05-31-2016 10:18 AM
I'm getting started with Airwave API and I would like to manage RAP users via the Airwave API.
I'm able to get a valid auth token by using curl and visiting /LOGIN and I can get stats by visiting /amp_stats.xml as well as ap_list.xml...
Successfully log in and get a token:
curl -k -c ./cjar -d "credential_0=USERNAME" -d "credential_1=PASSWORD" -d "destination=/" -d "login=Log In" https://airwave-hostname/LOGIN
Successfully query stats:
curl -vvvv -k -b ./cjar "https://airwave-hostname/amp_stats.xml 2>/dev/null
But user-related requests (shown below) are all met with a 403 error, which is most confusing because I can query stats from the above stats URL before and after getting the 403, which suggests I have a valid login token. It's as if there is a separate authentication required for the user operations... is there?
Fail to get all users - response: "403 Session expired; please log in again":
curl -vvvv -k -b ./cjar -vikd 'xml=<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?> <guest_user_api:get_all version="1"></guest_user_api:get_all>' -H "https://airwave-hostname/guest_user_api"
Fail to look up a given user - response: "403 Session expired; please log in again":
curl -vvvv -k -b ./cjar -vikd 'xml=<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?><guest_user_api:get version="1" xmlns:guest_user_api="http://www.airwave.com"><use
rname>A_VALID_USERNAME</username></guest_user_api: get>' https://airwave-host/guest_user_api
What am I missing?
05-31-2016 10:42 AM
Enable/disable of individual RAP units
In an environment with many RAPs, and many controllers... I'm assuming Airwave is the one-stop-shop for doing this sort of management.
06-01-2016 11:37 AM
Clearpass is not used in this environment - we are managing users in Radius. Does that answer your question?
Tying this back to my original question, are you thinking there could be an underlying dependency on Clearpass?
06-01-2016 11:50 AM
Okay. I thought you wanted to manage the remote access points that users connect to in radius. I thought you wanted to possibly disable the remote access points in general. ClearPass could be used as a whitelist for remote access points and there is an API where you could disable them there. That is what I thought you were talking about.
You are looking to disable the users that connect to those access points? Is that typically after you have already disabled their accounts in AD, or are you looking to do something different?
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
06-10-2016 06:10 AM
Thank you to the helpful support staff.
As it turns out, I was missing the X-BISCOTTI header which gets set during /LOGIN and must be carried through to all requests made using that authorization.
curl -k -D ./hjar -c ./cjar -d "credential_0=USERNAME" -d "credential_1=PASSWORD" -d "destination=/" -d "login=Log In" https://$AIRWAVE_HOST/LOGIN if [ "$BISCOTTI_HEADER" = "" ] ; then BISCOTTI_HEADER="$(grep X-BISCOTTI ./hjar)" fi curl -k -b ./cjar -k --header "$BISCOTTI_HEADER" "https://$AIRWAVE_HOST/ap_list.xml" > ./ap_list.xml