you all what the best/preferred method is for the following:

1. Via API, kick a RADIUS auth'd user off the wireless network and force them to re-auth (which, in my case, will force them into a different role)

2. a) Via API, blacklist a user so that they cannot connect at all
b) Via API, unblacklist this user

Thanks for any input!
Eric
Guru Elite

Depends

It depends on what you have. If you have a server that will submit XML-API requests, use that. If you have a server that can login to the controller via SSH and do a "stm blacklist", do that. It all depends on your talent.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: API to blacklist and/or kick auth'd user offline

Thanks for the quick reply.... we've decided to do the XML-API and were looking for the actual calls to do the items I listed. Are all 3 possible via the API?
Guru Elite

Xml-api

To be explicit, this is what you do (this example is on my macbook using curl):

You add the server that will be doing the call to the AAA profile of that SSID as an XML-API server. You first create the XML API server that will be doing the calls under Configuration> Security> Servers> XML-API servers (add). Next, add that XML API server to the AAA profile of that SSID.
Lastly, you make a call from that server using curl:

curl -vikd "xml=
192.168.15.254
00:25:00:37:b7:f2
admin
cleartext
1.0
" -H "Content-Type: text/xml" https://1.1.1.1/auth/command.xml

In this case, the command was user_blacklist, the MAC of the user is between the macaddr tags, and the preshared key that is shared between the XML API server and the XML API definition on the controller is between the Key tags. In all cases, the user must already be in the user table. Below is the output:

* About to connect() to 1.1.1.1 port 443 (#0)
* Trying 1.1.1.1... connected
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: C=US, O=securelogin.arubanetworks.com, OU=businessprofile.geotrust.com/get.jsp?GT28470348, OU=See www.geotrust.com/resources/cps (c)06, OU=Domain Control Validated - QuickSSL Premium(R), CN=securelogin.arubanetworks.com
* start date: 2006-06-30 00:23:28 GMT
* expire date: 2011-06-30 00:23:28 GMT
* common name: securelogin.arubanetworks.com (does not match '1.1.1.1')
* issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
* SSL certificate verify ok.
> POST /auth/command.xml HTTP/1.1
> User-Agent: curl/7.19.4 (universal-apple-darwin10.0) libcurl/7.19.4 OpenSSL/0.9.8k zlib/1.2.3
> Host: 1.1.1.1
> Accept: */*
> Content-Type: text/xml
> Content-Length: 333
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 17 Sep 2009 23:06:14 GMT
Date: Thu, 17 Sep 2009 23:06:14 GMT
< Server:
Server:
< Content-Length: 101
Content-Length: 101
< Connection: close
Connection: close
< Content-Type: text/xml
Content-Type: text/xml


If you do not specify the XML-API server in the controller and attach it to the AAA profile of that SSID, you will get the following at the end:


Error
11
client not authorized

* Closing connection #0
* SSLv3, TLS alert, Client hello (1):



You can do other commands like:

user_add - Add a user into the switch's user table
user_delete - Remove a user from the switch's user table
user_authenticate - Authenticate a user using the switch's configured authentication mechanism
user_blacklist - Deny association requests for this user
user_query - Returns the current state of the user

You can use other tags like:

ipaddr - IP address of the user in A.B.C.D format
macaddr - MAC address of the user in aa:bb:cc:dd:ee:ff format (with colons)
user - Name of the user. It is a string of maximum size 64
role - Role name is a string of maximum size 64
password - The password of the user to use when authenticating the user
session_timeout - Session timeout in minutes. User will be disconnected after expiry of this time period.
authentication - Authentication method to authenticate the message and sender.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: API to blacklist and/or kick auth'd user offline

Killer info, thanks for taking the time to help us out. I imagine we'll be good from here, but I'll post back if that changes.
Occasional Contributor II

Re: API to blacklist and/or kick auth'd user offline

Let's assume we don't have the IP address we want to "user-delete" or "user-blacklist". In most cases, we only have the username. Is there a way to do a regular expression via the "user-xxxx" commands or a way to query the controller via the API to get the IP or MAC info for a user?

TIA,
Eric
Guru Elite

Query by Username

This is a query that I did by username. Note all the info I got back:

curl -vikd "xml=
> cjoseph
> key
> cleartext
> 1.0
>
" -H "Content-Type: text/xml" https://192.168.1.3/auth/command.xml
* About to connect() to 192.168.1.3 port 443 (#0)
* Trying 192.168.1.3... connected
* Connected to 192.168.1.3 (192.168.1.3) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: C=US; O=securelogin.arubanetworks.com; OU=businessprofile.geotrust.com/get.jsp?GT28470348; OU=See www.geotrust.com/resources/cps (c)06; OU=Domain Control Validated - QuickSSL Premium(R); CN=securelogin.arubanetworks.com
* start date: 2006-06-30 00:23:28 GMT
* expire date: 2011-06-30 00:23:28 GMT
* common name: securelogin.arubanetworks.com (does not match '192.168.1.3')
* issuer: C=US; O=Equifax; OU=Equifax Secure Certificate Authority
* SSL certificate verify ok.
> POST /auth/command.xml HTTP/1.1
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Host: 192.168.1.3
> Accept: */*
> Content-Type: text/xml
> Content-Length: 149
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 30 Sep 2010 21:10:07 GMT
Date: Thu, 30 Sep 2010 21:10:07 GMT
< Server:
Server:
< Connection: close
Connection: close
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Content-Type: text/xml
Content-Type: text/xml

<

Ok
0
00:23:6c:90:05:11
cjoseph
authenticated
Wireless
1
00:1a:1e:c0:24:0a
00:00:03
authenticated
CatchMe
00:1a:1e:82:40:b2
a
Wireless
2077
502912
1956
941817

* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


Colin Joseph
Aruba Customer Engineering

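An added example (my own code, not from this thread or from Aruba) covering both the user_blacklist call above and the user_query call in this post: it builds the body that curl's -d "xml=..." sends, validates the MAC format the tag list requires, and reduces the controller's reply to ok/code/reason plus the returned fields. The <aruba command="..."> root, the <key> and <version> elements and the <status>/<code>/<reason> reply elements are assumptions from my reading of the XML-API; ipaddr, macaddr, user and authentication are the tag names listed in the thread, and the replies below are constructed to match the Ok/0, Error/11 "client not authorized" and query outputs shown.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Commands named in the thread.
COMMANDS = {"user_add", "user_delete", "user_authenticate", "user_blacklist", "user_query"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")  # aa:bb:cc:dd:ee:ff, colons required


def build_request(command, key, **fields):
    """Return the XML request. Assumption: <aruba command=...> root plus <key> and
    <version>; the other tags (ipaddr, macaddr, user, role, ...) come from the thread."""
    if command not in COMMANDS:
        raise ValueError(f"unknown XML-API command {command!r}")
    mac = fields.get("macaddr")
    if mac is not None and not MAC_RE.match(mac.lower()):
        raise ValueError("macaddr must be aa:bb:cc:dd:ee:ff with colons")
    root = ET.Element("aruba", command=command)
    for tag, value in fields.items():       # e.g. ipaddr, macaddr, user, role
        ET.SubElement(root, tag).text = value
    ET.SubElement(root, "key").text = key   # preshared key of the XML-API server entry
    ET.SubElement(root, "authentication").text = "cleartext"
    ET.SubElement(root, "version").text = "1.0"
    return ET.tostring(root, encoding="unicode")


def curl_data(xml):
    """Form-encode the XML exactly as curl -d "xml=..." would send it."""
    return urlencode({"xml": xml})


def parse_response(body):
    """Return (ok, code, reason, fields). Assumption: the reply carries <status>,
    <code> and <reason> under an <aruba> root; any other children are user fields."""
    root = ET.fromstring(body)
    status = (root.findtext("status") or "").strip()
    code = int(root.findtext("code") or -1)
    reason = (root.findtext("reason") or "").strip()
    skip = {"status", "code", "reason"}
    fields = {c.tag: (c.text or "").strip() for c in root if c.tag not in skip}
    return status == "Ok" and code == 0, code, reason, fields


# Constructed replies (not captured from a controller), shaped like the thread's outputs.
ERROR_REPLY = ("<aruba><status>Error</status><code>11</code>"
               "<reason>client not authorized</reason></aruba>")
QUERY_REPLY = ("<aruba><status>Ok</status><code>0</code><macaddr>00:23:6c:90:05:11</macaddr>"
               "<name>cjoseph</name><role>authenticated</role><type>Wireless</type></aruba>")

if __name__ == "__main__":
    print(curl_data(build_request("user_query", "key", user="cjoseph")))
    print(parse_response(QUERY_REPLY))
```

Before sending user_blacklist or user_delete, run user_query first and act only when the reply is Ok and the returned name matches, so a stale or mistyped username never blacklists someone else's MAC.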

Occasional Contributor II

Re: API to blacklist and/or kick auth'd user offline

Unfortunately, we're not getting that kind of response. We've verified that the user is logged in via the GUI, but we cannot get output similar to yours. We're running 3.4.2.5. Maybe we need to enable some other config option, or maybe our code doesn't have this ability? Thanks again for your help.... Below is our output:


$ curl -vikd "xml=
> > emsmith
> > RADIUSkey
> > cleartext
> > 1.0
> >
" -H "Content-Type: text/xml" https://172.18.252.9/auth/command.xml
* About to connect() to 172.18.252.9 port 443
* Trying 172.18.252.9... connected
* Connected to 172.18.252.9 (172.18.252.9) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=US/O=securelogin.arubanetworks.com/OU=businessprofile.geotrust.com/get.jsp?GT28470348/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Validated - QuickSSL Premium(R)/CN=securelogin.arubanetworks.com
* start date: 2006-06-30 00:23:28 GMT
* expire date: 2011-06-30 00:23:28 GMT
* common name: securelogin.arubanetworks.com (does not match '172.18.252.9')
* issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
* SSL certificate verify ok.
> > POST /auth/command.xml HTTP/1.1
> > User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> > Host: 172.18.252.9
> > Accept: */*
> > Content-Type: text/xml
> > Content-Length: 149
> >
> > xml=
> > emsmith
> > omegapidurr
> > cleartext
> > 1.0
> >
HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 07 Oct 2010 15:50:52 GMT
Date: Thu, 07 Oct 2010 15:50:52 GMT
< Server:
Server:
< Content-Length: 91
Content-Length: 91
< Connection: close
Connection: close
< Content-Type: text/xml
Content-Type: text/xml


Error
1
unknown user

* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Guru Elite

Certain

If you are certain that user is logged in to the physical controller that you are querying, please open a case. That should work....


Colin Joseph
Aruba Customer Engineering

