Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass SNMP OID to show number of connected subscribers

  • 1.  Clearpass SNMP OID to show number of connected subscribers

    Posted May 13, 2020 07:36 AM

    Hi,

     

    I have a number of Clearpass appliances in different parts of the world with sometimes questionable WAN connectivity. Therefore from time to time, a subscriber will go offline, and therefore be kicked from the cluster.

     

    My issue is that I need to notify IT staff when this happens. How can this be accomplished?

     

    I would prefer to have our monitoring tool look at the publisher via SNMP, and when the number of online subscribers falls below a certain number it can send an alert.

     

    However, looking at the MIBs and using an SNMP walker, I cannot seem to find an OID that provides this information.

     

    Does anyone have any insight into this, or have an alternative way to monitor this?

     

    Thanks.



  • 2.  RE: Clearpass SNMP OID to show number of connected subscribers

    EMPLOYEE
    Posted May 13, 2020 09:14 AM

    This is from the 6.5 code file; not sure if it helps, but you can try.
    cppmClusterOutOfSyncMinutes OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
    "
    This object represents the number of minutes since the node is
    out of synchronization with ClearPass cluster

    cppmNumClusterNodes OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
    "Total number of nodes in the ClearPass cluster"
    ::= { cppmSystemTableEntry 7 }



  • 3.  RE: Clearpass SNMP OID to show number of connected subscribers

    Posted May 13, 2020 09:56 AM

    Hi Pavan

     

    That seems like what I need.

     

    Thank you so much.



  • 4.  RE: Clearpass SNMP OID to show number of connected subscribers

    Posted May 13, 2020 07:41 PM

    Martin,

     

    /cluster/server REST API might be a better option; here is the body-response for one of my subscribers in my cluster, data like last replication time, replication_status might provide better context.

     

    {
            "name": "cppm162",
            "local_server": false,
            "server_uuid": "db7bc428-23a8-48e6-8425-dcda7e08eef2",
            "server_dns_name": "cppm162",
            "fqdn": null,
            "server_ip": null,
            "management_ip": "10.2.100.162",
            "ipv6_server_ip": "",
            "ipv6_management_ip": "",
            "is_master": false,
            "extras": null,
            "is_insight_enabled": false,
            "is_insight_master": false,
            "replication_status": "ENABLED",
            "last_replication_timestamp": "2020-05-13 16:35:19-07",
            "is_profiler_enabled": true,
            "_links": {
              "self": {
                "href": "https://10.2.100.161/api/cluster/server/db7bc428-23a8-48e6-8425-dcda7e08eef2"
              }
            }
    }



  • 5.  RE: Clearpass SNMP OID to show number of connected subscribers

    Posted May 14, 2020 08:03 AM

    Hi Danny,

     

    That looks very promising. I will go ahead and test it out, and give feedback here. If this works you are an absolute hero.



  • 6.  RE: Clearpass SNMP OID to show number of connected subscribers

    Posted May 14, 2020 09:57 AM

    Hi Danny,

     

    I'm afraid I have some trouble getting communication with the REST API.

     

    I'm on 6.7.12 at the moment. Planning on 6.8 in the near future.

     

    First question: Should I be able to use basic authentication or do I need oauth2?

     

    Second: How do I get the string ID of each controller? In your example you seem to request using an ID, but when I try to get for instance https://servername/api/cluster/server I get a 403 even using an admin account and basic authentication.

    I tried to use oauth2 but this seems to only work with the guest portal? The guide I found mentions API administration, but I do not have this option in the tips, only in the guest portal. (And I don't want to control anything in the guest portal)

     

    Third: Some documents mention the API /tipsapi instead of just /api

     

    Hope you can push me in the right direction, I really appreciate the help.

     

    Thanks.



  • 7.  RE: Clearpass SNMP OID to show number of connected subscribers
    Best Answer

    EMPLOYEE
    Posted May 14, 2020 03:27 PM

    Hi Martin,

     

    If you want, check this ClearPass API Guide https://www.slideshare.net/ArubaNetworks/emea-airheads-getting-started-with-the-clearpass-rest-api-cppm or if you prefer a video format check this session to better understand ClearPass APIs https://www.brighttalk.com/webcast/16725/339965/airheads-tech-talks-getting-started-with-the-clearpass-rest-api-cppm

     

    In brief, you need to

    1) Create an API CLIENT and get a client_id and client_secret. You assign it an operator profile role that has API access. You control what is allowed for this profile depending on your requirements.  For your requirements, you need at least read access to the platform – servers

     


     

    2) You then get an access token by accessing https://YOUR_CLEARPASS:443/api/oauth and passing in the needed parameters (Grant Type, Client_ID, CLIENT_SECRET..etc depending on the grant_type you decide to use). For example, for grant_type client_credentials, you can use

    {
      "grant_type": "client_credentials",
      "client_id": "<YOUR_CLIENT_ID>",
      "client_secret": "<YOUR_CLIENT_SECRET>"
    }

     


     

     

    You should get Response Code 200 and get an access token


     

    3) You pass this access token in any API call as part of the HTTP headers. For example, calling https://<YOUR_CLEARPASS>:443/api/cluster/server

     

    Authorization: Bearer <access_token>

     


     

     The data that you need is shown below. This can be easily extracted since it is in JSON format.

    ayman_mukaddam_0-1589484622527.png

     

    Once you have this working from ClearPass, you can then write code for the same...

     

    Hope you find this useful..
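
    Added example (not part of the original posts and not Aruba's code): a Python sketch of the three steps above, plus the check a monitoring tool would run on the `/api/cluster/server` result. Assumptions: the list response wraps entries in `_embedded.items`, the token reply carries the standard OAuth2 `access_token` field, a 30-minute staleness threshold, and every sample entry except `cppm162` (including the `DISABLED` value) is constructed.

```python
import json, re, urllib.request
from datetime import datetime, timedelta, timezone

def get_token(host, client_id, client_secret):
    """Step 2: POST the client_credentials grant to /api/oauth."""
    body = json.dumps({"grant_type": "client_credentials",
                       "client_id": client_id,
                       "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"https://{host}/api/oauth", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # TLS cert is verified
        return json.load(resp)["access_token"]

def get_servers(host, token):
    """Step 3: call /api/cluster/server with the Bearer token."""
    req = urllib.request.Request(f"https://{host}/api/cluster/server",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("_embedded", {}).get("items", [])  # assumed wrapper

def parse_ts(ts):
    # "2020-05-13 16:35:19-07": pad the hour-only offset so %z accepts it
    padded = re.sub(r"([+-]\d{2})$", r"\g<1>00", ts)
    return datetime.strptime(padded, "%Y-%m-%d %H:%M:%S%z")

def stale_subscribers(servers, now, max_age=timedelta(minutes=30)):
    """Return (name, reason) for each subscriber that looks out of sync."""
    alerts = []
    for s in servers:
        if s.get("is_master"):          # the publisher does not replicate from itself
            continue
        status, ts = s.get("replication_status"), s.get("last_replication_timestamp")
        if status != "ENABLED":
            alerts.append((s["name"], f"replication_status={status}"))
        elif ts is None or now - parse_ts(ts) > max_age:
            alerts.append((s["name"], f"last replication at {ts}"))
    return alerts

# Constructed sample: cppm162 uses the values posted above, the rest are made up.
SAMPLE = [
    {"name": "cppm161", "is_master": True, "replication_status": "ENABLED",
     "last_replication_timestamp": None},
    {"name": "cppm162", "is_master": False, "replication_status": "ENABLED",
     "last_replication_timestamp": "2020-05-13 16:35:19-07"},
    {"name": "cppm163", "is_master": False, "replication_status": "ENABLED",
     "last_replication_timestamp": "2020-05-13 09:10:02-07"},
    {"name": "cppm164", "is_master": False, "replication_status": "DISABLED",
     "last_replication_timestamp": "2020-05-13 16:35:20-07"},
]
```

    A monitoring job would call `stale_subscribers(get_servers(host, get_token(host, cid, secret)), datetime.now(timezone.utc))` and alert when the list is non-empty; give the API client only read access to platform servers, as step 1 describes.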

     



  • 8.  RE: Clearpass SNMP OID to show number of connected subscribers

    Posted May 15, 2020 02:21 AM

    Hi  

     

     

     

     



  • 9.  RE: Clearpass SNMP OID to show number of connected subscribers

    Posted May 14, 2020 08:01 AM

    Hi Pavan,

     

    I tried walking the controllers using that OID, but it's not working. They will return "No such instance"

    As far as I can tell from the .my file, these are only descriptions for SNMP traps? I'm a beginner in SNMP so sorry for my ignorance.

     

    The other OIDs in the MIB are working fine. Like the info on success or failed RADIUS requests, CPU and mem usage and so on.

    But no info on the state of the cluster. I can get the number of nodes in the cluster, but that does not change when a node becomes disconnected from the cluster, so it's of no help to me.

     

    Thank you for your contribution anyway.