Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass COA disconnect using API ?

  • 1.  Clearpass COA disconnect using API ?

    Posted Jan 25, 2016 05:32 PM

    Hi everyone ! 

    Is it possible to send a CoA disconnect from the ClearPass API? The same thing as in the Access Tracker would be amazing.

    I've looked into documentation and Entities but I'm not sure if it's possible.

    Thanks !



  • 2.  RE: Clearpass COA disconnect using API ?

    Posted Jan 25, 2016 08:37 PM

    So you want to, say, execute an API call into CPPM using, say, the MAC address of the endpoint and trigger the CoA?

     

     



  • 3.  RE: Clearpass COA disconnect using API ?

    Posted Jan 25, 2016 09:05 PM

    Yes, this is exactly what I'd like to do!

     

    Thank you,



  • 4.  RE: Clearpass COA disconnect using API ?
    Best Answer

    Posted Jan 25, 2016 10:08 PM

    OK - How long can you wait... I have a TechNote [yes, another TechNote from me] that is like 95% complete that has a section with a Python script that you can use to make calls to trigger actions in an endpoint.

     

    The script is part of a larger solution where we use SIEMs to capture malicious activity on an endpoint from syslog feeds, then use the SIEM to trigger two API calls to CPPM... the first marks the endpoint as 'Under Threat', the second part of the script then triggers the CoA Enforcement Profile to fire......

     

    How does that sound......????



  • 5.  RE: Clearpass COA disconnect using API ?

    Posted Jan 25, 2016 10:19 PM

    Wow, sounds awesome! This will be perfect for my API.

     

    There's no rush on my side, I just created it for our security team to have access to an internal PHP page and Unauthorize device without giving them access to ClearPass. CoA disconnect was the missing part since we want the device to hit back the service with its new "unauth" attribute :)

    Looking forward to this tech-note! Will it also be fully integrable with McAfee SIEM?

    Thanks !



  • 6.  RE: Clearpass COA disconnect using API ?

    Posted Jan 25, 2016 10:27 PM

    Ohhhh..... it gets better for you.... so I'm just starting a program of certification with Intel Security with their SIEM [aka Nitro if you like]....... when I say just starting I mean JUST STARTING......

     

    Likely it will be a couple of months if all goes to plan... but I'd say Q2 is more realistic. Now, this does not stop you doing what you want today, you'll need to figure out the process as we've not even got McAfee SIEM installed yet as we're super busy with 6.6 / RSA / Atmosphere......

     

    Do me a favour.... ping me in a week or so and I'll likely have the TechNote in a final Draft and I can share a copy with you...... ping me at jump@hpe.com

     

    HTH.

     

     



  • 7.  RE: Clearpass COA disconnect using API ?

    Posted Jan 25, 2016 10:38 PM

    Alright! I'll ping you next week for sure. 3rd party integrations using APIs are just amazing, saving a lot of overhead.

    Thanks for your time, much appreciated !



  • 8.  RE: Clearpass COA disconnect using API ?
    Best Answer

    Posted Jan 26, 2016 06:39 AM

    If you have access to AFP:

     

    https://arubapedia.arubanetworks.com/afp/index.php/How-To:_Clearpass_CPPM_API#CoA

     

    Otherwise here's the quote from there:

     

    CoA


    Sending a CoA can be achieved using:

    curl -k -u "<user>:<password>" -X POST https://<CPPM>/async_netd/cmdctrl/radenfprofile -d \
      '{"content": {"enf_profile_name": "[Aruba Terminate Session]", "mac_address": "<macaddress without delimiters>"}, "id": 1, "name": "radius_enfprofile_request"}'

    curl -k -u "<user>:<password>" -X POST https://<CPPM>/async_netd/cmdctrl/apply_coaprof_clntlist -d \
      '{"id": 1, "name": "apply_coaprof_clntlist_request", "content": {"macaddr_list": ["<macaddress without delimiters>", "<macaddress without delimiters>"], "enf_profile_name": "[Aruba Terminate Session]"}}'
    
    

    To accomplish a CoA, follow these steps and examples:

    1. Ask ClearPass “What can you do with a given MAC address” ?

    Send an API request to /async_netd/cmdctrl/query - note the “query” at the end - this is how we know we’re just being asked to advertise capabilities

    ashwath@mba-ashwath:/tmp$ curl -k -u 'admin:eTIPS123' -H 'Content-Type: application/json' https://10.2.50.126/async_netd/cmdctrl/query -d '{"content": {"mac_address": "98D6F769D4EA"}, "id": 1, "name": "cnc_query_request"}'

    2. ClearPass Response

    {"content": {"cnc_capabilities": [{"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}], "display_name": "Terminate Session", "name": "Terminate-Session-Aruba", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}, {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}], "display_name": "Change User Role", "name": "Change-User-Role", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}], "display_name": "Terminate Session", "name": "Terminate-Session-IETF", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "IPv4Address", "name": "Framed-IP-Address", "value": "%{Connection:Client-IP-Address}", "id": 8}, {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}], "display_name": "Change VPN User Role", "name": "Change-VPN-User-Role", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "IPv4Address", "name": "Framed-IP-Address", "value": "%{Connection:Client-IP-Address}", "id": 8}], "display_name": "Generic Change of Authorization", "name": "Generic-CoA-IETF", "cnc_type": "RADIUS"}]}, "id": 1, "name": "cnc_query_response"}

    3. Ask ClearPass to execute one of the actions returned in step #2

    Send an API request to /async_netd/cmdctrl/request - note the “request” at the end - this is how we know we’re asking ClearPass to take an action

    ashwath@mba-ashwath:/tmp$ curl -k -v -u 'admin:eTIPS123' -H 'Content-Type: application/json' http://10.2.50.126/async_netd/cmdctrl/request -d '{"id": 1, "name": "cnc_request", "content": {"mac_address": "B88D120EB41E", "cnc_actions" : [{"id" : 1, "name" : "Terminate-Session-Aruba", "display_name" : "Terminate Session", "type" : "RADIUS", "params" : [{"name": "Calling-Station-Id", "value":"98D6F769D4EA"}] }] } }'

    4. ClearPass Response

    {"content": {"cnc_actions": [{"status_message": "Radius Terminate Session successful for client B88D120EB41E", "id": 1}]}, "id": 1, "name": "cnc_response"}

    This is just one sequence of events - however, it’s very indicative of how the API works.

    The same can be done with usernames instead of MAC addresses. In the query request, send "username": "bob" instead of "mac_address": "00-11-22-33-44-55"
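
The query/request sequence above as an added Python example (not part of the quoted wiki text and not Aruba's code): it picks one advertised action out of a `cnc_query_response` and builds the matching `cnc_request` body, failing cleanly when the capability list is empty. The function name, the `overrides` argument and the mapping of the response's `cnc_type` to the request's `type` are assumptions read off the two messages shown.

```python
import json

# Constructed sample: a trimmed copy of the step-2 reply quoted above.
SAMPLE_QUERY_RESPONSE = json.loads("""
{"content": {"cnc_capabilities": [
  {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id",
               "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}],
   "display_name": "Terminate Session", "name": "Terminate-Session-Aruba", "cnc_type": "RADIUS"},
  {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id",
               "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31},
              {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}],
   "display_name": "Change User Role", "name": "Change-User-Role", "cnc_type": "RADIUS"}
]}, "id": 1, "name": "cnc_query_response"}
""")


def build_cnc_request(query_response, mac, action_name, overrides=None):
    """Turn a cnc_query_response into the cnc_request body for one advertised action."""
    if query_response.get("name") != "cnc_query_response":
        raise ValueError("not a cnc_query_response")
    capabilities = query_response.get("content", {}).get("cnc_capabilities", [])
    if not capabilities:
        # An empty list advertises nothing to execute for this client.
        raise LookupError("no actions advertised for %s" % mac)
    chosen = next((c for c in capabilities if c["name"] == action_name), None)
    if chosen is None:
        offered = ", ".join(c["name"] for c in capabilities)
        raise LookupError("%s not advertised; offered: %s" % (action_name, offered))
    overrides = overrides or {}
    params = []
    for p in chosen["params"]:
        if p["name"] == "Calling-Station-Id":
            value = mac  # the step-3 example sends the MAC in this parameter
        else:
            value = overrides.get(p["name"], p["value"])
        params.append({"name": p["name"], "value": value})
    # Assumption: the request's "type" carries the capability's "cnc_type".
    action = {"id": 1, "name": chosen["name"], "display_name": chosen["display_name"],
              "type": chosen["cnc_type"], "params": params}
    return {"id": 1, "name": "cnc_request",
            "content": {"mac_address": mac, "cnc_actions": [action]}}


if __name__ == "__main__":
    body = build_cnc_request(SAMPLE_QUERY_RESPONSE, "98D6F769D4EA", "Terminate-Session-Aruba")
    print(json.dumps(body))
```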



  • 9.  RE: Clearpass COA disconnect using API ?

    Posted Jan 26, 2016 08:35 AM
    Thank you !! Never saw that !

    I'll test this out today and let you know the input :)


  • 10.  RE: Clearpass COA disconnect using API ?

    Posted Jan 26, 2016 03:03 PM

    Works #1 :D

    Thank you,



  • 11.  RE: Clearpass COA disconnect using API ?

    Posted Feb 05, 2016 05:11 PM

    This TechNote is now posted........ Happy Days.....

     


    You can find the document on the support site located here: CPPM TechNote - Network Threat Detection with SIEM Integration V1.pdf <https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=20286>

    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.



  • 12.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 12:48 PM

    This looks like something I'm trying to accomplish via XML - I'm trying to decipher the JSON to XML but I'm running into issues. Can someone shed some light on the appropriate XML syntax to POST to CPPM to trigger a COA on a MAC address?

     

    When I execute the curl command, I don't get the same level of options via CPPM. Below is the output of the command against our Policy Manager server:

     

    {"content": {"cnc_capabilities": []}, "id": 1, "name": "cnc_query_response"}


  • 13.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 01:11 PM

    Hi,

     

    I'm using the following and it works fine from Linux cURL : 

     

    curl -k -u "apiadmin:your_password" -X POST https://Clearpass_IP/async_netd/cmdctrl/radenfprofile -d '{"content": {"enf_profile_name": "TEST_COA_PROFILE", "mac_address": "185e0fa841f4"}, "id": 1, "name": "radius_enfprofile_request"}';

     

    This is how I do a live COA vlan derivation. I just add a VLAN derivation rule into the enforcement profile and then I apply it using this command.

     



  • 14.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 01:18 PM

    When I execute the same command against an endpoint that is online, I get the following (mac_address is the actual address):

     

    {"content": {"enf_profile_name": "TEST_COA_PROFILE", "status_message": "Query - No supported actions", "mac_address": "<mac_address>"}, "id": 1, "name": "enfprofile_response"}


  • 15.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 01:21 PM
    Could you please post the complete command you are posting ?


  • 16.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 01:23 PM
    curl -k -u "apiadmin:api_admin_pwd" -X POST https://clearpass_server/async_netd/cmdctrl/radenfprofile -d '{"content": {"enf_profile_name": "TEST_COA_PROFILE", "mac_address": "fcf8ae77f2fe"}, "id": 1, "name": "radius_enfprofile_request"}';


  • 17.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 01:27 PM
    Ok, you need to replace TEST_COA_PROFILE with an existing enforcement profile in your clearpass server.

    Let me know the output !



  • 18.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 01:39 PM
    Does your NAD device have the CoA Enabled ?



  • 19.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 02:46 PM

    Of course - sorry to have missed such a simple thing!

     

    When I use the enforcement profile [Aerohive - Terminate Session], the curl command works correctly and terminates the session. This is the end result I'm looking for where we need end devices who have recently changed profile or roles to reauthenticate and get the correct new roles.

     

    Now that the CURL command is working (see below) is there a way to send this request via straight XML? All the other tipsAPI configuration I'm using uses XML and I'd prefer to keep it that way.

     

     



  • 20.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 02:55 PM

    Great ! 

    As far as I know, there is no way of doing this with XML. I think part of the reason is that those commands are sent to async_netd\cmdctrl instead of \tipsapi. Still, I'd be interested too in knowing if there is a way to format it in XML :)



  • 21.  RE: Clearpass COA disconnect using API ?

    Posted May 09, 2016 03:22 PM

    That makes sense. I can make things work with the curl command - not a deal breaker. Thanks to everyone for your help!



  • 22.  RE: Clearpass COA disconnect using API ?

    Posted May 10, 2016 12:28 PM

    I have the CURL command working exactly as I need it:

     

    curl -k -u "username:password" -X POST https://cppm-server/async_netd/cmdctrl/radenfprofile -d '{"content": {"enf_profile_name": "[Aerohive - Terminate Session]", "mac_address": "device_mac_address"}, "id": 1, "name": "radius_enfprofile_request"}';

    Now I'm trying to get the same JSON POST working with Perl's LWP::UserAgent module. The syntax is relatively simple, but when I execute the Perl script, I'm getting a 401 Unauthorized error:

     

    my $json = "{'content': {'enf_profile_name': '[Aerohive - Terminate Session]', 'mac_address': '$mac_address'}, 'id': 1, 'name': 'radius_enfprofile_request'}";
    my $ua = LWP::UserAgent->new(ssl_opts -> { verify_hostname => 1 });
    $ua->credentials($cppm,$realm,$username=>$password);
    $response = $ua->post($cppm_url, Content-Type => 'application/json', Content => $json);
    print Dumper $response;     

    I have the exact same syntax above set up to use the tipsApi and it's working beautifully - the only difference is the target URL ($cppm_url), the credentials and the JSON. I'm guessing this is something Perl-specific, but I wasn't sure if anyone had any experience. Thanks again!



  • 23.  RE: Clearpass COA disconnect using API ?

    Posted May 13, 2016 03:07 PM

    I've been through the wringer on this one, still no progress. I'm getting a 400 Bad Request response from the CPPM server when using the LWP UserAgent. I've tried adding additional headers to the request but I still cannot get a valid connection using Perl. Does anyone know of specific headers Curl might be sending that LWP does not, or specific headers the CPPM expects for this POST?
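
For comparison with the working curl command in this thread, an added Python example (not code from any poster or from Aruba) that builds the same `radenfprofile` POST with double-quoted JSON from `json.dumps` and a Basic `Authorization` header sent with the first request, as `curl -u` does. The function names, host, credentials and `ca_file` are placeholders, and the `application/json` content type is an assumption taken from the query example earlier in the thread.

```python
import base64
import json
import re
import ssl
import urllib.request


def normalize_mac(mac):
    """Return the MAC as 12 hex digits, the delimiter-free form the curl examples use."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def build_radenfprofile_request(host, user, password, profile, mac):
    """Build (without sending) the POST that the working curl command issues."""
    body = {"content": {"enf_profile_name": profile, "mac_address": normalize_mac(mac)},
            "id": 1, "name": "radius_enfprofile_request"}
    # json.dumps emits double-quoted JSON and escapes the profile name correctly.
    data = json.dumps(body).encode("utf-8")
    # Basic credentials go out with the first request, without waiting for a challenge.
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        "https://%s/async_netd/cmdctrl/radenfprofile" % host, data=data, method="POST",
        # Assumption: application/json, as in the thread's cmdctrl/query example.
        headers={"Authorization": "Basic " + token, "Content-Type": "application/json"})


def send(request, ca_file):
    """Send with certificate verification against ca_file instead of curl's -k."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values; nothing is sent here.
    req = build_radenfprofile_request("cppm.example.test", "apiadmin", "placeholder",
                                      "[Aruba Terminate Session]", "18:5e:0f:a8:41:f4")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```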



  • 24.  RE: Clearpass COA disconnect using API ?

    Posted Jan 28, 2019 11:08 AM

    Hi Danny,

    Don't have access to this doc, is there an up to date version I could have?

     

    Rgds

    Alex

     



  • 25.  RE: Clearpass COA disconnect using API ?

    EMPLOYEE
    Posted Jan 28, 2019 12:51 PM

    This is a very old thread. The legacy APIs should not be used.

     

    Use this as an example > https://github.com/aruba/clearpass-examples-only/tree/master/atm18/disconnect-compromised-device