Security

Reply
Occasional Contributor I
Posts: 7
Registered: ‎12-12-2008

Clearpass API and XML Calls

I'm trying to perform an API call to our Clearpass server to move users into roles based on the attribute "Disabled Reason". For example if "Disabled Reason" equals "RIAA" I would like to move them into the RIAA role where we would present the user with a splash page explaining the process that they must follow to re-establish service.

 

I have a call that works for moving the users status from "Known" to "Disabled" but need to expand on that to use the endpoint attributes. The working call is as follows:

 

<TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader version="3.0"/>
<Endpoints>
<Endpoint status="Unknown" macAddress="a088b4764054"/>
</Endpoints>
</TipsApiRequest>'

 

I exported one of the endpoints that I had manually configured RIAA as the Disabled Reason and got this:

 

-<TipsContents>

<TipsHeader exportTime="Wed Aug 28 22:55:18 CDT 2013" version="6.2"/>

<Endpoints>

<Endpoint macAddress="1040f350d9d2" status="Unknown">

<EndpointTags tagName="Disabled Reason" tagValue="RIAA"/>

</Endpoint>

</Endpoints>

<TagDictionaries>

<TagDictionary allowMultiple="true" mandatory="false" dataType="String" attributeName="Disabled Reason" entityName="Endpoint"/>

</TagDictionaries>

</TipsContents>

 

Any ideas on how this call should be constructed?

 

Thanks,

 

David

Aruba
Posts: 113
Registered: ‎11-21-2011

Re: Clearpass API and XML Calls

I think you are asking: how to set an endpoint attribute through the API?

 

You should be able to do this using the same format returned when you read the endpoint.  There's no need to include the tag dictionary, though.

 

Try something like this:

 

<TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader version="3.0"/>
  <Endpoints>
    <Endpoint status="Unknown" macAddress="a088b4764054">

      <EndpointTags tagName="Disabled Reason" tagValue="RIAA"/>

    </Endpoint>
  </Endpoints>
</TipsApiRequest>

 

Occasional Contributor I
Posts: 7
Registered: ‎12-12-2008

Re: Clearpass API and XML Calls

Thank you amigodave...that worked great. 

 

So now I can structure the call to update the status from "Disabled" to "Known" but how do I go about deleting the "Reason Disabled" attribute from the end point? 

Occasional Contributor I
Posts: 7
Registered: ‎12-12-2008

Re: Clearpass API and XML Calls

Does the following sound like a reasonable approach?

 

1) Move the user via API call to "Disabled" and reason for Disabled = RIAA. This allows me to move the device to the RIAA role.

2) Once the user meets University policy to re-enable network access move the device from "Disabled" to "Unknown". This clears the RIAA attribute from the endpoint.

3) Once the user connects their device to the network Clearpass moves them from "Unknown" to "Known" and we start again...

 

If that sounds reasonable then I'm all good.

 

Thanks,

 

David 

Aruba
Posts: 113
Registered: ‎11-21-2011

Re: Clearpass API and XML Calls

When writing the endpoint, I believe all the tags that are specified in the API call will replace all of the tags that are stored with the endpoint.

 

That means:

 

  • To delete an attribute, don't send it when you update the endpoint
  • To keep an attribute, send it unmodified when you update the endpoint
  • To modify an attribute, send the new value when you update the endpoint
  • To add a new attribute, include it when you update the endpoint

Your approach sounds like it would work provided you don't have policy that prevents unknown endpoints from accessing the network.

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass API and XML Calls

Is there a way to specify in the call the "action". We have been looking at using XML API calls to add information to the endpoint database, but we need a "merge" or "add" action that doesn't replace existing attributes (other than the ones specified).

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 113
Registered: ‎11-21-2011

Re: Clearpass API and XML Calls

Unfortunately, the "write" action is the only one available at present, and it performs a destructive replace.  Use the algorithm outlined above to merge or modify.

 

Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Clearpass API and XML Calls

Can anyone recommend a tool/library for making API calls to clearpass.

My goal is simple to update the password on a guest user on a routine basis.

I have a background in scripting but have never had to work with an XML API so just figuring out where to start. Ideally a linux based tool, if not what is the MS option?


--
ACMA ACMP
Moderator
Posts: 484
Registered: ‎11-09-2012

Re: Clearpass API and XML Calls

Please take a look our our API Guide.....

 

ClearPass API Technical Document

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Clearpass API and XML Calls

I read this document before posting. 

 

There is no mention of a tool or library that can be used for making the API calls.

 


--
ACMA ACMP
Search Airheads
Showing results for 
Search instead for 
Did you mean: