Occasional Contributor I

ClearPass Guest API Limitations

I am trying to integrate our ClearPass system with a visitor sign-in system that allows API POST and GET webhooks and am running into a couple of issues.

 

1. When sending the POST API call to create a guest account, the "expire_time" cannot be populated using the webhook, so I am trying to use the "expire_after" field with a value of 24, but this doesn't seem to change anything and the account is still set to never expire. The only alternative I have found is to use the "expire_postlogin" with a value of "1440", but this only works once the user signs in to our guest Wi-Fi. Is there a way to get the "expire_after" to work?

 

2. The "password" field has to be used and populated which doesn't allow for a random password to be generated, even though I have configured the settings in Guest Configuration. Is there a way around this?

 

3. Due to the fact that our visitor sign-in system does not allow for other API methods except POST and GET, I cannot reactivate an account that uses the same username (i.e. the visitor's email address) because using the POST command I get the error message "The username is already in use". Is there a way to tell ClearPass to re-enable an account if it receives a POST API call?

 

Any support would be appreciated.

 

For reference, the current API call I am using is like:

{
"do_expire": 4,
"email": [email],
"username": [email],
"enabled": true,
"role_id": 2,
"sponsor_name": "WhosOnLocation",
"password": "1234567890",
"expire_postlogin": "1440",
"visitor_name": [name],
"visitor_phone": [mobile],
"simultaneous_use": 1,
"expired_notify_status": 0,
"auto_send_smtp": 0,
"auto_send_sms": 0
}

Guru Elite

Re: ClearPass Guest API Limitations

1) expire_time is an epoch timestamp and is accepted via the REST API.

2) There is an API that will generate a random password. This can then be passed in the payload for the guest user.

 

3) Correct. This is a RESTful API. Any change to an attribute of an entity must use PATCH.

 

 

Here is a sample working payload:

 

{
  "do_expire": 1,
  "email": "test@airheads.community",
  "username": "test@airheadscommunity",
  "enabled": true,
  "expire_time": "1561579442",
  "password": "abc123",
  "role_id": 2,
  "simultaneous_use": 0,
  "visitor_company": "Testing Co",
  "visitor_name": "Just a Test"
}

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: ClearPass Guest API Limitations

Hi cappalli,

 

Thank you for responding. Unfortunately, my questions weren't answered.

 

1. I know that the "expire_time" is in epoch/Unix time format. The system I am sending the API POST from cannot send this to the ClearPass system as it cannot do that math of adding 24 hours to the creation time. I am trying to use the "expire_after" variable so ClearPass can automatically populate the "expire_time" field.

 

2. With the system that is sending the API POST command I cannot run the "random_password" API call to then pass onto the next POST command.

 

3. Can ClearPass not handle reactivating an account if a POST API call is made using the same username? I have read the "Business Logic for Account Creation" techdoc but nothing in that document works.

https://www.arubanetworks.com/techdocs/ClearPass/6.8/Guest/Default.htm#Configuration/BusinessLogicForAccountCreation.htm%3FTocPath%3DConfiguration%7CConfiguring%2520Guest%2520Manager%7C_____3

Guru Elite

Re: ClearPass Guest API Limitations

1) No, this is not possible via the API.

2) Correct. You’d need to find a way to generate a password.

3) POST is used to create an entity. You can’t create an entity that already exists. This is standard CRUD operations.


Please also remember that a REST API doesn’t mean it is a webhook consumer.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
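
The replies above leave three jobs to whatever sits between the visitor system and ClearPass: compute "expire_time" as an epoch value, supply a generated password, and use PATCH rather than POST when the username already exists. The sketch below is an added example, not code from this thread or from Aruba; the visitor dict shape, the function names and the username normalisation are assumptions, and it only builds the method and payload (no HTTP calls, since the thread gives no endpoint paths).

```python
import secrets
import string
import time

# Field names are the ones shown in the payloads in this thread.
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def random_password(length=16):
    """Generate the password from a CSPRNG instead of sending a fixed literal."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def expire_time_after(hours, now=None):
    """Absolute expiry as an epoch-seconds string, as in the sample payload."""
    now = int(time.time()) if now is None else int(now)
    return str(now + hours * 3600)


def plan_guest_request(visitor, existing_usernames, hours=24, now=None):
    """Map a sign-in event (hypothetical dict) to (method, payload).

    Unknown username -> POST with the full account.
    Known username   -> PATCH that re-enables it with a new expiry and password.
    existing_usernames is assumed to hold lower-cased usernames.
    """
    # Assumption: normalise the e-mail so one visitor maps to one username.
    username = visitor["email"].strip().lower()
    changes = {
        "enabled": True,
        "do_expire": 1,
        "expire_time": expire_time_after(hours, now),
        "password": random_password(),
    }
    if username in existing_usernames:
        return "PATCH", changes
    payload = {"username": username, "email": username, "role_id": 2,
               "simultaneous_use": 1, "visitor_name": visitor["name"], **changes}
    return "POST", payload


if __name__ == "__main__":
    # Constructed sample input, not real visitor data.
    visitor = {"email": "Test@Example.com", "name": "Just a Test"}
    print(plan_guest_request(visitor, set(), now=1561493042))
    print(plan_guest_request(visitor, {"test@example.com"}, now=1561493042))
```
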