MVP
Posts: 117
Registered: ‎07-13-2015

Clearpass COA disconnect using API ?

Hi everyone ! 

Is it possible to send a COA disconnect from the Clearpass API ? Same thing as in the Access Tracker would be amazing.

I've looked into documentation and Entities but I'm not sure if it's possible.

Thanks !

ACMP, ACCP, BCNE
Moderator
Posts: 472
Registered: ‎11-09-2012

Re: Clearpass COA disconnect using API ?

So you want to say execute an API call into CPPM using say the mac-address of the endpoint and trigger the CoA?

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
MVP
Posts: 117
Registered: ‎07-13-2015

Re: Clearpass COA disconnect using API ?

Yes, this is exactly what I'd like to do !

 

Thank you,

ACMP, ACCP, BCNE
Moderator
Posts: 472
Registered: ‎11-09-2012

Re: Clearpass COA disconnect using API ?

OK - How long can you wait... I have a TechNote [Yes another Technote from me] that is like 95% complete that has a section with a python script that you can use to make calls to trigger actions in an endpoint.

The script is part of a larger solution where we use SIEMs to capture malicious activity on an endpoint from syslog feeds, then use the SIEM to trigger two API calls to CPPM... the first marks the endpoint as 'Under Threat' the second part of the script then triggers the CoA Enforcement Profile to fire......

 

How does that sound......????


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

MVP
Posts: 117
Registered: ‎07-13-2015

Re: Clearpass COA disconnect using API ?

Wow, sounds awesome ! This will be perfect for my API.

There's no rush on my side, I just created it for our security team to have access to an internal PHP page and Unauthorize device without giving them access to Clearpass. CoA disconnect was the missing part since we want the device to hit back the service with its new "unauth" attribute :)

Looking forward to this tech-note ! Will it also be fully integrable with McAfee SIEM ? 

Thanks !

ACMP, ACCP, BCNE
Moderator
Posts: 472
Registered: ‎11-09-2012

Re: Clearpass COA disconnect using API ?

Ohhhh..... it gets better for you.... so I'm just starting a program of certification with Intel Security with their SIEM [aka Nitro if you like]....... when I say just starting I mean JUST STARTING......

Likely it will be a couple of months if all goes to plan... but I'd say Q2 is more realistic. Now, this does not stop you doing what you want today, you'll need to figure out the process as we've not even got McAfee SIEM installed yet as we're super busy with 6.6 / RSA / Atmosphere......

 

Do me a favour.... ping me in a week or so and I'll likely have the TechNote in a final Draft and I can share a copy with you...... ping me at jump@hpe.com

 

HTH.

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

MVP
Posts: 117
Registered: ‎07-13-2015

Re: Clearpass COA disconnect using API ?

Alright ! I'll ping you next week for sure. 3rd party integrations using APIs are just amazing, saving a lot of overhead.

Thanks for your time, much appreciated !

ACMP, ACCP, BCNE
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Clearpass COA disconnect using API ?

If you have access to AFP:

 

https://arubapedia.arubanetworks.com/afp/index.php/How-To:_Clearpass_CPPM_API#CoA

 

Otherwise here's the quote from there:

 

CoA


Sending a CoA can be achieved using:

curl -k -u "<user>:<password>" -X POST https://<CPPM>/async_netd/cmdctrl/radenfprofile -d '{"content": {"enf_profile_name": "[Aruba Terminate Session]", "mac_address": "<macaddress without delimiters>"}, "id": 1, "name": "radius_enfprofile_request"}'

curl -k -u "<user>:<password>" -X POST https://<CPPM>/async_netd/cmdctrl/apply_coaprof_clntlist -d '{"id": 1, "name": "apply_coaprof_clntlist_request", "content": {"macaddr_list": ["<macaddress without delimiters>", "<macaddress without delimiters>"], "enf_profile_name": "[Aruba Terminate Session]"}}'

To accomplish a CoA, follow these steps and examples:

1. Ask ClearPass “What can you do with a given MAC address” ?

Send an API request to /async_netd/cmdctrl/query - note the “query” at the end - this is how we know we’re just being asked to advertise capabilities

ashwath@mba-ashwath:/tmp$ curl -k -u 'admin:eTIPS123' -H 'Content-Type: application/json' https://10.2.50.126/async_netd/cmdctrl/query -d '{"content": {"mac_address": "98D6F769D4EA"}, "id": 1, "name": "cnc_query_request"}'

2. ClearPass Response

{"content": {"cnc_capabilities": [{"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}], "display_name": "Terminate Session", "name": "Terminate-Session-Aruba", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}, {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}], "display_name": "Change User Role", "name": "Change-User-Role", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}], "display_name": "Terminate Session", "name": "Terminate-Session-IETF", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "IPv4Address", "name": "Framed-IP-Address", "value": "%{Connection:Client-IP-Address}", "id": 8}, {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}], "display_name": "Change VPN User Role", "name": "Change-VPN-User-Role", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "IPv4Address", "name": "Framed-IP-Address", "value": "%{Connection:Client-IP-Address}", "id": 8}], "display_name": "Generic Change of Authorization", "name": "Generic-CoA-IETF", "cnc_type": "RADIUS"}]}, "id": 1, "name": "cnc_query_response"}

3. Ask ClearPass to execute one of the actions returned in step #2

Send an API request to /async_netd/cmdctrl/request - note the “request” at the end - this is how we know we’re asking ClearPass to take an action

ashwath@mba-ashwath:/tmp$ curl -k -v -u 'admin:eTIPS123' -H 'Content-Type: application/json' https://10.2.50.126/async_netd/cmdctrl/request -d '{"id": 1, "name": "cnc_request", "content": {"mac_address": "B88D120EB41E", "cnc_actions": [{"id": 1, "name": "Terminate-Session-Aruba", "display_name": "Terminate Session", "type": "RADIUS", "params": [{"name": "Calling-Station-Id", "value": "98D6F769D4EA"}]}]}}'

4. ClearPass Response

{"content": {"cnc_actions": [{"status_message": "Radius Terminate Session successful for client B88D120EB41E", "id": 1}]}, "id": 1, "name": "cnc_response"}

This is just one sequence of events - however, it’s very indicative of how the API works.

The same can be done with usernames instead of MAC addresses. In the query request, send "username": "bob" instead of "mac_address": "00-11-22-33-44-55"


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
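
The query-then-request sequence quoted in the post above, as an added Python example that is not part of the original post or of Aruba's documentation. The function names are hypothetical, the sample is a trimmed copy of the step 2 response, and copying "cnc_type" into the request's "type" field is inferred from the post's step 3 example. It validates the MAC before it reaches the JSON body and only accepts an action ClearPass actually advertised.

```python
import json
import re

# Constructed sample: a trimmed copy of the step 2 response shown in the post.
QUERY_RESPONSE = json.loads("""
{"content": {"cnc_capabilities": [
  {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id",
               "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}],
   "display_name": "Terminate Session", "name": "Terminate-Session-Aruba", "cnc_type": "RADIUS"},
  {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id",
               "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31},
              {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}],
   "display_name": "Change User Role", "name": "Change-User-Role", "cnc_type": "RADIUS"}
]}, "id": 1, "name": "cnc_query_response"}
""")


def normalize_mac(raw):
    """Return 12 upper-case hex digits without delimiters, or raise ValueError."""
    mac = re.sub(r"[-:.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", mac):
        raise ValueError("not a MAC address: %r" % raw)
    return mac


def build_cnc_request(query_response, action_name, raw_mac):
    """Build the step 3 body for an action ClearPass advertised in step 2."""
    if query_response.get("name") != "cnc_query_response":
        raise ValueError("unexpected message: %r" % query_response.get("name"))
    mac = normalize_mac(raw_mac)
    caps = {c["name"]: c for c in query_response["content"]["cnc_capabilities"]}
    if action_name not in caps:
        raise LookupError("%s is not offered for %s" % (action_name, mac))
    cap = caps[action_name]
    params = []
    for p in cap["params"]:
        if p["name"] != "Calling-Station-Id":
            # Assumption: this sketch only fills the MAC-valued parameter.
            raise ValueError("action needs extra parameter %s" % p["name"])
        params.append({"name": p["name"], "value": mac})
    action = {"id": 1, "name": cap["name"], "display_name": cap["display_name"],
              "type": cap["cnc_type"], "params": params}
    return {"id": 1, "name": "cnc_request",
            "content": {"mac_address": mac, "cnc_actions": [action]}}


if __name__ == "__main__":
    print(json.dumps(build_cnc_request(QUERY_RESPONSE, "Terminate-Session-Aruba", "98:d6:f7:69:d4:ea")))
```

The returned dictionary is the body to POST to /async_netd/cmdctrl/request. When this sits behind an internal web page, send it with certificate verification enabled rather than curl's -k, and use a dedicated API account instead of the admin login.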
MVP
Posts: 117
Registered: ‎07-13-2015

Re: Clearpass COA disconnect using API ?

Thank you !! Never saw that !

I'll test this out today and let you know the input :)
ACMP, ACCP, BCNE
MVP
Posts: 117
Registered: ‎07-13-2015

Re: Clearpass COA disconnect using API ?

Works #1 :D

Thank you,

ACMP, ACCP, BCNE