Wireless Access

I'm getting started with Airwave API and I would like to manage RAP users via the Airwave API.

I'm able to get a valid auth token by using curl and visiting /LOGIN and I can get stats by visiting /amp_stats.xml as well as ap_list.xml...

Successfully log in and get a token:

curl -k -c ./cjar -d "credential_0=USERNAME" -d "credential_1=PASSWORD" -d "destination=/" -d "login=Log In" https://airwave-hostname/LOGIN

Successfully query stats:

curl -vvvv -k -b ./cjar "https://airwave-hostname/amp_stats.xml 2>/dev/null

But user-related requests (shown below) are all met with a 403 error, which is most confusing because I can query stats from the above stats URL before and after getting the 403, which suggests I have a valid login token. It's as if there is a separate authentication required for the user operations... is there?

Fail to get all users - response: "403 Session expired; please log in again":

curl -vvvv -k -b ./cjar -vikd 'xml=<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?> <guest_user_api:get_all version="1"></guest_user_api:get_all>' -H "https://airwave-hostname/guest_user_api"

Fail to look up a given user - response: "403 Session expired; please log in again":

curl -vvvv -k -b ./cjar -vikd 'xml=<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?><guest_user_api:get version="1" xmlns:guest_user_api="http://www.airwave.com"><username>A_VALID_USERNAME</username></guest_user_api:get>' https://airwave-host/guest_user_api

What am I missing?

Thanks

Enable/disable of individual RAP units

In an environment with many RAPs, and many controllers... I'm assuming Airwave is the one-stop-shop for doing this sort of management.

arubatriangle do you have ClearPass?

Clearpass is not used in this environment - we are managing users in Radius. Does that answer your question?

Tying this back to my original question, are you thinking there could be an underlying dependency on Clearpass?

Okay.  I thought you wanted to manage the remote access points that users connect to in radius.  I thought you wanted to possibly disable the remote access points in general.  ClearPass could be used as a whitelist for remote access points and there is an API where you could disable them there.  That is what I thought you were talking about.

You are looking to disable the users that connect to those access points?  Is that typically after you have already disabled their accounts in AD, or are you looking to do something different? 

I actually want to target the device itself, and disable it (turn off radio, turn off ports, render it unusable by anybody on premasis but still centrally manageable).

I have opened support case #1892152.

Thank you to the helpful support staff.

As it turns out, I was missing the X-BISCOTTI header which gets set during /LOGIN and must be carried through to all requests made using that authorization.

Sample:

curl -k -D ./hjar -c ./cjar -d "credential_0=USERNAME" -d "credential_1=PASSWORD" -d "destination=/" -d "login=Log In" https://$AIRWAVE_HOST/LOGIN

if [ "$BISCOTTI_HEADER" = "" ] ; then
        BISCOTTI_HEADER="$(grep X-BISCOTTI ./hjar)"
fi

curl -k -b ./cjar -k --header "$BISCOTTI_HEADER" "https://$AIRWAVE_HOST/ap_list.xml" > ./ap_list.xml