If you have access to AFP:
https://arubapedia.arubanetworks.com/afp/index.php/How-To:_Clearpass_CPPM_API#CoA
Otherwise here's the quote from there:
CoA
Sending a CoA can be achieved using:
curl -k -u "<user>:<password>" -X POST https://<CPPM>/async_netd/cmdctrl/radenfprofile -d
'{"content": {"enf_profile_name": "[Aruba Terminate Session]", "mac_address": "<macaddress without delimiters>"},
"id": 1, "name": "radius_enfprofile_request"}';
curl -k -u "<user>:<password>" -X POST https://<CPPM>/async_netd/cmdctrl/apply_coaprof_clntlist -d
'{"id": 1, "name": "apply_coaprof_clntlist_request", "content": {"macaddr_list" : ["<macaddress without delimiters>", "<macaddress without delimiters>"], "enf_profile_name" : "[Aruba Terminate Session]" } }'
To accomplish a CoA, follow these steps and examples:
1. Ask ClearPass “What can you do with a given MAC address” ?
Send an API request to /async_netd/cmdctrl/query - note the “query” at the end - this is how we know we’re just being asked to advertise capabilities
ashwath@mba-ashwath:/tmp$ curl -k -u 'admin:eTIPS123' -H 'Content-Type: application/json' https://10.2.50.126/async_netd/cmdctrl/query -d '{"content": {"mac_address": "98D6F769D4EA"}, "id": 1, "name": "cnc_query_request"}'
2. ClearPass Response
{"content": {"cnc_capabilities": [{"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}], "display_name": "Terminate Session", "name": "Terminate-Session-Aruba", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}, {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}], "display_name": "Change User Role", "name": "Change-User-Role", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "String", "name": "Calling-Station-Id", "value": "%{Radius:IETF:Calling-Station-Id}", "id": 31}], "display_name": "Terminate Session", "name": "Terminate-Session-IETF", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "IPv4Address", "name": "Framed-IP-Address", "value": "%{Connection:Client-IP-Address}", "id": 8}, {"input_required": 0, "type": "String", "name": "Filter-Id", "value": "", "id": 11}], "display_name": "Change VPN User Role", "name": "Change-VPN-User-Role", "cnc_type": "RADIUS"}, {"params": [{"input_required": 0, "type": "IPv4Address", "name": "Framed-IP-Address", "value": "%{Connection:Client-IP-Address}", "id": 8}], "display_name": "Generic Change of Authorization", "name": "Generic-CoA-IETF", "cnc_type": "RADIUS"}]}, "id": 1, "name": "cnc_query_response"}
3. Ask ClearPass to execute one of the actions returned in step #2
Send an API request to /async_netd/cmdctrl/request - note the “request” at the end - this is how we know we’re asking ClearPass to take an action
ashwath@mba-ashwath:/tmp$ curl -k -v -u 'admin:eTIPS123' -H 'Content-Type: application/json' http://10.2.50.126/async_netd/cmdctrl/request -d '{"id": 1, "name": "cnc_request", "content": {"mac_address": "B88D120EB41E", "cnc_actions" : [{"id" : 1, "name" : "Terminate-Session-Aruba", "display_name" : "Terminate Session", "type" : "RADIUS", "params" : [{"name": "Calling-Station-Id", "value":"98D6F769D4EA"}] }] } }'
4. ClearPass Response
{"content": {"cnc_actions": [{"status_message": "Radius Terminate Session successful for client B88D120EB41E", "id": 1}]}, "id": 1, "name": "cnc_response"}
This is just one sequence of events - however, it’s very indicative of how the API works.
The same can be done with usernames instead of MAC addresses. In the query request, send “username”:”bob” instead of “mac_address”:”00-11-22-33-44-55”