Clearpass API and XML Calls

  • 1.  Clearpass API and XML Calls

    Posted Aug 29, 2013 09:38 AM

    I'm trying to perform an API call to our Clearpass server to move users into roles based on the attribute "Disabled Reason". For example if "Disabled Reason" equals "RIAA" I would like to move them into the RIAA role where we would present the user with a splash page explaining the process that they must follow to re-establish service.

     

    I have a call that works for moving the user's status from "Known" to "Disabled" but need to expand on that to use the endpoint attributes. The working call is as follows:

     

    <TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
    <TipsHeader version="3.0"/>
    <Endpoints>
    <Endpoint status="Unknown" macAddress="a088b4764054"/>
    </Endpoints>
    </TipsApiRequest>

     

    I exported one of the endpoints that I had manually configured RIAA as the Disabled Reason and got this:

     

    <TipsContents>
      <TipsHeader exportTime="Wed Aug 28 22:55:18 CDT 2013" version="6.2"/>
      <Endpoints>
        <Endpoint macAddress="1040f350d9d2" status="Unknown">
          <EndpointTags tagName="Disabled Reason" tagValue="RIAA"/>
        </Endpoint>
      </Endpoints>
      <TagDictionaries>
        <TagDictionary allowMultiple="true" mandatory="false" dataType="String" attributeName="Disabled Reason" entityName="Endpoint"/>
      </TagDictionaries>
    </TipsContents>

     

    Any ideas on how this call should be constructed?

     

    Thanks,

     

    David



  • 2.  RE: Clearpass API and XML Calls

    Posted Aug 29, 2013 12:21 PM

    I think you are asking: how to set an endpoint attribute through the API?

     

    You should be able to do this using the same format returned when you read the endpoint.  There's no need to include the tag dictionary, though.

     

    Try something like this:

     

    <TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader version="3.0"/>
      <Endpoints>
        <Endpoint status="Unknown" macAddress="a088b4764054">
          <EndpointTags tagName="Disabled Reason" tagValue="RIAA"/>
        </Endpoint>
      </Endpoints>
    </TipsApiRequest>

     



  • 3.  RE: Clearpass API and XML Calls

    Posted Aug 29, 2013 02:20 PM

    Thank you amigodave...that worked great. 

     

    So now I can structure the call to update the status from "Disabled" to "Known" but how do I go about deleting the "Reason Disabled" attribute from the end point? 



  • 4.  RE: Clearpass API and XML Calls

    Posted Aug 29, 2013 05:51 PM

    Does the following sound like a reasonable approach?

     

    1) Move the user via API call to "Disabled" and reason for Disabled = RIAA. This allows me to move the device to the RIAA role.

    2) Once the user meets University policy to re-enable network access move the device from "Disabled" to "Unknown". This clears the RIAA attribute from the endpoint.

    3) Once the user connects their device to the network Clearpass moves them from "Unknown" to "Known" and we start again...

     

    If that sounds reasonable then I'm all good.

     

    Thanks,

     

    David 



  • 5.  RE: Clearpass API and XML Calls
    Best Answer

    Posted Aug 30, 2013 01:47 AM

    When writing the endpoint, I believe all the tags that are specified in the API call will replace all of the tags that are stored with the endpoint.

     

    That means:

     

    • To delete an attribute, don't send it when you update the endpoint
    • To keep an attribute, send it unmodified when you update the endpoint
    • To modify an attribute, send the new value when you update the endpoint
    • To add a new attribute, include it when you update the endpoint

    Your approach sounds like it would work provided you don't have policy that prevents unknown endpoints from accessing the network.



  • 6.  RE: Clearpass API and XML Calls

    EMPLOYEE
    Posted Aug 30, 2013 08:16 AM

    Is there a way to specify in the call the "action". We have been looking at using XML API calls to add information to the endpoint database, but we need a "merge" or "add" action that doesn't replace existing attributes (other than the ones specified).

     



  • 7.  RE: Clearpass API and XML Calls

    Posted Sep 03, 2013 05:41 PM

    Unfortunately, the "write" action is the only one available at present, and it performs a destructive replace.  Use the algorithm outlined above to merge or modify.
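
Added example (not part of the original thread and not Aruba's code): a read-merge-write helper for the destructive "write" described in posts 5 and 7, building the full TipsApiRequest body from an exported endpoint so that tags you do not mention are re-sent and survive. The function names, the `Owner` and `Note` tags and the sample export are constructed for illustration; it assumes the replace-on-write behaviour (later posts report that omitting a tag no longer deletes it on 6.4), and sending the request is left out because the thread does not give the API URL.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"  # namespace used in the thread's request

# Constructed sample in the export format from post 1; the "Owner" tag is made up.
EXPORT = """<TipsContents>
  <TipsHeader exportTime="Wed Aug 28 22:55:18 CDT 2013" version="6.2"/>
  <Endpoints>
    <Endpoint macAddress="1040f350d9d2" status="Disabled">
      <EndpointTags tagName="Disabled Reason" tagValue="RIAA"/>
      <EndpointTags tagName="Owner" tagValue="jdoe"/>
    </Endpoint>
  </Endpoints>
</TipsContents>"""

def normalize_mac(mac):
    """Reduce a MAC to the 12 lowercase hex digits the thread's XML uses."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def read_endpoint(export_xml, mac):
    """Return (status, {tagName: tagValue}); assumes one value per tag name."""
    for el in ET.fromstring(export_xml).iter():
        # Match on the local name so exports with or without xmlns both parse.
        if el.tag.rsplit("}", 1)[-1] == "Endpoint" and el.get("macAddress", "").lower() == mac:
            return el.get("status"), {t.get("tagName"): t.get("tagValue") for t in el if t.get("tagName")}
    raise KeyError(mac)

def merge_request(export_xml, mac, status=None, set_tags=None, drop_tags=()):
    """Build a write request that carries every stored tag plus the changes."""
    mac = normalize_mac(mac)
    cur_status, tags = read_endpoint(export_xml, mac)
    tags.update(set_tags or {})          # add or modify
    for name in drop_tags:
        tags.pop(name, None)             # delete by leaving the tag out
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}TipsApiRequest")
    ET.SubElement(root, f"{{{NS}}}TipsHeader", version="3.0")
    ep = ET.SubElement(ET.SubElement(root, f"{{{NS}}}Endpoints"), f"{{{NS}}}Endpoint",
                       status=status or cur_status, macAddress=mac)
    for name, value in tags.items():
        ET.SubElement(ep, f"{{{NS}}}EndpointTags", tagName=name, tagValue=value)
    return ET.tostring(root, encoding="unicode")  # attribute values are XML-escaped
```

Export the endpoint immediately before each write: any tag added between the read and the write is lost by the replace.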

     



  • 8.  RE: Clearpass API and XML Calls

    Posted Sep 29, 2014 04:09 AM

    Can anyone recommend a tool/library for making API calls to ClearPass?

    My goal is simple: to update the password on a guest user on a routine basis.

    I have a background in scripting but have never had to work with an XML API, so I'm just figuring out where to start. Ideally a Linux-based tool; if not, what is the MS option?



  • 9.  RE: Clearpass API and XML Calls

    Posted Oct 05, 2014 06:42 PM

    Please take a look at our API Guide.

     

    ClearPass API Technical Document

     



  • 10.  RE: Clearpass API and XML Calls

    Posted Oct 05, 2014 08:19 PM

    I read this document before posting. 

     

    There is no mention of a tool or library that can be used for making the API calls.

     



  • 11.  RE: Clearpass API and XML Calls

    EMPLOYEE
    Posted Oct 05, 2014 10:43 PM

    Aruba does not publish any tool to use the API. There are plenty of third-party web tools already out there. We just provide the doc to explain the different API calls.



  • 12.  RE: Clearpass API and XML Calls

    Posted Oct 05, 2014 10:54 PM

    Good grief, the request was very clearly for any tool, not an Aruba published tool. 

    For anyone reading this later who needs an actual answer, it's "wget or curl".

     

     



  • 13.  RE: Clearpass API and XML Calls

    Posted Feb 09, 2015 12:53 PM

    @amigodave wrote:

    When writing the endpoint, I believe all the tags that are specified in the API call will replace all of the tags that are stored with the endpoint.

     

    That means:

     

    • To delete an attribute, don't send it when you update the endpoint
    • To keep an attribute, send it unmodified when you update the endpoint
    • To modify an attribute, send the new value when you update the endpoint
    • To add a new attribute, include it when you update the endpoint

    Your approach sounds like it would work provided you don't have policy that prevents unknown endpoints from accessing the network.


    The method for deleting the attribute (Tag) does not work for 6.4.

    Is there another method?

     



  • 14.  RE: Clearpass API and XML Calls

    Posted Feb 10, 2015 05:49 AM

    I will add my voice to this. We are trying to modify, add and delete "Disabled Reason" attributes.

    Deleting an attribute does not work - they are simply not removed even though they are not included in the request. We're using 6.4 as well.

     

    This matter is urgent. Can anyone shed light on the issue?



  • 15.  RE: Clearpass API and XML Calls

    Posted Feb 12, 2015 05:54 PM

    Confirmed with TAC this is not possible, but may be fixed in a future version of Clearpass.