Security

I am trying to integrate our ClearPass system with a visitor sign-in system that allows API POST and GET webhooks and am running into a couple of issues.

 

1. When sending the POST API call to create a guest account, the "expire_time" cannot be populated using the webhook so I am trying to use the "expire_after" field with a value of 24, but this doesn't seem to change anything and the account is still set to never expire. The only alternative I have found is it use the "expire_postlogin" with a value of "1440" but this only works once the user signs-in to our guest Wi-Fi. Is there a way to get the "expire_after" to work?

 

2. The "password" field has to be used and populated which doesn't allow for a random password to be generated, even though I have configured the settings in Guest Configuration. Is there a way around this?

 

3. Due to the fact that our visitor sign-in system does not allow for other API methods except POST and GET I cannot reactivate an account that uses the same username (i.e. the visitors email address) because using the POST command I get the error message "The username is already in use". Is there a way to tell ClearPass to re-enable an account if it receives a POST API call?

 

Any support would be appreciated.

 

For reference, the current API call I am using is like:

{
"do_expire": 4,
"email": [email],
"username": [email],
"enabled": true,
"role_id": 2,
"sponsor_name": "WhosOnLocation",
"password": "1234567890",
"expire_postlogin": "1440",
"visitor_name": [name],
"visitor_phone": [mobile],
"simultaneous_use": 1,
"expired_notify_status": 0,
"auto_send_smtp": 0,
"auto_send_sms": 0
}

#Meridian
#ArubaSensor
#ArubaBeacons
#LocationServices
#ALE

1) expire_time is an epoch timestamp and is accepted via the REST API

 

2) There is an API that will generate a random password. This can then be passed in the payload for guest user

 

3) Correct. This is a RESTful API. Any change to an attribute of an entity must use PATCH.

 

 

Here is a sample working payload:

 

{
  "do_expire": 1,
  "email": "test@airheads.community",
  "username": "test@airheadscommunity",
  "enabled": true,
  "expire_time": "1561579442",
  "password": "abc123",
  "role_id": 2,
  "simultaneous_use": 0,
  "visitor_company": "Testing Co",
  "visitor_name": "Just a Test"
}

Hi cappalli,

 

Thank you for responding. Unfortunately, my questions weren't answered.

 

1. I know that the "expire_time" is in epoch/Unix time format. The system I am sending the API POST from cannot send this to the ClearPass system as it cannot do that math of adding 24 hours to the creation time. I am trying to use the "expire_after" variable so ClearPass can automatically populate the "expire_time" field.

 

2. With the system that is sending the API POST command I cannot run the "random_password" API call to then pass onto the next POST command.

 

3. Can ClearPass not handle reactivating an account if a POST API call is made using the same username? I have read the "Business Logic for Account Creation" techdoc but nothing in that document works.

https://www.arubanetworks.com/techdocs/ClearPass/6.8/Guest/Default.htm#Configuration/BusinessLogicForAccountCreation.htm%3FTocPath%3DConfiguration%7CConfiguring%2520Guest%2520Manager%7C_____3

No this is not possible via the API
Correct. You’d need to find a way to generate a password
POST is used to create an entity. You can’t create an entity that already exists. This is standard CRUD operations.


Please also remember that a REST API doesn’t mean it is a webhook consumer.