Contributor I

Controller XML-API Blacklist User

I'm looking to use the controller XML-API to blacklist a device based on MAC address. The documentation states IP address is required when blacklisting a user, but that doesn't jive with the CLI command (stm add-blacklist-client [MAC]). Blacklisting via IP address won't work for us as there are instances a client will not be connected and thus not have an IP address. How can I blacklist a MAC address via API?

Guru Elite

Re: Controller XML-API Blacklist User

Unfortunately, the IP address is required and won't work without it. http://www.arubanetworks.com/techdocs/ArubaOS_81_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/XML_Request.htm%3FTocPath%3DArubaOS%2520User%2520Guide%7CExternal%2520User%2520Management%7C_____3



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Controller XML-API Blacklist User

hi codemode

 

You have a few alternative options. One is to use the syslog parser (see ESI Syslog parser in the docs). It has the ability to blacklist based on MAC, as long as you can format a 'syslog' message to send to the controller - not any more work than setting up an XML message. This is the only option in this post that would be considered to be 'supported'.

 

The second, which is a bit more advanced, is to use a libCURL based script to authenticate to the same interface that the controller webUI uses and inject the CLI command as the webUI would.

 

The third, which is not recommended for live systems, is to interact with the CLI over ssh. There are various reasons why that is not as good an idea as the above two, so I would focus on one of them instead.

 

hth.

 

Contributor I

Re: Controller XML-API Blacklist User

Can you speak more to the ESI option? I read through the docs, but I'm not a controller guy - I'm more on the Clearpass/scripting side of things.

Frequent Contributor I

Re: Controller XML-API Blacklist User

Apologies for the delay, was out of office. The syslog parser will take a message like

2017-09-10  something user=xyz mac=00:11:22:33:44:55 blah

 

where the mac can be matched using something like

mac=(\S+)

 

then you can write an ESI parser rule which does

match mac "mac=(\S+)" set blacklist

 

This is a fairly simplified and incomplete example; it of course relies on the fact that you have some device able to generate the actual message (in a format you desire).
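
A sender for the kind of message described in the post above, as an added example that is not part of the original thread or Aruba's code. The tag `blacklist-feed`, the PRI header, UDP port 514 and the field layout are assumptions; only the `mac=(\S+)` pattern comes from the post.

```python
import re
import socket
from datetime import datetime, timezone

# Pattern quoted in the post; used here to check what a parser rule would extract.
PARSER_RE = re.compile(r"mac=(\S+)")

def normalize_mac(raw):
    """Return the MAC lower-case and colon-separated, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_message(mac, user, when=None, facility=16, severity=5):
    """Build one syslog line carrying exactly one mac= token."""
    # The rule matches the first 'mac=' in the line, so other fields must not
    # be able to carry whitespace or '=' that would introduce a second token.
    if not re.fullmatch(r"[A-Za-z0-9._@-]+", user):
        raise ValueError(f"unsafe user field: {user!r}")
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity  # local0.notice = 133 (assumed values)
    # 'blacklist-feed' is a hypothetical tag; the layout is an assumption.
    return f"<{pri}>{when:%Y-%m-%d} blacklist-feed user={user} mac={normalize_mac(mac)}"

def extracted_mac(message):
    """Return what the post's pattern would capture from the message."""
    m = PARSER_RE.search(message)
    return m.group(1) if m else None

def send(message, controller, port=514):
    """Send the line over UDP; controller address and port are assumptions."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("ascii"), (controller, port))

if __name__ == "__main__":
    # Constructed sample values; nothing is sent here.
    msg = build_message("00-11-22-33-44-55", "xyz")
    print(msg, "->", extracted_mac(msg))
```

Because a matched MAC ends up blacklisted, the controller should accept these messages only from the host that generates them.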

 

 

 
