Hi Carson.
Can't afford that on all endpoints. There are extensions syncing attributes there that will surely be recreated after the next sync cycle. Also, fingerprint data can be a real mess, as it comes from many sources that usually conflict with each other.
Also, this was a nice little problem to again use pyclearpass :-) for something useful.
I also hope that I catch the missing condition in the enforcement policy from where all these wrong data types are introduced. If not, then at least I have a means to mitigate it.
Original Message:
Sent: Aug 14, 2024 11:33 AM
From: chulcher
Subject: Update or remove attribute from endpoint database in Clearpass via REST API
Makes sense. For this case I'd probably be more likely to just delete the endpoint entry entirely rather than mess with attribute cleanup.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Aug 14, 2024 11:27 AM
From: GorazdKikelj
Subject: Update or remove attribute from endpoint database in Clearpass via REST API
Hi Carson.
These wrong value types were pushed to the database via enforcement policy updates. It's strange that you can push a wrong value type, for example free text into a DateTime attribute, over the enforcement profile, but then you can't remove it easily.
The problem I have with the wrong value type is that updates from extensions like Intune, BigFix or maybe others will fail, as the data type is wrong and the update is discarded.
And these attributes should not be there at all, but users are very resourceful at finding ways when trying to connect to networks. And when authorization fails, it still pushes updates to the endpoint, but with wrong data types in some fields.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Aug 14, 2024 10:42 AM
From: chulcher
Subject: Update or remove attribute from endpoint database in Clearpass via REST API
Why wouldn't you use the device repository that is meant for this purpose rather than modifying the attributes that are already handled in policy?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Aug 14, 2024 08:54 AM
From: GorazdKikelj
Subject: Update or remove attribute from endpoint database in Clearpass via REST API
So I was looking for an example of how to remove an attribute from a specific set of endpoints in the Endpoint database. My search didn't produce the desired results.
Looks like this problem has been lurking around for some time, and users do have a need for a solution, like this post from Derek Smith a long time ago.
The most discussed solution was to export and import the Endpoint database. I really don't like this solution if I only need to modify, for example, 2k endpoints in a database containing many 10k endpoints.
I looked over the pyclearpass library that I was already using for other things. Here is a quick and dirty procedure to update or remove attributes in the endpoint database. If you specify a filter expression (thx Alex for pointing me in the right direction about filter format in this post).
But there is also a problem with Clearpass filters. My problem was that the attribute has a wrong type of value and it was a type mismatch in the database. Clearpass will not allow you to put a wrong type of value in a filter expression. It will throw a type mismatch error.
You can very easily search endpoint database with postgresql query like that:
SELECT * FROM public.tips_endpoints_view where attributes->>'MAC-Auth Expiry' like '%ExpireTime%';
I could use the postgresql python module to get endpoints with wrong values. This could even be preferable, as I would not be limited to the 1000 results that the API can return.
I opted not to do that as I only have about 2k endpoints to correct. Maybe in the next version :-) For now I just check if the length of the string returned is more than 19 characters. This means it is longer than a datetime field and hence it is not the correct type of data in a DT field.
Here is the short python script to update or remove attribute(s). Requirements are icecream, pyclearpass, json, datetime
# Author: Gorazd Kikelj
# Date: 2024-08-14
#
from pyclearpass import ClearPassAPILogin, ApiIdentities
import json
from icecream import ic
from datetime import datetime

"""
API Auth parameters for old clearpass server
"""
API_Client_Secret = "xxx"
API_Client_ID = "xxx"
API_ClearPass_Server_URL = "https://xxx:443/api"
API_Grant_Type = "client_credentials"
API_Verify_SSL = False  # False skips TLS certificate validation for the API connection
API_Username = "xxx"


def update_endpoint(conn, endpoint):
    """Update endpoint attributes
    conn: clearpass object
    endpoint: endpoint profile
    """
    # Overwrite the attribute with a correctly typed "YYYY-MM-DD HH:MM:SS" value
    endpoint["attributes"]["MAC-Auth Expiry"] = datetime.now().isoformat(
        sep=" ", timespec="seconds"
    )
    endpoint["attributes"]["Guest Role ID"] = "3"
    new_attributes = endpoint["attributes"]
    resp = ApiIdentities.update_endpoint_by_endpoint_id(
        conn,  # type: ignore
        endpoint_id=f'{endpoint["id"]}',
        body={"attributes": new_attributes},
    )
    ic(resp)
    return


def replace_endpoint(conn, endpoint):
    """Replace endpoint data
    conn: clearpass object
    endpoint: endpoint profile
    """
    # pop() instead of del, so an endpoint that lacks one of the keys
    # does not raise KeyError and stop the whole run
    endpoint.pop("_links", None)
    endpoint["attributes"].pop("MAC-Auth Expiry", None)
    endpoint["attributes"].pop("Guest Role ID", None)
    resp = ApiIdentities.replace_endpoint_by_endpoint_id(
        conn,  # type: ignore
        endpoint_id=f'{endpoint["id"]}',
        body=endpoint,
    )
    ic(resp)
    return


clearpass = ClearPassAPILogin(
    server=API_ClearPass_Server_URL,
    granttype=API_Grant_Type,
    clientsecret=API_Client_Secret,
    clientid=API_Client_ID,
    # username=API_Username,
    # password=API_Password,
    verify_ssl=API_Verify_SSL,
)

# Select every endpoint that carries the attribute, whatever its value type
endpoint_filter = json.dumps({"MAC-Auth Expiry": {"$exists": True}})
endpoints = ApiIdentities.get_endpoint(
    clearpass,
    filter=endpoint_filter,
    offset="0",
    limit="1000",
    calculate_count="true",
    profile_details="true",
)
print(f'Endpoint with MAC-Auth Expiry attribute count {endpoints.get("count")}')
try:
    for endpoint in endpoints.get("_embedded").get("items"):  # type:ignore
        ep = endpoint["attributes"].get("MAC-Auth Expiry")
        print(
            f'id={endpoint["id"]}, mac={endpoint["mac_address"]}, MAC-Auth Expiry={endpoint["attributes"].get("MAC-Auth Expiry")}'
        )
        ic(endpoint)
        try:
            # Longer than "YYYY-MM-DD HH:MM:SS" (19 characters): not a datetime value
            if len(ep) > 19:
                replace_endpoint(conn=clearpass, endpoint=endpoint)
            elif ep.find("2024-08-14") != -1:
                ic(f'Today change of endpoint {endpoint["id"]}')
                replace_endpoint(conn=clearpass, endpoint=endpoint)
        except TypeError:
            pass
except AttributeError as e:
    print(f"Attribute error {e}")
Hope it will be useful for someone.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
------------------------------
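An added example, not part of the original post or of pyclearpass: a stricter replacement for the "longer than 19 characters" check that parses each value against the "YYYY-MM-DD HH:MM:SS" format the script itself writes, so short free-text values are caught as well. It only builds a dry-run plan from endpoint records; the function names and sample endpoints are constructed for illustration, and each resulting body is what would be passed to `replace_endpoint_by_endpoint_id` as in the script above.

```python
from copy import deepcopy
from datetime import datetime

# Assumption: valid DateTime values look like the output of
# datetime.now().isoformat(sep=" ", timespec="seconds") used in the post.
DT_FORMAT = "%Y-%m-%d %H:%M:%S"


def is_valid_datetime(value):
    """True only for a 19-character string that parses as DT_FORMAT."""
    if not isinstance(value, str) or len(value) != 19:
        return False
    try:
        datetime.strptime(value, DT_FORMAT)
    except ValueError:
        return False
    return True


def plan_cleanup(endpoints, dt_attributes):
    """Return (endpoint_id, replacement_body, removed_names) per mistyped endpoint."""
    plan = []
    for endpoint in endpoints:
        attrs = endpoint.get("attributes") or {}
        bad = [n for n in dt_attributes
               if n in attrs and not is_valid_datetime(attrs[n])]
        if not bad:
            continue
        body = deepcopy(endpoint)      # leave the fetched record untouched
        body.pop("_links", None)       # not part of a replace body
        for name in bad:
            del body["attributes"][name]
        plan.append((str(endpoint["id"]), body, bad))
    return plan


# Constructed sample records in the shape the script reads (id, mac_address, attributes).
SAMPLE_ENDPOINTS = [
    {"id": 101, "mac_address": "001122334455", "_links": {},
     "attributes": {"MAC-Auth Expiry": "2024-08-14 11:27:00", "Guest Role ID": "3"}},
    {"id": 102, "mac_address": "001122334456", "_links": {},
     "attributes": {"MAC-Auth Expiry": "ExpireTime in three days (free text)", "Guest Role ID": "3"}},
    {"id": 103, "mac_address": "001122334457", "_links": {},
     "attributes": {"MAC-Auth Expiry": "ExpireTime", "Username": "guest1"}},
    {"id": 104, "mac_address": "001122334458", "_links": {},
     "attributes": {"Username": "guest2"}},
]

if __name__ == "__main__":
    for endpoint_id, body, removed in plan_cleanup(SAMPLE_ENDPOINTS, ["MAC-Auth Expiry"]):
        print(f"would replace endpoint {endpoint_id}, removing {removed}")
```

Endpoint 103 holds a 10-character free-text value, which a length-only check would leave in place.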