Clearpass API push role mapping

  • 1.  Clearpass API push role mapping

    Posted Jan 18, 2022 08:55 AM
    Hey,

    I'm using the CPPM API in order to push role mapping into ClearPass.
    I've come across 2 issues with the role mappings pushing API:
    1. Pushing multiple rules into the same role mapping only pushes the last rule:
    import json
    import requests

    # BASE_URL (ClearPass host URL) and token (API bearer token) must be set beforehand
    NAME = 'testest'
    DESCRIPTION = 'Test111'
    DEFAULT_ROLE_NAME = '[Guest]'
    RULE_COMBINE_ALGO = 'evaluate-all'

    # One rule with two conditions combined by OR
    rules = [{'match_type': 'OR',
          'role_name': '[Employee]',
          'condition': [{'type': 'Authorization:[Endpoints Repository]',
            'name': 'MAC Vendor',
            'oper': 'EQUALS',
            'value': 'Intel Corporate',
            'value_disp_name': 'Intel Corporate'},
           {'type': 'Authorization:[Endpoints Repository]',
            'name': 'MAC Vendor',
            'oper': 'EQUALS',
            'value': 'HP Inc.',
            'value_disp_name': 'HP Inc.'}]}]

    role_mapping_data = {
        'name': NAME,
        'description': DESCRIPTION,
        'default_role_name': DEFAULT_ROLE_NAME,
        'ruleCombineAlgo': RULE_COMBINE_ALGO,
        'rules': rules
    }

    headers = {'Accept': 'application/json',
               'Content-Type': 'application/json',
               'Authorization': 'Bearer {}'.format(token)}
    # verify=False disables TLS certificate validation for this request
    requests.post(BASE_URL + '/api/role-mapping', headers=headers,
                  data=json.dumps(role_mapping_data), verify=False).json()
    
    This is the result:
    {'id': 3008,
     'name': 'testest',
     'description': 'Test111',
     'default_role_name': '[Guest]',
     'ruleCombineAlgo': 'evaluate-all',
     'rules': [{'match_type': 'OR',
       'role_name': '[Employee]',
       'condition': [{'type': 'Authorization:[Endpoints Repository]',
         'name': 'MAC Vendor',
         'oper': 'EQUALS',
         'value': 'HP Inc.',
         'value_disp_name': 'HP Inc.'}]}],
     '_links': {'self': {'href': 'https://test/api/role-mapping/3008'}}}

    2. I noticed when trying to push attributes that weren't populated yet I get an error, for example - 
    [{'match_type': 'OR',
          'role_name': '[Employee]',
          'condition': [
              {'type': 'Endpoint',
            'name': 'Manufacturer',
            'oper': 'EQUALS',
            'value': 'abcde',
            'value_disp_name': 'abcde'}]}]
    Results in:
    {'validation_messages': ['Invalid Value display name specified'],
     'type': 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
     'title': 'Unprocessable Entity',
     'status': 422,
     'detail': 'Invalid Value display name specified'}


    Please tell me if there's something I'm not doing correctly or if there's another possibility to achieve my goal.

    Thank you in advance,
    Dolev



    ------------------------------
    Dolev Hasid
    ------------------------------


  • 2.  RE: Clearpass API push role mapping

    MVP GURU
    Posted Jan 18, 2022 11:55 AM
    Hi,

    Looks good...

    What do you have to compare if you get an existing role mapping with multiple entries?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: Clearpass API push role mapping

    Posted Jan 19, 2022 02:31 AM
    Hey, Thank you!
    This is the role mapping I get from pulling the one I created on the GUI:
        'id': 3006,
        'name': 'Test',
        'description': 'Test test',
        'default_role_name': '[Guest]',
        'ruleCombineAlgo': 'first-applicable',
        'rules': [{'match_type': 'or',
          'role_name': '[Employee]',
          'condition': [{'type': 'Authorization:[Endpoints Repository]',
            'name': 'MAC Vendor',
            'oper': 'EQUALS',
            'value': 'Intel Corporate',
            'value_disp_name': 'Intel Corporate'},
           {'type': 'Authorization:[Endpoints Repository]',
            'name': 'MAC Vendor',
            'oper': 'EQUALS',
            'value': 'HP Inc.',
            'value_disp_name': 'HP Inc.'}]}]


    ------------------------------
    Dolev Hasid
    ------------------------------



  • 4.  RE: Clearpass API push role mapping

    MVP GURU
    Posted Jan 19, 2022 03:24 AM
    Hi,

    And if you try to push the JSON on CPPM, is it working?




  • 5.  RE: Clearpass API push role mapping

    Posted Jan 19, 2022 03:51 AM
    Hey,
    I think I can only push XML through the GUI. Pushing an XML works. This is what I get when I try to push JSON - 

    Thank you for your help!

    ------------------------------
    Dolev Hasid
    ------------------------------



  • 6.  RE: Clearpass API push role mapping

    MVP GURU
    Posted Jan 19, 2022 04:52 AM
    If you push JSON with your Python script?




  • 7.  RE: Clearpass API push role mapping

    Posted Jan 19, 2022 04:56 AM
    That's exactly what I tried to do in the original topic, and it created only the last condition. Even if I try to push multiple rules with multiple conditions, it takes the last rule and the last condition of this rule.

    ------------------------------
    Dolev Hasid
    ------------------------------
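
Added example (not part of the original thread and not ClearPass code): because the API in this thread returned a success response while storing fewer conditions than were sent, an automation script can compare the submitted role mapping with the one echoed back and refuse to continue if enforcement rules were dropped. The helper names are hypothetical, and the sample data is constructed from the payloads quoted in posts 1 and 3.

```python
EP = "Authorization:[Endpoints Repository]"


def vendor(value):
    """Build a MAC Vendor condition shaped like the ones quoted in the thread."""
    return {"type": EP, "name": "MAC Vendor", "oper": "EQUALS",
            "value": value, "value_disp_name": value}


def cond_key(cond):
    """Identity of a condition: the fields that decide what it matches."""
    return (cond["type"], cond["name"], cond["oper"].upper(), cond["value"])


def rule_index(mapping):
    """Map (role_name, MATCH_TYPE) -> set of condition keys.

    match_type is upper-cased because the GUI-created mapping in the thread
    comes back as 'or' while the pushed one uses 'OR'.
    """
    index = {}
    for rule in mapping.get("rules", []):
        key = (rule["role_name"], rule["match_type"].upper())
        index.setdefault(key, set()).update(
            cond_key(c) for c in rule.get("condition", []))
    return index


def dropped_items(sent, stored):
    """List (role_name, match_type, condition_key) entries missing from `stored`.

    condition_key is None when the whole rule is absent.
    """
    sent_idx, stored_idx = rule_index(sent), rule_index(stored)
    missing = []
    for rule_key, conds in sent_idx.items():
        if rule_key not in stored_idx:
            missing.append((*rule_key, None))
            continue
        for cond in sorted(conds - stored_idx[rule_key]):
            missing.append((*rule_key, cond))
    return sorted(missing, key=repr)


# Constructed sample data mirroring the thread: what was POSTed, what the API
# returned (id 3008), and the GUI-created mapping pulled via the API (id 3006).
BOTH = [vendor("Intel Corporate"), vendor("HP Inc.")]
SENT = {"name": "testest", "rules": [
    {"match_type": "OR", "role_name": "[Employee]", "condition": BOTH}]}
STORED = {"id": 3008, "name": "testest", "rules": [
    {"match_type": "OR", "role_name": "[Employee]", "condition": [vendor("HP Inc.")]}]}
GUI_PULL = {"id": 3006, "name": "Test", "rules": [
    {"match_type": "or", "role_name": "[Employee]", "condition": BOTH}]}
```

In a push script, call `dropped_items(role_mapping_data, response_json)` right after the POST and treat a non-empty result as a failed deployment.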