AAA, NAC, Guest Access & BYOD

Requirement:

This article is to configure Clearpass page with custom script to manually profile an endpoint or list of mac address in Clearpass endpoints repository. Clearpass can profile device using DHCP, SNMP, Onboarding, Onguard etc. In some cases if the device cannot be profiled by any of the profiling methods, we could use this custom script on the Publisher server to manually profile device. This can also add mac address to the endpoint table. 

Note: Using this script, we cannot change the endpoints as 'known'. For this requirement we may have to use the Rest API to update endpoints as 'known'.

Attached script could be created as a web page in Clearpass Guest publisher and administrator shall provide the list of mac address with comma separated values. Once all the profiling details are selected for the MAC address list, click on Post to get the device profiled on the publisher. 

GUI work flow: 

1. Open the created page in Chrome or Firefox browser. 
2. Provide the list of MAC address that needs to be profiled. 
3. Select the Category, Family and Name appropriately (Note: 'Name' field is mandatory to post the data). 
4. Click on 'Post' button and message alert "Please wait for 'Post data'"  will appear. 
5. Accept the alert message and wait for the "Data posted" alert message. 

• Navigate to Clearpass Guest-> Configuration-> Pages-> Web Pages.

• Click on "Create a new web page" link. 

• Provide 'Name' and 'Page Name' as desiredrequired. 
• Copy past the attached script to the HTML section (script should contain ~841 lines) . 
• Modify the script with the admin credentials if different from default  (User with Super Administrator privileged) in line 820. 
  
  ​​​({ajax$.
    type: "POST",
    url: "/async_netd/deviceprofiler/endpoints",
    data: data,
    dataType: "json",
    contentType : "application/json",
    headers: {
      "Authorization": "Basic " + btoa('admin:eTIPS123')
    },

• Click on 'Create Page' to save this page. 

Script is a a simple JSP and Ajax script to convert the HTML import from user to JSON format and post to the profiling module. 

We could verify the JSON post updated in the console when the 'Name' is selected or changed. To verify this data, right click on the page and click on 'Inspect element' and select the 'Console' tab and change the 'Name' to verify the JSON format. The format should look like the example mentioned below: 

Log entries: 

When Asyn-netd service logging is in DEBUG below is the log entry. 

2016-07-27 23:16:56,081 DEBUG  (6637) (6637) accepted ('127.0.0.1', 55350)
2016-07-27 23:16:56,083 DEBUG  (6637) 10.20.xx.xx,127.0.0.1 - - [27/Jul/2016 23:16:56] "POST /async_netd/deviceprofiler/endpoints HTTP/1.1" 200 244 0.000629
2016-07-27 23:16:56,083 DEBUG  Profile update mac:aabbccddeeff ip:None hostname:None fp:{'device': {u'category': u'Access Points', u'name': u'Aruba AP', u'family': u'Aruba'}}
2016-07-27 23:16:56,090 DEBUG  Endpoint with (mac: aabbccddeeff, ip: None) not present in tipslogdb
2016-07-27 23:16:56,090 DEBUG  Endpoint with (mac: aabbccddeeff, ip: None) not present in tipsdb
2016-07-27 23:16:56,091 DEBUG  Endpoint:aabbccddeeff device:<Access Points, Aruba, Aruba AP> no profiling required
2016-07-27 23:16:56,091 DEBUG  Profile change for mac:aabbccddeeff old: None, new: <Access Points, Aruba, Aruba AP>
2016-07-27 23:16:56,091 DEBUG  New endpoint: {mac: aabbccddeeff, ip: None, static_ip:False, hostname: None, mac_vendor: None, device: <Access Points, Aruba, Aruba AP>, other: None, conflict:False, fp: {"device": {"category": "Access Points", "name": "Aruba AP", "family": "Aruba"}}, added_at: 2016-07-27 17:46:56.091343+00:00, updated_at: 2016-07-27 17:46:56.091343+00:00}
2016-07-27 23:16:56,092 INFO   CoA may be required for mac:aabbccddeeff
2016-07-27 23:16:56,092 DEBUG  Profile update mac:bbccddeeffaa ip:None hostname:None fp:{'device': {u'category': u'Access Points', u'name': u'Aruba AP', u'family': u'Aruba'}}
2016-07-27 23:16:56,098 DEBUG  Endpoint with (mac: bbccddeeffaa, ip: None) not present in tipslogdb
2016-07-27 23:16:56,098 DEBUG  Endpoint with (mac: bbccddeeffaa, ip: None) not present in tipsdb
2016-07-27 23:16:56,098 DEBUG  Endpoint:bbccddeeffaa device:<Access Points, Aruba, Aruba AP> no profiling required
2016-07-27 23:16:56,099 DEBUG  Profile change for mac:bbccddeeffaa old: None, new: <Access Points, Aruba, Aruba AP>
2016-07-27 23:16:56,099 DEBUG  New endpoint: {mac: bbccddeeffaa, ip: None, static_ip:False, hostname: None, mac_vendor: None, device: <Access Points, Aruba, Aruba AP>, other: None, conflict:False, fp: {"device": {"category": "Access Points", "name": "Aruba AP", "family": "Aruba"}}, added_at: 2016-07-27 17:46:56.098979+00:00, updated_at: 2016-07-27 17:46:56.098979+00:00}
2016-07-27 23:16:56,099 INFO   CoA may be required for mac:bbccddeeffaa
2016-07-27 23:16:56,108 DEBUG  Updated endpoints: [u'aabbccddeeff', u'bbccddeeffaa'] in tipsLogDb
2016-07-27 23:16:56,145 DEBUG  Updated endpoints: [u'aabbccddeeff', u'bbccddeeffaa'] in tipsdb
2016-07-27 23:17:06,156 WARNING No session for mac:bbccddeeffaa
2016-07-27 23:17:06,157 DEBUG  No coa profile applicable for mac:bbccddeeffaa
2016-07-27 23:17:06,161 WARNING No session for mac:aabbccddeeff
2016-07-27 23:17:06,161 DEBUG  No coa profile applicable for mac:aabbccddeeff
2016-07-27 23:18:37,915 DEBUG  HashFilter purge 1 expired entries

Verify whether the device is profiled appropriately in Clearpass GUI (Under Configuration-> Identity -> Endpoints) as shown below: