  • 1.  ClearPass API Call - DynamicAuthorization:SessionAction

    Posted Oct 15, 2020 02:42 AM

    I'm currently struggling to get the new 'DynamicAuthorization:SessionAction' API call working for me. I would like to pass a client MAC to the API to bounce the given MAC on its currently connected ArubaOS switch port.

     

    In the ClearPass API explorer and 6.9.2 release notes I found the following:

     

    The following new features are introduced in ClearPass Policy Manager APIs in the 6.9.2 release:
    
    *	A new SessionAction API adds support for performing disconnect or reauthorize actions on active sessions. It includes synchronous or asynchronous action, and enhanced filters for flexibility and improved user experience. The SessionAction API directly handles both disconnect and change of authorization (CoA) actions for endpoints by either MAC address, username, or Framed-IP-Address. This API is available at Guest > Administration > API Explorer > DynamicAuthorization > SessionAction. (CP‑21159, CP‑38971, CP‑31127, CP‑38972)

     


    Source: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.9.2/Content/WhatsNew/NewFeatures_APIs.htm

     

    I'm currently running 6.9.2 on an 8-node cluster and when trying this API call from the API explorer:

     

     

    POST /session-action/coa/mac/{mac_address}
    
    {
    "enforcement_profile": ["[ArubaOS Switching - Bounce Switch Port]"]
    }
    
    https://X.X.X.X:443/api/session-action/coa/mac/1234567890ab?async=false

     

     it results in:

     

    Response Body:
    {
      "action_id": "async_action_1602743463404",
      "status": "failed",
      "count": 1,
      "count_success": 0,
      "count_failed": 0,
      "count_queue": 0,
      "_links": {
        "self": {
          "href": "https://X.X.X.X/api/session-action/coa%2Fmac%2F0123456789ab"
        }
      }
    }

     

    and no COA is triggered. A COA triggered from the Access Tracker for the given client just works perfectly (MAC is obfuscated).

     

    Same when using this one:

     

    POST /session-action/disconnect/mac/{mac_address}

     

     

    Is 'Post-Authv2' required for the new API calls? Big thanks in advance.

     

     



  • 2.  RE: ClearPass API Call - DynamicAuthorization:SessionAction
    Best Answer

    Posted Oct 21, 2020 06:18 AM

    Ok, some update here. It turned out that the underlying problem was caused by database issues with the 'insightdb'. This issue was also related to the following error message in ClearPass Guest 'Active Sessions':

     

    Could not connect to X.X.X.X (database name insightdb): Connection failed (server down or bad credentials?)

     

    After some troubleshooting, TAC found out that the 'appexternal' db user didn't match in the cluster settings with the account configured in "Authentication Sources - [Insight Repository]".

     

    So this issue was resolved by:

    • Administration > Server Manager > Server Configuration > Cluster Wide-Parameters > Database > Database user "appexternal" password
    • Configuration > Authentication > Sources > [Insight Repository] > Primary > Login Password

    Make sure both passwords match each other. We had to reset them, which didn't have any impact on production. No restart of a was required.

     

    Hope this may help some of you. Big thanks to the TAC!



  • 3.  RE: ClearPass API Call - DynamicAuthorization:SessionAction

    Posted Oct 21, 2020 06:33 AM

    Now I'm able to disconnect the client and reauthenticate by using the API:

    Request URL

    https://10.1.1.1:443/api/session-action/disconnect/mac/1234567890ab?async=false

    Response Body

    {
      "action_id": "async_action_1603276142399",
      "status": "complete",
      "count": 1,
      "count_success": 1,
      "count_failed": 0,
      "count_queue": 0,
      "_links": {
        "self": {
          "href": "https://10.1.1.1/api/session-action/disconnect%2Fmac%1234567890ab"
        }
      }
    }
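
An added example, not part of the original posts and not Aruba's own code: a small Python client that builds the SessionAction request shown in the thread and interprets the response counters, so the all-zero "failed" body from post 1 is reported differently from a per-session failure. The host name, the token placeholder, the bearer-token header and the empty JSON body for `disconnect` are assumptions.

```python
import json
import re
import urllib.request

# Counters copied from the response bodies in posts 1 and 3 of the thread.
FAILED_SAMPLE = {"status": "failed", "count": 1, "count_success": 0,
                 "count_failed": 0, "count_queue": 0}
COMPLETE_SAMPLE = {"status": "complete", "count": 1, "count_success": 1,
                   "count_failed": 0, "count_queue": 0}

def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits, the form used in the thread's URLs."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def build_request(host, action, mac, token, profiles=None):
    """Build the POST for /api/session-action/{action}/mac/{mac}?async=false."""
    if action not in ("coa", "disconnect"):
        raise ValueError("action must be 'coa' or 'disconnect'")
    url = (f"https://{host}/api/session-action/{action}/mac/"
           f"{normalize_mac(mac)}?async=false")
    # Assumption: 'disconnect' accepts an empty JSON object as its body.
    body = {"enforcement_profile": profiles} if profiles else {}
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})  # assumption: OAuth2 bearer token

def classify(resp: dict) -> str:
    """Interpret the counters in a SessionAction response body."""
    total, ok = resp.get("count", 0), resp.get("count_success", 0)
    bad, queued = resp.get("count_failed", 0), resp.get("count_queue", 0)
    if resp.get("status") == "complete" and total > 0 and ok == total:
        return "ok"
    if resp.get("status") == "failed" and ok == 0 and bad == 0 and queued == 0:
        # Pattern from post 1: nothing was attempted. In this thread the cause
        # was the insightdb credential mismatch, not the switch or the profile.
        return "not-attempted"
    return "pending" if queued else "partial-or-failed"

if __name__ == "__main__":
    # Constructed host and token placeholder; the request is built but not sent.
    req = build_request("clearpass.example", "coa", "12:34:56:78:90:AB", "TOKEN",
                        ["[ArubaOS Switching - Bounce Switch Port]"])
    print(req.get_method(), req.full_url)
    print(classify(FAILED_SAMPLE), classify(COMPLETE_SAMPLE))
```

To send the request, pass the object to `urllib.request.urlopen()` and feed the decoded JSON body to `classify()`.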