View Only
last person joined: 2 days ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Guest API Limitations

This thread has been viewed 9 times
  • 1.  ClearPass Guest API Limitations

    Posted Jun 24, 2019 09:06 PM

    I am trying to integrate our ClearPass system with a visitor sign-in system that allows API POST and GET webhooks and am running into a couple of issues.


    1. When sending the POST API call to create a guest account, the "expire_time" cannot be populated using the webhook so I am trying to use the "expire_after" field with a value of 24, but this doesn't seem to change anything and the account is still set to never expire. The only alternative I have found is it use the "expire_postlogin" with a value of "1440" but this only works once the user signs-in to our guest Wi-Fi. Is there a way to get the "expire_after" to work?


    2. The "password" field has to be used and populated which doesn't allow for a random password to be generated, even though I have configured the settings in Guest Configuration. Is there a way around this?


    3. Due to the fact that our visitor sign-in system does not allow for other API methods except POST and GET I cannot reactivate an account that uses the same username (i.e. the visitors email address) because using the POST command I get the error message "The username is already in use". Is there a way to tell ClearPass to re-enable an account if it receives a POST API call?


    Any support would be appreciated.


    For reference, the current API call I am using is like:

    "do_expire": 4,
    "email": [email],
    "username": [email],
    "enabled": true,
    "role_id": 2,
    "sponsor_name": "WhosOnLocation",
    "password": "1234567890",
    "expire_postlogin": "1440",
    "visitor_name": [name],
    "visitor_phone": [mobile],
    "simultaneous_use": 1,
    "expired_notify_status": 0,
    "auto_send_smtp": 0,
    "auto_send_sms": 0


  • 2.  RE: ClearPass Guest API Limitations

    Posted Jun 25, 2019 12:09 PM

    1) expire_time is an epoch timestamp and is accepted via the REST API


    2) There is an API that will generate a random password. This can then be passed in the payload for guest user


    3) Correct. This is a RESTful API. Any change to an attribute of an entity must use PATCH.



    Here is a sample working payload:


      "do_expire": 1,
      "email": "",
      "username": "test@airheadscommunity",
      "enabled": true,
      "expire_time": "1561579442",
      "password": "abc123",
      "role_id": 2,
      "simultaneous_use": 0,
      "visitor_company": "Testing Co",
      "visitor_name": "Just a Test"

  • 3.  RE: ClearPass Guest API Limitations

    Posted Jun 25, 2019 06:23 PM

    Hi cappalli,


    Thank you for responding. Unfortunately, my questions weren't answered.


    1. I know that the "expire_time" is in epoch/Unix time format. The system I am sending the API POST from cannot send this to the ClearPass system as it cannot do that math of adding 24 hours to the creation time. I am trying to use the "expire_after" variable so ClearPass can automatically populate the "expire_time" field.


    2. With the system that is sending the API POST command I cannot run the "random_password" API call to then pass onto the next POST command.


    3. Can ClearPass not handle reactivating an account if a POST API call is made using the same username? I have read the "Business Logic for Account Creation" techdoc but nothing in that document works.

  • 4.  RE: ClearPass Guest API Limitations

    Posted Jun 25, 2019 06:26 PM
    No this is not possible via the API
    Correct. You’d need to find a way to generate a password
    POST is used to create an entity. You can’t create an entity that already exists. This is standard CRUD operations.

    Please also remember that a REST API doesn’t mean it is a webhook consumer.