Add blacklist user in controller from Clearpass


This article is to provide brief overview on adding a client to STM blacklist in Aruba Controller from Clearpass using API request. In a captive portal scenario if the requirement is to prevent client from connecting back to the SSID and performing authentication, client has to be added to STM blacklist on the controller. This will prevent the user from connecting back to the SSID for a specific time frame.  

Key Note:

  • CLI based or 'Aruba downloadable ACL' enforcement from Clearpass to add blacklist client will not work with Aruba controllers. CLI based enforcement are specific for Meru captive portal senario. 
  • Aruba controller mandates 'Client IP address' to add to blacklist clients, hence Clearpass should have 'IETF:Framed-IP-Address' in the radius request. 
  • Block time are controlled based on the Virtual AP profile settings on the controller (default 3600 sec). 



If a user needs to be added as a blacklist client in the Aruba mobility controller based on different enforcement Policy (conditions), Clearpass has to send an HTTP based post in XML format to add a client mac address to its STM blacklist repository. Post has to be done to a specific controller where the client is connected to.

API calls for Aruba controller user management are explained under: External User Management using XML-API.


Based on different conditions (enforcement policies), below are the steps to configure Clearpass to send the API post to controller for adding a user to blacklist. 


Steps to be configured on Clearpass: 

  1. Add Controller IP as an Endpoint Context Servers (Under Administration > External Servers).

a. Click on 'Add' button on the top right to add a new controller. 

b. Select the 'Server Type' as 'Generic HTTP'. 

c. Provide the controller IP in 'Server Name'. 

d. URL should automatically populated with the controller IP with HTTPS. 

e. Provide the user credentials for Admin access on the controller. 

  1. Add Context server Action (under Administration > Dictionary)

a. Click on 'Add' button and select the 'Server Type' as 'Generic HTTP' under Action tab. 

b. Select Server Name with the appropriate controller IP. 

c. Provide Name for this action and select the method as 'POST'.

d. Set URL option, provide the post URL as '/auth/command.xml'.

e. Under 'Content' tab, select the 'Content-Type' as XML and provide the XML fields as shown below:  

  1. Enforcement Policy need to be configured to apply this post (Under Configuration > Enforcement > Profiles). 

a. Click on Add button and select the template as 'HTTP Based Enforcement''. 

b. Provide name for enforcement. 

c. Under Attributes TAB, select the 'Target Server' as the controller IP and select the 'Action' with created Context server Action. 

d. Save the settings. 


  1. Design the enforcement Policy based on the requirement and apply the appropriate enforcement . 


Controller side configuration: 

  1. Add XML API Servers on the controller (under Configuration > Security > Authentication > Servers).

a. Add the IP address of Clearpass (MGMT or DATA depending on the routes on Clearpass). 

b. Click on the newly added server and provide KEY (the same one entered on the XML field as 'key' attribute). 

c. Apply and save the settings. 

  1. Add the API servers to the Captive portal AAA profile (Under Configuration > Security > Authentication >  Profiles)


Refer controller API configuration External User Management using XML-API for additional details on the controller configuration if required.



From Controller:

  • To verify whether the client is added to the blacklist: 

  • To check the external captive portal authentication statistics use the 'show aaa xml-api statistics' command. This command displays the number of times an authentication command was executed per client. The command also displays the number of times an authentication event occurred and the number of new authentication events that occurred since the last status check.
(host) # show aaa xml-api statistics
ECP Statistics
---------- ----------
user_authenticate 1 (0)
user_add 1 (0)
user_delete 1 (0)
user_blacklist 2 (0)
unknown user 2 (0)
unknown role 0 (0)
unknown external agent 0 (0)
authentication failed 0 (0)
invalid command 0 (0)
invalid message authentication method 0 (0)
invalid message digest 0 (0)
Packets received from unknown clients : 0 (0)
Packets received with unknown request : 0 (0)
Requests Received/Success/Failed : 5/3/2 (0/0/0)

From Clearpass: 

  • Verify whether the correct enforcement is applied. 

  • To test whether the post is able to get the required IP address, verify that 'Framed-IP-Address' is received in the Radius request. 

  • If Asyn-netd service is kept in DEBUG, the below is the expected logs: 
2016-09-27 09:08:14,569 DEBUG  root             pactrlhandler Read request data = {"content":[{"attributes":null,"enf_profile_name":"Blacklist User","enf_profile_type":"HTTP","params":[{"name":"method","value":"POST"},{"name":"action","value":"Add Blacklist client"},{"name":"url","value":"/auth/command.xml"},{"name":"content_type","value":"XML"},{"name":"content","value":"xml=<aruba command=\"user_blacklist\">\n<ipaddr></ipaddr>\n<key>whopee</key>\n<authentication>cleartext</authentication>\n<version>1.0</version>\n</aruba>"},{"name":"disable_basic_auth","value":""},{"name":"headers","value":"null\n"},{"name":"server","value":""},{"name":"base_url","value":""},{"name":"username","value":"admin"},{"name":"password","value":"u72Z3e/pGDg1Oisx5lzBjg=="},{"name":"bypass_proxy","value":""},{"name":"validate_server","value":""}]}],"id":"R00000021-02-57e9e9a6","mac_address":"3480b3d4e2f7","name":..."}
2016-09-27 09:08:14,570 DEBUG  root             pactrlhandler PACtrlHandler::handle_genericenfrequest
2016-09-27 09:08:14,570 ERROR  root             pactrlhandler Some mandatory fields are absent in the request
2016-09-27 09:08:14,570 DEBUG  root             pactrlhandler PACtrlHandler::_check_generic_enf_profile_type
2016-09-27 09:08:14,570 DEBUG  root             pactrlhandler PACtrlHandler::_handle_generic_enf_profile
2016-09-27 09:08:14,570 DEBUG  root             pactrlhandler PACtrlHandler::handle_generic_enforcement
2016-09-27 09:08:14,571 DEBUG  root             pactrlhandler Processing generic enforcement=[{'attributes': None, 'enf_profile_type': 'HTTP', 'params': [{'name': 'method', 'value': 'POST'}, {'name': 'action', 'value': 'Add Blacklist client'}, {'name': 'url', 'value': '/auth/command.xml'}, {'name': 'content_type', 'value': 'XML'}, {'name': 'content', 'value': 'xml=<aruba command="user_blacklist">\n<ipaddr></ipaddr>\n<key>whopee</key>\n<authentication>cleartext</authentication>\n<version>1.0</version>\n</aruba>'}, {'name': 'disable_basic_auth', 'value': ''}, {'name': 'headers', 'value': 'null\n'}, {'name': 'server', 'value': ''}, {'name': 'base_url', 'value': ''}, {'name': 'username', 'value': 'admin'}, {'name': 'password', 'value': 'u72Z3e/pGDg1Oisx5lzBjg=='}, {'name': 'bypass_proxy', 'value': ''}, {'name': 'validate_server', 'value': ''}], 'enf_profile_name': 'Blacklist User'}] for mac_address=3480b3d4e2f7
2016-09-27 09:08:14,571 DEBUG  root             pactrlreqprocessor Adding the task=('GenericEnforcement', <function start_response at 0x2d71a28>, {'enf_profile_type': 'HTTP', 'session_id': 'R00000021-02-57e9e9a6', 'params': [{'name': 'method', 'value': 'POST'}, {'name': 'action', 'value': 'Add Blacklist client'}, {'name': 'url', 'value': '/auth/command.xml'}, {'name': 'content_type', 'value': 'XML'}, {'name': 'content', 'value': 'xml=<aruba command="user_blacklist">\n<ipaddr></ipaddr>\n<key>whopee</key>\n<authentication>cleartext</authentication>\n<version>1.0</version>\n</aruba>'}, {'name': 'disable_basic_auth', 'value': ''}, {'name': 'headers', 'value': 'null\n'}, {'name': 'server', 'value': ''}, {'name': 'base_url', 'value': ''}, {'name': 'username', 'value': 'admin'}, {'name': 'password', 'value': 'u72Z3e/pGDg1Oisx5lzBjg=='}, {'name': 'bypass_proxy', 'value': ''}, {'name': 'validate_server', 'value': ''}], 'mac_address': '3480b3d4e2f7', 'attributes': None, 'enf_profile_name': 'Blacklist User'})
2016-09-27 09:08:14,571 DEBUG  root             pactrlhandler Sending response to the caller
2016-09-27 09:08:14,571 DEBUG  root             pactrlservice (15067) - - [27/Sep/2016 09:08:14] "POST /async_netd/pactrl/genericenfrequest HTTP/1.1" 200 129 0.001989
2016-09-27 09:08:16,573 DEBUG  root             pactrlreqprocessor Task len=1
2016-09-27 09:08:16,573 DEBUG  root             pactrlreqprocessor PACtrlGenericEnforcementHandler::_handle_generic_enforcement
2016-09-27 09:08:16,574 DEBUG  root             pactrlreqprocessor generic_enforcement_request=('GenericEnforcement', <function start_response at 0x2d71a28>, {'enf_profile_type': 'HTTP', 'session_id': 'R00000021-02-57e9e9a6', 'params': [{'name': 'method', 'value': 'POST'}, {'name': 'action', 'value': 'Add Blacklist client'}, {'name': 'url', 'value': '/auth/command.xml'}, {'name': 'content_type', 'value': 'XML'}, {'name': 'content', 'value': 'xml=<aruba command="user_blacklist">\n<ipaddr></ipaddr>\n<key>whopee</key>\n<authentication>cleartext</authentication>\n<version>1.0</version>\n</aruba>'}, {'name': 'disable_basic_auth', 'value': ''}, {'name': 'headers', 'value': 'null\n'}, {'name': 'server', 'value': ''}, {'name': 'base_url', 'value': ''}, {'name': 'username', 'value': 'admin'}, {'name': 'password', 'value': 'u72Z3e/pGDg1Oisx5lzBjg=='}, {'name': 'bypass_proxy', 'value': ''}, {'name': 'validate_server', 'value': ''}], 'mac_address': '3480b3d4e2f7', 'attributes': None, 'enf_profile_name': 'Blacklist User'})|entity=GenericEnforcement|message={'enf_profile_type': 'HTTP', 'session_id': 'R00000021-02-57e9e9a6', 'params': [{'name': 'method', 'value': 'POST'}, {'name': 'action', 'value': 'Add Blacklist client'}, {'name': 'url', 'value': '/auth/command.xml'}, {'name': 'content_type', 'value': 'XML'}, {'name': 'content', 'value': 'xml=<aruba command="user_blacklist">\n<ipaddr></ipaddr>\n<key>whopee</key>\n<authentication>cleartext</authentication>\n<version>1.0</version>\n</aruba>'}, {'name': 'disable_basic_auth', 'value': ''}, {'name': 'headers', 'value': 'null\n'}, {'name': 'server', 'value': ''}, {'name': 'base_url', 'value': ''}, {'name': 'username', 'value': 'admin'}, {'name': 'password', 'value': 'u72Z3e/pGDg1Oisx5lzBjg=='}, {'name': 'bypass_proxy', 'value': ''}, {'name': 'validate_server', 'value': ''}], 'mac_address': '3480b3d4e2f7', 'attributes': None, 'enf_profile_name': 'Blacklist User'}
2016-09-27 09:08:16,574 DEBUG  root             genericenforcement Found pattern_list=[]
2016-09-27 09:08:16,574 DEBUG  root             genericenforcement Found pattern_list=[] in action_full_url
2016-09-27 09:08:16,574 DEBUG  root             genericenforcement Name=Blacklist User|MAC Address=3480b3d4e2f7|Action=Add Blacklist client|Action URL=/auth/command.xml|Method=POST|Content Type=XML|Content=xml=<aruba command="user_blacklist">
</aruba>|Server=|Base URL=|Username=admin|Password=*****|Full URL=|Raw header=null
|Parsed header=None|Use secure connection=True|AttributeMap={}
2016-09-27 09:08:16,592 DEBUG  root             genericenforcement Request header={}
2016-09-27 09:08:16,593 DEBUG  root             pactrlreqprocessor Created GenericEnforcement instance for mac_address=3480b3d4e2f7
2016-09-27 09:08:16,593 DEBUG  root             genericenforcementmanager Queue depth=0 for ge_handler=0
2016-09-27 09:08:16,593 DEBUG  root             genericenforcementmanager Adding request=<genericenforcement.GenericEnforcement instance at 0x2cd7ef0> to ge_handler=0
2016-09-27 09:08:16,593 DEBUG  root             genericenforcementhandler Done signalling process_request for generic enforcement
2016-09-27 09:08:16,593 DEBUG  root             http2util Sending data=xml=<aruba command="user_blacklist">
2016-09-27 09:08:16,619 DEBUG  root             http2util Received response=<aruba>
|status={'status': '200', 'content-length': '56', 'server': 'Apache', 'x-ua-compatible': 'IE=edge;IE=11;IE=10;IE=9', 'date': 'Tue, 27 Sep 2016 09:12:24 GMT', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'text/xml'}



Version history
Revision #:
2 of 2
Last update:
‎10-18-2016 01:25 PM
Updated by:
Labels (2)