Hi,
I really like the API aspect of ClearPass and I try to find use cases to use its full potential in day-to-day operations.
I find there are quite a lot of Python scripts or raw cURL, but I never found clear ways to transpose these into human-usable interfaces.
I've put quite a lot of effort into being able to use ClearPass APIs with simple PHP web interfaces. Basically, the APIs are posting JSON data using PHP cURL.
I have 2 APIs that I created and wanted to share.
- The self extension API.
The idea is to offer the guest users the possibility to self-extend their account expiry without any sponsorship.
- You simply host the API on an Apache server and when you send an email to your guests to advise them their account is about to expire, you put a link at the bottom of the email, pointing to the API web page. The guest then enters their credentials through pure PHP RADIUS posted to the CPPM publisher to validate the account is valid and, if yes, it adds 90 days to the expiry.
- This API uses Pure PHP RADIUS that I embedded in the whole thing. No extra package needed or else :)
I created a service with the NAS IP address matching my laptop's IP as I was sending requests to ClearPass from it. It's also important to add it as a device in Cpass.
The same can be used to basically make a weblogin page using RADIUS auth to a server/webpage of your choice !
- The guest account creation API.
- The reason for this one is that sometimes you might want to have a small web interface on an iPad at the security gate with a basic GUI that lets visitors create their own guest account without having to put a self-registration portal on the guest side or to put the iPad directly browsed into the ClearPass account creation page logged in with an operator account.

Another interesting challenge that I had, which in my opinion is crucial to any API, was to automate the OAuth2 token generation and to re-inject it automatically in following cURL requests done by the API.
I attached the 2 APIs and commented the PHP files. The important part is to edit line 434 of the radius.class.php file for the 1st API with your ClearPass server info.
More Info : https://github.com/multiOTP/radius-class-php
I did my dev using PHP 5 and I recommend doing this in a lab environment first ! I also take for granted that the people experimenting with it have basic API/PHP/cURL knowledge :)
Also, I'm a network guy, not a programmer ! I know the code is far from perfect ^_^.
At least it's working well and gets the job done. I'm also bypassing SSL verify features with cURL in my case to make it simpler using the following :
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, false);
I also highly recommend this guide to learn the basics of setting up ClearPass for APIs : ClearPass REST APIs.pdf - you can get it from the support.arubanetworks.com website
Spin up that Apache dev server and start having fun !!
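
Added example, not part of the original post or its attached files: the OAuth2 token step and the token re-injection described above, written with cURL certificate and hostname verification left on instead of the two options shown in the post. The hostname, the CA file path and the /api/oauth client-credentials request with its field names are assumptions to check against your own ClearPass API client setup.

```php
<?php
const CPPM_HOST    = 'clearpass.example.com';           // placeholder FQDN (assumption)
const CPPM_CA_FILE = '/etc/ssl/certs/clearpass-ca.pem'; // placeholder CA bundle (assumption)
// POST JSON to the publisher with certificate and hostname verification left on.
function cppm_post($path, array $payload, $token = null)
{
    $headers = array('Content-Type: application/json', 'Accept: application/json');
    if ($token !== null) {
        $headers[] = 'Authorization: Bearer ' . $token; // re-inject the OAuth2 token
    }
    $c = curl_init('https://' . CPPM_HOST . $path);
    curl_setopt_array($c, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,         // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,            // certificate name must match CPPM_HOST
        CURLOPT_CAINFO         => CPPM_CA_FILE, // trust only the CA that issued the CPPM cert
    ));
    $body  = curl_exec($c);
    $error = curl_error($c);
    $code  = curl_getinfo($c, CURLINFO_HTTP_CODE);
    curl_close($c);
    if ($body === false) {
        throw new RuntimeException('TLS or transport failure: ' . $error);
    }
    $json = json_decode($body, true);
    if ($code >= 400 || !is_array($json)) {
        throw new RuntimeException('ClearPass API error, HTTP ' . $code);
    }
    return $json;
}

// Get a token once and reuse it for later calls in the same PHP request.
// Endpoint path and field names are assumptions; confirm them for your API client.
function cppm_token($clientId, $clientSecret)
{
    static $cache = null;
    if ($cache === null || time() >= $cache['expires_at']) {
        $r = cppm_post('/api/oauth', array('grant_type' => 'client_credentials',
            'client_id' => $clientId, 'client_secret' => $clientSecret));
        if (!isset($r['access_token'], $r['expires_in'])) {
            throw new RuntimeException('Token response missing expected fields');
        }
        $cache = array('token' => $r['access_token'],
            'expires_at' => time() + (int) $r['expires_in'] - 30); // refresh 30 s early
    }
    return $cache['token'];
}
```

Pass the result of cppm_token() as the third argument of cppm_post() for each later request; a certificate problem then surfaces as an exception rather than being accepted. Load the client secret from the environment or a file outside the web root instead of writing it into a PHP file that Apache serves.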