Controllerless Networks

problems getting started with aruba api, can anyone spare a minute?

  • 1.  problems getting started with aruba api, can anyone spare a minute?

    Posted Jul 04, 2016 04:11 PM

    I have an IAP 205 and set the XML-API Server and a shared secret, it's just a test so I don't think it's relevant to blank that out.

    So, I tried to add a user to the internal users list.
    I ran curl like this:

     

    curl -X POST -k -H "Content-type: text/xml" -d "<aruba command="user_query"><name>Testuser1</name><key>nipcon</key><authentication>cleartext</authentication><version>1.0</version></aruba>"https://172.31.255.218/auth/command.xml

     

    curl -X POST -k -H "Content-type: text/xml" -d "<aruba command="user_add"><name>User_Name</name>key>12345678</key><authentication>cleartext</authentication><version>1.0</version></aruba>" https://172.31.255.218/auth

     

    both times I get the error 5, invalid command. I think I don't have the right understanding of the Aruba API yet, so I request the help of people more knowledgeable than me. Can anyone figure out how to make the command succeed?

     

    Thanks a lot in advance!

     


  • 2.  RE: problems getting started with aruba api, can anyone spare a minute?

    EMPLOYEE
    Posted Jul 05, 2016 03:20 AM

    Probably the main issue is that in your curl command you have double quotes (") embedded in double quotes, which is transformed by your (Linux) shell to something completely different. When I tried changing the outer double quotes (") to single quotes ('), the error 5 disappeared.

     

    The following command:

    curl -X POST -k -H "Content-type: text/xml" -d 'xml=<aruba command="user_query"> <ipaddr>192.168.33.130</ipaddr> <key>secret123</key> <authentication>cleartext</authentication> <version>1.0</version> </aruba>' https://instant.nl.arubalab.com/auth/command.xml
    

    Produces the following output on my IAP:

    <?xml version='1.0'?>
    <aruba>
      <status>Ok</status>
      <code>0</code>
      <macaddr>f4:1b:a1:07:ff:aa</macaddr>
      <ipaddr>192.168.33.130</ipaddr>
      <name>IPad-01</name>
      <role>kindle</role>
      <type>wireless</type>
      <vlan>1</vlan>
      <location>192.168.33.132</location>
      <age>5m:27s</age>
      <auth_status>unauthenticated</auth_status>
      <auth_method>wpa2-psk-aes</auth_method>
      <auth_server>N/A</auth_server>
      <essid>kindle</essid>
      <bssid>d8:c7:c8:44:55:52</bssid>
      <phy_type>AN</phy_type>
      <in_packets>0</in_packets>
      <in_octets>0</in_octets>
      <out_packets>0</out_packets>
      <out_octets>0</out_octets>
    </aruba>
    

    Where I got the required fields from the XML-API documentation available at: http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/XML_API.php

     

    And on the Instant I had my XML client configured with a key:

    xml-api-server
     ip 192.168.32.20
     key secret123
    
    

    which can be found for the WebUI addicts in Instant -> More -> Services -> Network Integration. 

     

    Other commands will probably work as well, if you start from this working example.

     

    Herman



  • 3.  RE: problems getting started with aruba api, can anyone spare a minute?

    Posted Jul 05, 2016 03:45 AM

    This is a great answer, and I think it would be the solution on any Linux host, but sadly this server runs Windows Server 2008, and in ref to this post at Stack Exchange I changed the single to the double quote.
    http://stackoverflow.com/questions/15541310/was-unexpected-at-this-time-from-curl-command-line-when-posting-input-data-as

    I probably will set up a linux server there, but I first wanted to try if I can successfully access the API at all! So, thank you for your support, can you answer me one more question?

    I'd like to know if the API has the same "size and functionality" on the IAPs as it has on the APs. Or does the IAP have limited functionality?

    Thank you!



  • 4.  RE: problems getting started with aruba api, can anyone spare a minute?

    Posted Jul 05, 2016 06:25 AM

    Actually I got it working.. kinda.

    I don't get the Error 5 anymore, I get the Error 1 Unknown User. But when I add a user..

    Besides that, it states that the IP-Address and the Version is mandatory, but why is the IP mandatory, if I just want to add a user to the table? What if I don't know the IP yet?
     

    C:\Users\Administrator>curl -X POST -k -H "Content-Type: text/xml" -d "xml=<aruba command='user_add'> <ipaddr>10.10.10.10</ipaddr> <macaddr>00:00:00:00:00</macaddr> <name>UserName</name> <password>UserName</password> <key>nipcon</key> <authentication>cleartext</authentication> <version>1.0</version> </aruba>" https://172.31.255.218/auth/command.xml
     
    <?xml version='1.0'?>
    <aruba>
      <status>Error</status>
      <code>1</code>
      <reason>unknown user</reason>
    </aruba>
     


  • 5.  RE: problems getting started with aruba api, can anyone spare a minute?

    EMPLOYEE
    Posted Jul 05, 2016 07:01 AM

    Please look at the document here:  http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/5647/2/XML_API.pdf

     

    user_add needs the "role" parameter.

     

    How this should work on the controller is, a user associates to the captive portal and gets redirected to your web server. The user has an IP address and MAC address already. The user_add is supposed to switch the role of an existing user from a captive portal role to a production role. The user is supposed to exist on the captive portal with an IP address and MAC address, and when the user satisfies something on your web server, you switch the user's role to one that allows full access. You typically would know the user's IP address, and the MAC address is optional in user_add.

     

    I hope that makes sense.
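
An added example, not part of any post in this thread and not Aruba's own code: it builds the `xml=<aruba ...>` body from the replies above without nesting quotes on the command line, includes the "role" parameter when one is given, and reads the status code out of the reply. The function names, the `ARUBA_XML_KEY` and `ARUBA_CA_FILE` environment variables, and `<role>` as the request element name are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the ARUBA_XML_KEY /
# ARUBA_CA_FILE environment variables are assumptions made for illustration.

# Escape XML special characters so a value cannot break out of its element.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# build_body COMMAND IPADDR [ROLE]
# Prints the "xml=<aruba ...>" body used in the thread. The shared key comes
# from the environment instead of being typed into the command line.
build_body() {
  [ -n "${ARUBA_XML_KEY:-}" ] || { echo 'ARUBA_XML_KEY is not set' >&2; return 1; }
  printf 'xml=<aruba command="%s"><ipaddr>%s</ipaddr>' \
    "$(xml_escape "$1")" "$(xml_escape "$2")"
  # <role> as the element name for the "role" parameter is an assumption.
  if [ -n "${3:-}" ]; then printf '<role>%s</role>' "$(xml_escape "$3")"; fi
  printf '<key>%s</key><authentication>cleartext</authentication>' \
    "$(xml_escape "$ARUBA_XML_KEY")"
  printf '<version>1.0</version></aruba>'
}

# response_field FIELD: reads the XML reply on stdin, prints that element's text.
response_field() {
  sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" | head -n 1
}

# send_command HOST COMMAND IPADDR [ROLE]
# The body reaches curl on stdin (-d @-), so no shell quoting is involved and
# the key does not appear in the process list. --cacert verifies the AP's
# certificate in place of -k, which skips verification.
send_command() {
  [ -n "${ARUBA_CA_FILE:-}" ] || { echo 'ARUBA_CA_FILE is not set' >&2; return 1; }
  body=$(build_body "$2" "$3" "${4:-}") || return 1
  reply=$(printf '%s' "$body" |
    curl -sS --cacert "$ARUBA_CA_FILE" -H 'Content-Type: text/xml' \
      -d @- "https://$1/auth/command.xml") || return 1
  code=$(printf '%s\n' "$reply" | response_field code)
  if [ "$code" = 0 ]; then return 0; fi
  echo "XML-API error $code: $(printf '%s\n' "$reply" | response_field reason)" >&2
  return 1
}
```

`send_command` exits non-zero on any reply whose `<code>` is not 0, so a script can stop on "unknown user" instead of reading the XML by eye.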



  • 6.  RE: problems getting started with aruba api, can anyone spare a minute?

    Posted Jul 05, 2016 08:45 AM

    Hallo Colin, I'm grateful for your answer, it shed some light on this.

    Actually I did not make any sense at first.
    The Documentation clearly states this:

    Authentication Command

    Description

    user_add

    This command adds the user to the controllers user table.

    Which to me means, it creates a user (aka user and password in Security->Users for internal server).
    Now that I looked at the manual again with this information, "user_authenticate" looks much more like what I need to do, is this right?

    Basically, here is my goal:

    Components:
    Server

    Aruba IAP

    The Server has a small interface to create a user (user and password for guest auth).
    The Server also has a captive portal.

    I generate the user, add it to the Aruba IAP internal Database wait for the User to authenticate.
    The User finally comes in and access the guest wifi, gets redirected to the external captive portal  (or might even be the internal captive portal), and the (internal/external) captive portal checks for the correct user and password.

    Would this basically work with the API, or am I misunderstanding the main use of the API?

    Thank you!

     



  • 7.  RE: problems getting started with aruba api, can anyone spare a minute?

    EMPLOYEE
    Posted Jul 05, 2016 09:14 AM

    None of the XML-API commands adds a user to the controller or IAP internal database (authentication database).  It can only manipulate the user table (list of active users currently on the controller).  If you have an external database that the IAP or Aruba controller can authenticate to via LDAP or radius, that is where you should add or delete users.  The XML-API on controllers and IAPs would be mainly to manipulate active users on the system.  If you had a way to manipulate users on an LDAP or radius server, those users could authenticate to that.

     

    I hope that helps.



  • 8.  RE: problems getting started with aruba api, can anyone spare a minute?

    Posted Jul 05, 2016 09:22 AM

    Thanks for the clarification!


    If I may add a question in the same context: 

    This site states there is a command that does what I want "This command creates a user account entry in the controller’s internal database.", right? 
    http://www.arubanetworks.com/techdocs/ArubaOS_61/ArubaOS_61_CLI/local-userdb.htm

    I can't find it in any mode on my IAP, is this a feature not available to IAPs?

    I use Aruba OS 6.4.2.6-4.1.1.11.

    Thank you

     



  • 9.  RE: problems getting started with aruba api, can anyone spare a minute?
    Best Answer

    EMPLOYEE
    Posted Jul 05, 2016 09:36 AM

    That command would add a user to the local database to the controller.  You would have to SSH into the controller and execute the command to create it.  

     

    To create a user in an IAP, the syntax is different:  http://www.arubanetworks.com/techdocs/Instant_41_WebHelp/InstantWebHelp.htm#UG_files/Authentication/UserManagement/ConflocalDBUser.htm%3FTocPath%3DAuthentication%20and%20User%20Management%7CManaging%20Users%7C_____3

     

    In the CLI
    
    To configure an employee user:
    (Instant AP)(config)# user <username> <password> radius
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    To configure a guest user:
    (Instant AP)(config)# user  <username> <password> portal
    (Instant AP)(config)# end
    (Instant AP)# commit apply

    This is why it would make better sense to add users to an external server, where both the controller and IAP users would be able to authenticate seamlessly.

     

     

     

     

     



  • 10.  RE: problems getting started with aruba api, can anyone spare a minute?

    Posted Jul 05, 2016 09:55 AM

    Thank you a thousand times, this is what I wanted.
    I think it would be quite an overkill to create a webinterface for the MS-NAP or LDAP directory, just to manage the guest users.

    My question is solved, thanks a lot!