
ClearPass Guest API Limitations

  • 1.  ClearPass Guest API Limitations

    Posted Jun 24, 2019 09:06 PM

    I am trying to integrate our ClearPass system with a visitor sign-in system that allows API POST and GET webhooks and am running into a couple of issues.

     

    1. When sending the POST API call to create a guest account, the "expire_time" cannot be populated using the webhook, so I am trying to use the "expire_after" field with a value of 24, but this doesn't seem to change anything and the account is still set to never expire. The only alternative I have found is to use the "expire_postlogin" with a value of "1440", but this only works once the user signs in to our guest Wi-Fi. Is there a way to get the "expire_after" to work?

     

    2. The "password" field has to be used and populated which doesn't allow for a random password to be generated, even though I have configured the settings in Guest Configuration. Is there a way around this?

     

    3. Due to the fact that our visitor sign-in system does not allow for other API methods except POST and GET I cannot reactivate an account that uses the same username (i.e. the visitors email address) because using the POST command I get the error message "The username is already in use". Is there a way to tell ClearPass to re-enable an account if it receives a POST API call?

     

    Any support would be appreciated.

     

    For reference, the current API call I am using is like:

    {
    "do_expire": 4,
    "email": [email],
    "username": [email],
    "enabled": true,
    "role_id": 2,
    "sponsor_name": "WhosOnLocation",
    "password": "1234567890",
    "expire_postlogin": "1440",
    "visitor_name": [name],
    "visitor_phone": [mobile],
    "simultaneous_use": 1,
    "expired_notify_status": 0,
    "auto_send_smtp": 0,
    "auto_send_sms": 0
    }




  • 2.  RE: ClearPass Guest API Limitations

    Posted Jun 25, 2019 12:09 PM

    1) expire_time is an epoch timestamp and is accepted via the REST API

     

    2) There is an API that will generate a random password. This can then be passed in the payload for guest user

     

    3) Correct. This is a RESTful API. Any change to an attribute of an entity must use PATCH.

     

     

    Here is a sample working payload:

     

    {
      "do_expire": 1,
      "email": "test@airheads.community",
      "username": "test@airheadscommunity",
      "enabled": true,
      "expire_time": "1561579442",
      "password": "abc123",
      "role_id": 2,
      "simultaneous_use": 0,
      "visitor_company": "Testing Co",
      "visitor_name": "Just a Test"
    }


  • 3.  RE: ClearPass Guest API Limitations

    Posted Jun 25, 2019 06:23 PM

    Hi cappalli,

     

    Thank you for responding. Unfortunately, my questions weren't answered.

     

    1. I know that the "expire_time" is in epoch/Unix time format. The system I am sending the API POST from cannot send this to the ClearPass system as it cannot do the math of adding 24 hours to the creation time. I am trying to use the "expire_after" variable so ClearPass can automatically populate the "expire_time" field.

     

    2. With the system that is sending the API POST command I cannot run the "random_password" API call to then pass onto the next POST command.

     

    3. Can ClearPass not handle reactivating an account if a POST API call is made using the same username? I have read the "Business Logic for Account Creation" techdoc but nothing in that document works.

    https://www.arubanetworks.com/techdocs/ClearPass/6.8/Guest/Default.htm#Configuration/BusinessLogicForAccountCreation.htm%3FTocPath%3DConfiguration%7CConfiguring%2520Guest%2520Manager%7C_____3



  • 4.  RE: ClearPass Guest API Limitations

    Posted Jun 25, 2019 06:26 PM
    No this is not possible via the API
    Correct. You’d need to find a way to generate a password
    POST is used to create an entity. You can’t create an entity that already exists. This is standard CRUD operations.


    Please also remember that a REST API doesn’t mean it is a webhook consumer.
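
Added example, not code from any poster in this thread or from Aruba: a sketch of the logic a small relay between the sign-in system and ClearPass could apply to cover the three points above (epoch `expire_time` 24 hours out, a per-visitor random password instead of a fixed one, PATCH instead of POST when the username already exists). The relay, the function names, the `existing_usernames` lookup, the lower-casing of the username and both request paths are assumptions to check against your own ClearPass API explorer.

```python
import secrets
import string
import time
from urllib.parse import quote

ALPHABET = string.ascii_letters + string.digits
LIFETIME_SECONDS = 24 * 60 * 60  # the 24-hour lifetime asked for in the thread


def random_password(length=16):
    """Per-visitor password from the OS CSPRNG, replacing a fixed shared value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def plan_request(visitor, existing_usernames, now=None):
    """Return (method, path, body) for one visitor sign-in event.

    Both paths are assumptions; confirm them in your ClearPass API explorer.
    """
    now = int(time.time()) if now is None else int(now)
    username = visitor["email"].strip().lower()  # assumption: one account per email
    changes = {
        "enabled": True,
        "do_expire": 1,  # value used in the working payload in post 2
        "expire_time": str(now + LIFETIME_SECONDS),  # epoch seconds, as in post 2
        "password": random_password(),
    }
    if username in existing_usernames:
        # POST would fail with "The username is already in use";
        # an existing account is changed with PATCH, as post 2 states.
        return "PATCH", "/api/guest/username/" + quote(username, safe=""), changes
    body = {
        "email": username,
        "username": username,
        "role_id": 2,
        "visitor_name": visitor["name"],
        "simultaneous_use": 1,
        **changes,
    }
    return "POST", "/api/guest", body


if __name__ == "__main__":
    # Constructed sample event and account list, not data from the thread.
    event = {"email": "Visitor@example.com", "name": "Sample Visitor"}
    print(plan_request(event, set(), now=1561493042))
    print(plan_request(event, {"visitor@example.com"}, now=1561493042))
```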