Security

last person joined: 11 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Using REST API to do a CoA?

Jump to Best Answer
  • 1.  Using REST API to do a CoA?

    Posted Oct 26, 2017 04:46 AM

    The REST API seems easy enough to get working (with the Clearpass REST APIs technote that is) but where the old API was pretty straightforward to do a CoA (basically a single 'command' referencing the MAC address and the COA enforcement profile) this isn't as clear with the new /api-docs interface.

     

    Has anyone done a CoA yet with the REST API?

    Or should I save myself the trouble and just use the old way? Any reasons to not use the old way?



  • 2.  RE: Using REST API to do a CoA?

    Posted Oct 26, 2017 06:10 AM

    I was able to do it by:

    Find the ActiveSession for the MAC address in question (/api/session/)

    Then use ActiveSessionDisconnect (/api/session/<sessionID>/disconnect)

     

    Hope this helps point you in the right direction.



  • 3.  RE: Using REST API to do a CoA?

    Posted Oct 26, 2017 08:21 AM

    @wifidownunder wrote:

    I was able to do it by:

    Find the ActiveSession for the MAC address in question (/api/session/)

    Then use ActiveSessionDisconnect (/api/session/<sessionID>/disconnect)

     

    Hope this helps point you in the right direction.


     

    Thanks. I found that too, but can't get it to work. Guess I was also hoping for something a little more streamlined like the old API.

     

    The old API I have working by pushing a CoA with a mac-address and the new role in one API call.

     

    With the new API I have to...

    - look up the sessionid for a mac -address (among a list of all his sessionids')

    - push a reauth profile that changrs the roll of the active session

     

    My problems with this:

    - looking up the session I can't seem to filter on {"acctstoptime": null} to get only the active sessionid. I get a "detail": "Parameter validation failed" 

    - when I try a simple /session/{id}/disconnect, I get a 400 Bad Request error:

     

    {
      "result": {
        "error": 1,
        "message": "{\"content\": {\"cnc_actions\": [{\"status_message\": \"Query - No MAC address record found\", \"id\": 1}]}, \"id\": \"R00000026-01-59f1ade9\", \"name\": \"cnc_response\"}"
      },
      "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
      "title": "Bad Request",
      "status": 400,
      "detail": "Error disconnecting session for user 002682d2427e. Please check ClearPass Policy Manager > Monitoring > Live Monitoring > Access Tracker for more details."
    }

    - when I try to request the possible Coa

     

     

    {
      "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
      "title": "Bad Request",
      "status": 400,
      "detail": "No applicable CoA templates found"
    }

    - when I try to push [Aruba Terminate Session] as the reauthorize_profile, I also get a 400 Bad Request

     

     

     

    {
      "result": {
        "error": 1,
        "message": "Session reauth failed (0). Please check ClearPass Policy Manager > Monitoring > Live Monitoring > Access Tracker for more details"
      },
      "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
      "title": "Bad Request",
      "status": 400,
      "detail": "Error reauthorizing session for user 002682d2427e. Please check ClearPass Policy Manager > Monitoring > Live Monitoring > Access Tracker for more details."
    }

     

    You will understand I'm starting to lean towards giving up on the REST API and simply using the good old stuff :)



  • 4.  RE: Using REST API to do a CoA?

    Posted Oct 26, 2017 08:41 AM
    I suggest you open a TAC case , I been having issues getting API CoA to work.

    I didn’t get a chance to open a case.

    Get Outlook for iOS


  • 5.  RE: Using REST API to do a CoA?
    Best Answer

    Posted Oct 26, 2017 10:55 AM

    Got it to work with some help fom Tim Cappalli. Thanks Tim!

    Works as explained by wifidownunder. Here's some more detail.

     

    STEP 1

    First find the active session

     ActiveSession 

    GET /session

    filter for the active session of a certain mac address:

     

    {"mac_address": "002682d2427e","acctstoptime": {"$exists":false}}

     This gives you the sessionid of the active session for said mac address.

     

    STEP 2

    Use this sessionid to

    - either terminate the session:

     

     ActiveSessionDisconnect

    POST /session/{id}/disconnect

    body:

     

    {
      "confirm_disconnect": true
    }

     

     - or find available coa profiles (if not the correct response here, that indicates : is feedback for the back-end something is wrong)

    ActiveSessionReauthorize

    GET /session/{id}/reauthorize

     

    STEP 3

    push a new user-role:

    ActiveSessionReauthorize

    POST /session/{id}/reauthorize

    body:

    {
      "confirm_reauthorize": true,
      "reauthorize_profile": "Aruba CoA user-role authenticated"
    }

     

    My issue with "detail": "No applicable CoA templates found" was because for unknow reasons tha csession didn't allow CoA. kicking the client of and having it reconnect resolved the issue.

    Step 2 makes sure that someone in the backend knows something went wrong.. pretty important, so don't skip on it.

     

    And if you are wondering (like me) how the heck you are supposed to figure out the {"$exists":false} for example.

    Try clicking on "More about JSON filter expressions", and you'll get the following.

    A filter is specified as a JSON object, where the properties of the object specify the type of query to be performed.
    
    Description	JSON Filter Syntax
    No filter, matches everything	{}
    Field is equal to "value"	{"fieldName":"value"}
    {"fieldName":{"$eq":"value"}}
    Field is one of a list of values	{"fieldName":["value1", "value2"]}
    {"fieldName":{"$in":["value1", "value2"]}}
    Field is not one of a list of values	{"fieldName":{"$nin":["value1", "value2"]}}
    Field contains a substring "value"	{"fieldName":{"$contains":"value"}}
    Field is not equal to "value"	{"fieldName":{"$ne":"value"}}
    Field is greater than "value"	{"fieldName":{"$gt":"value"}}
    Field is greater than or equal to "value"	{"fieldName":{"$gte":"value"}}
    Field is less than "value"	{"fieldName":{"$lt":"value"}}
    Field is less than or equal to "value"	{"fieldName":{"$lte":"value"}}
    Field matches a regular expression (case-sensitive)	{"fieldName":{"$regex":"regex"}}
    Field matches a regular expression (case-insensitive)	{"fieldName":{"$regex":"regex", "$options":"i"}}
    Field exists (does not contain a null value)	{"fieldName":{"$exists":true}}
    Field is NULL	{"fieldName":{"$exists":false}}
    Combining filter expressions with AND	{"$and":[ filter1, filter2, ... ]}
    Combining filter expressions with OR	{"$or":[ filter1, filter2, ... ]}
    Inverting a filter expression	{"$not":{ filter }}
    Field is greater than or equal to 2 and less than 5	{"fieldName":{"$gte":2, "$lt":5}}
    {"$and":[ {"fieldName":{"$gte":2}}, {"fieldName":{"$lt":5}} ]}