New Contributor
Posts: 3
Registered: ‎05-26-2016

Clearpass REST API 6.5 usage

Hello,

I'm trying to use the XML API to update a StaticHostList, and running into an error that I'm not sure how to interpret.  Here's the initial Request, retrieved using "https://clearpass/tipsapi/config/read/StaticHostList":

<TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu May 26 16:59:31 PDT 2016" version="6.5"/>
  <StatusCode>Success</StatusCode>
  <StaticHostLists>
    <StaticHostList description="MAC Addresses of devices violating security policy or other" name="quarantined devices" memberType="MACAddress" memberFormat="list" members="01:23:45:67:89:ab"/>
    <StaticHostList description="" name="test" memberType="MACAddress" memberFormat="list" members="12:34:56:78:90:ab, 00:11:22:33:44:55, aa:bb:cc:dd:ee:ff"/>
  </StaticHostLists>
</TipsApiResponse>

So, then I manipulate the StaticHostList entry that matches the name "test", to remove one of the entries.  When that's done, I post the following to "https://clearpass/tipsapi/config/write/StaticHostList":

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader version="6.5"/>
<StaticHostLists>
<StaticHostList xmlns="http://www.avendasys.com/tipsapiDefs/1.0" description="" name="test" memberType="MACAddress" memberFormat="list" members="12:34:56:78:90:ab, aa:bb:cc:dd:ee:ff"/>
</StaticHostLists>
</TipsApiRequest>

But, this throws an error:

<TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu May 26 16:59:32 PDT 2016" version="6.5"/>
  <StatusCode>Failure</StatusCode>
  <TipsApiError>
    <ErrorCode>InvalidXml</ErrorCode>
    <Message>Error at: [lineNumber: 6, columnNumber: 19]</Message>
    <Message> Element 'StaticHostLists' cannot have character [children], because the type's content type is element-only.</Message>
  </TipsApiError>
</TipsApiResponse>

Can someone help me properly form this POST to remove the entry? I understand from an old post I found that elements like StaticHostList were such that you have to replace the entire entry. But, that code was using version 3.0. I've tried to consult the docs, but there aren't any relevant examples. The XML I'm posting is virtually the same as what I understand the format is if I were to upload an XML through the GUI.

Thanks
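
One way to build the write request described above without hand-editing XML, as an added example that is not part of the original post or Aruba's code: it copies the "test" entry from the read response, drops one MAC address, and checks the result for stray character data inside StaticHostLists, which is what the InvalidXml message complains about. The helper names are hypothetical, and the thread does not confirm that ClearPass accepts this request.

```python
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"  # namespace shown in the post
ET.register_namespace("", NS)  # serialize with a default xmlns, no prefixes

# Read response trimmed from the one quoted in the post (sample input).
READ_RESPONSE = """<TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu May 26 16:59:31 PDT 2016" version="6.5"/>
  <StatusCode>Success</StatusCode>
  <StaticHostLists>
    <StaticHostList description="" name="test" memberType="MACAddress"
      memberFormat="list" members="12:34:56:78:90:ab, 00:11:22:33:44:55, aa:bb:cc:dd:ee:ff"/>
  </StaticHostLists>
</TipsApiResponse>"""


def q(tag):
    """Qualify a tag name with the TIPS API namespace."""
    return "{%s}%s" % (NS, tag)


def build_write_request(read_xml, list_name, mac):
    """Copy one StaticHostList from a read response, minus one MAC address."""
    root = ET.fromstring(read_xml)
    src = next((e for e in root.iter(q("StaticHostList"))
                if e.get("name") == list_name), None)
    if src is None:
        raise LookupError("no StaticHostList named %r" % list_name)
    members = [m.strip() for m in src.get("members", "").split(",") if m.strip()]
    kept = [m for m in members if m.lower() != mac.lower()]
    if len(kept) == len(members):
        raise ValueError("%s is not a member of %r" % (mac, list_name))
    req = ET.Element(q("TipsApiRequest"))
    ET.SubElement(req, q("TipsHeader"), version=root.find(q("TipsHeader")).get("version"))
    lists = ET.SubElement(req, q("StaticHostLists"))
    ET.SubElement(lists, q("StaticHostList"), dict(src.attrib, members=", ".join(kept)))
    return ET.tostring(req, encoding="utf-8")


def stray_text(xml_bytes, container):
    """Non-whitespace character data sitting directly inside <container>."""
    found = []
    for elem in ET.fromstring(xml_bytes).iter(q(container)):
        chunks = [elem.text] + [child.tail for child in elem]
        found += [c.strip() for c in chunks if c and c.strip()]
    return found


def members_of(xml_bytes, list_name):
    """Return the members attribute of every list with the given name."""
    return [e.get("members") for e in ET.fromstring(xml_bytes).iter(q("StaticHostList"))
            if e.get("name") == list_name]
```

Running stray_text over the exact bytes about to be posted, rather than over a pretty-printed copy, shows whether anything other than elements ended up inside the container.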

Moderator
Posts: 470
Registered: ‎11-09-2012

Re: Clearpass REST API 6.5 usage

Can I suggest that it will be a better investment of your time and easier to implement and support if you do this through the RESTful APIs. Find the interface at https://IP@/api-docs/ or https://IP@/api-docs/Identity-v1

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

New Contributor
Posts: 3
Registered: ‎05-26-2016

Re: Clearpass REST API 6.5 usage

Um, I wish.  I found those docs, but they don't seem to cover the case of updating a StaticHostList.  If you can point me to the doc that's more specific to StaticHostLists, I'd appreciate it.

Aruba Employee
Posts: 398
Registered: ‎11-04-2011

Re: Clearpass REST API 6.5 usage

If you can upgrade to ClearPass 6.6, the StaticHostList management has been added in that version:

[Screenshot: API Explorer - Identity-v1]

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
New Contributor
Posts: 3
Registered: ‎05-26-2016

Re: Clearpass REST API 6.5 usage

We were finally able to upgrade. I'm getting close to having this figured out, but I think I'm missing a step. In the PDF at https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/20924/1/Using%20the%20ClearPass%20HTTP%20APIs.pdf I'm trying to follow the steps to use the "client_credentials" grant_type. I have a Python script that can get an access token now. I've updated the header to include the "Authorization: Bearer <token>" and "Accept: application/json" bits, and I can get the /api/oauth/privileges output, but when trying to get https://url/api/static-host-list I get Access Denied. Step 3 of the document says to create a local user, but nothing else I'm reading says to send any more credentials other than the new header. Here are some snippets:

1. The initial post to get a token:

#!/usr/local/bin/python2.7

import requests
import json
import sys
import time

# Base URL of the ClearPass server
url = 'https://myclearpassserver'

s = requests.Session()

# Request an access token with the client_credentials grant
payload = {"grant_type": "client_credentials", "client_id": "myapi_access", "client_secret": "the-secret"}
s.headers.update({"Content-Type": "application/json"})

response = s.post(url + '/api/oauth', verify=True, json=payload)

x = json.loads(response.content)
token = x['access_token']

# Send the bearer token on every subsequent request in this session
s.headers.update({"Authorization": "Bearer " + token, "Accept": "application/json"})

getStaticHostList = s.get(url + '/api/static-host-list', verify=True)

When I print getStaticHostList.content, I get:

{"type":"http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html","title":"Forbidden","status":403,"detail":"Access denied"}

The printed header looks OK:

{'Accept': 'application/json', 'Connection': 'keep-alive', 'Accept-Encoding': 'gzip, deflate', 'Authorization': u'Bearer somelongtokenstring', 'User-Agent': 'python-requests/2.7.0 CPython/2.7.10 Linux/2.6.32-642.el6.x86_64'}

Any suggestions?
