View Only
last person joined: 3 days ago 

Expand all | Collapse all

Update registered devices in ClearPass Guest even if expired

This thread has been viewed 16 times
  • 1.  Update registered devices in ClearPass Guest even if expired

    Posted Jun 23, 2022 05:24 AM

    I want to update the sponsor_name of some registered devices in Guest via API, the problem I have is that it won't let me update some devices that are Expired (I think this is the issue) and ideally I would want to do that (assuming these devices are still visible to 'normal' end users when they view their devices). Is there a way to do this?

    After a bit more testing it looks like I'm getting a 422 response for some non-expired devices too, so the device being expired may not be the problem after all :(. Are there any other gotchas that might mean a patch attempt on a device might return a 422?

    Thank you,


  • 2.  RE: Update registered devices in ClearPass Guest even if expired

    Posted Jun 23, 2022 05:58 AM
    Edit - the purpose of the script is to find devices that have sponsor_name <id> and update that to be <id>@<domain>

    The issue I am currently seeing is that if I newly register, say, 3 different devices under my ID, and alter the sponsor_name so that it is missing "@<domain>" then when I run my script it will update one of the devices to add @<domain>, but not the other two - they both return 422. I must be doing something wrong, but I can't work out what - do I need to obtain a new token for every patch operation? At the moment I am just reusing the token I obtain at the start of the script.

    Running the script again doesn't result in any more successful updates, the two new accounts that failed to update first time around still fail.

    There seem to be some devices that, if I edit them through the Guest GUI to remove the doman part of sponsor_name then the script successfully updates them, but other devices just always fail. I'm struggling to see the difference, they are all registered by me.

    This is the function I am trying to run:

    def update_device_byid(bearer_token, field_to_update, new_value, device_id):
      # Accepts a device ID, field to update (eg sponsor_name), and the new value for
      # that field and updates that device in Guest Devices
        token = bearer_token
        field = field_to_update
        new_val = new_value
        dev_id = device_id
        if not token or not field or not new_val or not dev_id:
          raise ValueError('update_devices_byid - a value is missing')
        print(f"{token}, {field}, {new_val}, {dev_id}")
      except ValueError as e:
      payload = {
                 field: new_val,
                 "id": dev_id
      headers = {
        "Accept": "application/json",
        "Authorization": f"Bearer {token}"
      url = f"https://cppm_vrrp_hostname/api/device/{dev_id}"
        response = requests.patch(url, json=payload, headers=headers)
        if response.ok:
          print(f"update_device_byid response for dev_id {dev_id} not ok")
      except Exception as e:

    Do I need to do anything extra like convert the dicts to json? I tried that with the payload but it just returned a 500 code

  • 3.  RE: Update registered devices in ClearPass Guest even if expired

    Posted Jun 23, 2022 06:36 PM
    Ok so after yet more fiddling it turns out that some of the devices I had registered would update fine (and I could make them repeat the update reliably), but other devices would never update. So I ran an update using the API-Explorer and it actually gave me some useful info. It looks like the mpsk field is failing validation, even though I'm not touching that field:

      "validation_messages": {
        "mpsk": {
          "error": "Password does not satisfy complexity requirement: Use one or more digits, and a mix of upper and lower case letters"
      "type": "",
      "title": "Unprocessable Entity",
      "status": 422,
      "detail": "MPSK validation failed"

    So what do I do? In the MPSK config we have:

    But it looks like many devices have passwords without digits so are failing validation when I attempt to update them. I don't understand why validation is even run when I'm not updating that field! Is this a bug? It seems that when devices are created the mpsk can be generated as just letters despite the MPSK method being set as above. Can anyone suggest a way around this please?

  • 4.  RE: Update registered devices in ClearPass Guest even if expired

    Posted Jun 24, 2022 12:12 PM
    Still not solved, but a bit more investigation with an Aruba tech:

    It seems that mpsk is failing validation when using the API, but not when using the ClearPass GUI to edit accounts, even though I have set both to use the Super Admin operator profile.

    I can't find an example of the 'mpsk' field that has validation set on it anywhere in our forms, but I don't know where else to look.

    The Aruba guy set some validation on the mac_edit form which then broke the ClearPass GUI device edit, but his API calls carried on working (he doesn't see this issue when using the API) so it seems like it has to be validation set somewhere, maybe on a form, but I don't know where!