New Contributor

ClearPass API between clusters

I am trying to leverage the ClearPass APIs to update endpoints on a separate ClearPass cluster.  I am able to issue the API request using API explorer or even from my system's command line using curl.

I set up the configuration in the following way, please let me know if I'm missing something.

  1. Create an API client under ClearPass Guest -> Administration -> API Services -> API Clients
    1. Set up grant type to client credentials
  2. Create Endpoint Context Server (Generic HTTP)
    1. Use Client Id and Secret from previous step
    2. OAuth2 Resource URL /api/oauth
  3. Create Endpoint Context Server Action
    1. Reference Server from step 2
    2. Configure HTTP Method, URL, Headers and Content based on information from API Explorer
  4. Create an Enforcement Profile (HTTP)
    1. Target Server from step 2
    2. Action from step 3
  5. Create Enforcement Policy Rule applying enforcement profile created in step 4

Looking in access tracker the enforcement profile I created is being triggered, however I never see the API request being made on the other system.  I can validate the server in step 2 successfully, and I see a log message in the application log that an access token was created when I validate.  Also took a packet capture and I do not see any tcp/443 traffic between the two systems.

Any help would be appreciated.
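The two-step call configured in steps 1 to 3 (a client-credentials token from `/api/oauth`, then the endpoint update with a Bearer token), as an added example that is not part of the original post: it runs the exchange against a local stand-in server and records every request that arrives, which is the receiving-side evidence the post looks for. The client id, secret, token, MAC address, PATCH path and JSON token body are constructed assumptions, not values from the thread.

```python
import json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values; the PATCH path and the JSON token body are assumptions.
CLIENT_ID, SECRET, TOKEN = "cluster-a-client", "constructed-secret", "constructed-token"
GRANT = {"grant_type": "client_credentials", "client_id": CLIENT_ID, "client_secret": SECRET}
ENDPOINT = "/api/endpoint/mac-address/aabbccddeeff"
SEEN = []  # (method, path) of every request that reaches the stand-in

class StandIn(BaseHTTPRequestHandler):
    # Local stand-in for the remote cluster's API; records what arrives.
    def _handle(self):
        SEEN.append((self.command, self.path))
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.command == "POST" and self.path == "/api/oauth":
            code, out = (200, {"access_token": TOKEN}) if body == GRANT else (400, {"error": "invalid_client"})
        elif self.headers.get("Authorization") == "Bearer " + TOKEN:
            code, out = 200, {"description": body.get("description")}
        else:
            code, out = 401, {"error": "invalid_token"}
        data = json.dumps(out).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    do_POST = do_PATCH = _handle
    def log_message(self, *args):  # keep stderr quiet
        pass

def call(base, method, path, payload, token=None):
    """Send one JSON request, ignoring any proxy set in the environment."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(base + path, json.dumps(payload).encode(), headers, method=method)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        return json.load(resp)

def run_exchange(description):
    """Token grant, then the endpoint update; returns (reply, requests seen)."""
    SEEN.clear()
    srv = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    try:
        token = call(base, "POST", "/api/oauth", GRANT)["access_token"]
        return call(base, "PATCH", ENDPOINT, {"description": description}, token), list(SEEN)
    finally:
        srv.shutdown()
        srv.server_close()
```

A healthy run shows exactly two requests on the receiving side, the token POST followed by the PATCH; a token request with no follow-up call matches the symptom described in the post.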

Guru Elite

Re: ClearPass API between clusters

Did you try to trigger it manually from access tracker or endpoints?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass API between clusters

I wanted to start simple so my API call right now is just updating the description of an endpoint on another ClearPass instance.

I can trigger it from access tracker or endpoints and it works as expected.  However, when I create a rule in my enforcement policy to call the action from an enforcement profile, nothing happens.  Access tracker makes it look like it is, but if I look at the application log no API is made.


Screen Shot 2018-05-29 at 11.37.01 PM.png

Guru Elite

Re: ClearPass API between clusters

Does the payload contain the client IP or other session information?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass API between clusters

No, the payload to update a description is basically just a string.

Here are screenshots from my endpoint context server configuration.

Screen Shot 2018-05-30 at 4.05.10 PM.png
Screen Shot 2018-05-30 at 4.05.15 PM.png
Screen Shot 2018-05-30 at 4.05.22 PM.png
Screen Shot 2018-05-30 at 4.05.29 PM.png

Guru Elite

Re: ClearPass API between clusters

Weird, should be working. Best to work with TAC so they can watch in real time.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass API between clusters

I already have a TAC case open, awaiting feedback.
