Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass REST API 6.5 usage

  • 1.  Clearpass REST API 6.5 usage

    Posted May 26, 2016 09:22 PM

    Hello,

     

    I'm trying to use the XML API to update a StaticHostList, and running into an error that I'm not sure how to interpret.  Here's the initial Request, retrieved using "https://clearpass/tipsapi/config/read/StaticHostList":

    <TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Thu May 26 16:59:31 PDT 2016" version="6.5"/>
      <StatusCode>Success</StatusCode>
      <StaticHostLists>
        <StaticHostList description="MAC Addresses of devices violating security policy or other" name="quarantined devices" memberType="MACAddress" memberFormat="list" members="01:23:45:67:89:ab"/>
        <StaticHostList description="" name="test" memberType="MACAddress" memberFormat="list" members="12:34:56:78:90:ab, 00:11:22:33:44:55, aa:bb:cc:dd:ee:ff"/>
      </StaticHostLists>
    </TipsApiResponse>

    So, then I manipulate the StaticHostList entry that matches the name "test", to remove one of the entries.  When that's done, I post the following to "https://clearpass/tipsapi/config/write/StaticHostList":

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
    <TipsHeader version="6.5"/>
    <StaticHostLists>
    <StaticHostList xmlns="http://www.avendasys.com/tipsapiDefs/1.0" description="" name="test" memberType="MACAddress" memberFormat="list" members="12:34:56:78:90:ab, aa:bb:cc:dd:ee:ff"/>
    </StaticHostLists>
    </TipsApiRequest>

    But, this throws an error:

    <TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Thu May 26 16:59:32 PDT 2016" version="6.5"/>
      <StatusCode>Failure</StatusCode>
      <TipsApiError>
        <ErrorCode>InvalidXml</ErrorCode>
        <Message>Error at: [lineNumber: 6, columnNumber: 19]</Message>
        <Message> Element 'StaticHostLists' cannot have character [children], because the type's content type is element-only.</Message>
      </TipsApiError>
    </TipsApiResponse>

    Can someone help me properly form this POST to remove the entry?  I understand from an old post I found that elements like StaticHostList were such that you have to replace the entire entry.  But, that code was using version 3.0.  I've tried to consult the docs, but there aren't any relevant examples.  The XML I'm posting is virtually the same as what I understand the format is if I were to upload an XML through the GUI.

     

    Thanks
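
Added example (not part of the original post, and not Aruba's code): a Python sketch that derives the write request from the read response with an XML library instead of string editing, then checks for the condition the error message names, character data directly inside `StaticHostLists`. The function names are hypothetical, the embedded response is the one from the post trimmed to the "test" list, and the thread does not confirm whether ClearPass 6.5 accepts the resulting request.

```python
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"  # namespace shown in the post
XML_WS = " \t\r\n"  # the only characters XML counts as whitespace

# Read response from the post, trimmed to the "test" list.
READ_RESPONSE = """<TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu May 26 16:59:31 PDT 2016" version="6.5"/>
  <StatusCode>Success</StatusCode>
  <StaticHostLists>
    <StaticHostList description="" name="test" memberType="MACAddress" memberFormat="list" members="12:34:56:78:90:ab, 00:11:22:33:44:55, aa:bb:cc:dd:ee:ff"/>
  </StaticHostLists>
</TipsApiResponse>"""


def build_write_request(read_xml, list_name, remove_mac, version="6.5"):
    """Return a TipsApiRequest (bytes) for list_name with remove_mac dropped."""
    ET.register_namespace("", NS)  # serialize with a default xmlns, as in the post
    src = ET.fromstring(read_xml)
    entry = next(e for e in src.iter("{%s}StaticHostList" % NS)
                 if e.get("name") == list_name)
    members = [m.strip() for m in entry.get("members").split(",")]
    kept = [m for m in members if m.lower() != remove_mac.lower()]
    if len(kept) == len(members):
        raise ValueError("%s is not a member of %r" % (remove_mac, list_name))
    # Build the tree from elements only, so no text nodes are ever created.
    req = ET.Element("{%s}TipsApiRequest" % NS)
    ET.SubElement(req, "{%s}TipsHeader" % NS, {"version": version})
    lists = ET.SubElement(req, "{%s}StaticHostLists" % NS)
    attrs = dict(entry.attrib, members=", ".join(kept))
    ET.SubElement(lists, "{%s}StaticHostList" % NS, attrs)
    return ET.tostring(req, encoding="utf-8")


def stray_text(xml_bytes, container="StaticHostLists"):
    """List non-whitespace character data found directly inside container."""
    found = []
    for el in ET.fromstring(xml_bytes).iter("{%s}%s" % (NS, container)):
        # Text can sit before the first child (el.text) or after any child (tail).
        for chunk in [el.text] + [child.tail for child in el]:
            if chunk and chunk.strip(XML_WS):
                found.append(chunk)
    return found
```

Running `stray_text()` over the exact bytes a script is about to POST shows whether anything other than XML whitespace (for example a non-breaking space picked up by copy and paste) sits between the child elements.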



  • 2.  RE: Clearpass REST API 6.5 usage

    Posted May 28, 2016 09:24 AM

    Can I suggest that it will be a better investment of your time and easier to implement and support if you do this through the RESTful APIs. Find the interface at https://IP@/api-docs/ or https://IP@/api-docs/Identity-v1

     

     



  • 3.  RE: Clearpass REST API 6.5 usage

    Posted May 31, 2016 02:22 PM

    Um, I wish.  I found those docs, but they don't seem to cover the case of updating a StaticHostList.  If you can point me to the doc that's more specific to StaticHostLists, I'd appreciate it.



  • 4.  RE: Clearpass REST API 6.5 usage

    EMPLOYEE
    Posted Jun 06, 2016 03:20 AM

    If you can upgrade to ClearPass 6.6, the StaticHostList management has been added in that version:

    [Screenshot: API Explorer - Identity-v1]



  • 5.  RE: Clearpass REST API 6.5 usage

    Posted Oct 19, 2016 06:12 PM

    We were finally able to upgrade.  I'm getting close to having this figured out, but I think I'm missing a step.  In the PDF at https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/20924/1/Using%20the%20ClearPass%20HTTP%20APIs.pdf I'm trying to follow the steps to use the "client_credentials" grant_type.  I have a Python script that can get an access token now.  I've updated the header to include the "Authorization: Bearer <token>" and "Accept: application/json" bits, and I can get the /api/oauth/privileges output, but when trying to get https://url/api/static-host-list I get Access Denied.  Step 3 of the document says to create a local user, but nothing else I'm reading says to send any more credentials other than the new header.  Here are some snippets:

     

    1. The initial post to get a token:

    #!/usr/local/bin/python2.7

    import requests
    import json
    import sys
    import time

    # Base URL of the ClearPass server
    url = 'https://myclearpassserver'

    s = requests.Session()

    # OAuth2 client_credentials grant: identifies the API client, not a user
    payload = {"grant_type": "client_credentials", "client_id": "myapi_access", "client_secret": "the-secret"}
    s.headers.update({"Content-Type": "application/json"})

    # Request an access token (certificate verification stays enabled)
    response = s.post(url + '/api/oauth', verify=True, json=payload)

    x = json.loads(response.content)

    token = x['access_token']

    # Send the bearer token on every later request in this session
    s.headers.update({"Authorization": "Bearer " + token, "Accept": "application/json"})

    getStaticHostList = s.get(url + '/api/static-host-list', verify=True)

    When I print getStaticHostList.content, I get:

     

    {"type":"http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html","title":"Forbidden","status":403,"detail":"Access denied"}

     

    The printed header looks OK:

    {'Accept': 'application/json', 'Connection': 'keep-alive', 'Accept-Encoding': 'gzip, deflate', 'Authorization': u'Bearer somelongtokenstring', 'User-Agent': 'python-requests/2.7.0 CPython/2.7.10 Linux/2.6.32-642.el6.x86_64'}

     

    Any suggestions?