Security

Hi,

I'm trying to access the Clearpass XML API to retrieve information about Endpoints.

I'm trying to use the following python 3 script:

import urllib.request
import xml.etree

theurl = 'http://<server>/tipsapi/config/read/Endpoint'
username = '<user>
password = '<secret>'

xml_string = '''
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader version="3.0" source="Endpoint"/>
<Filter entity="Endpoint">
<Criteria fieldName="macAddress" filterString="a82066166659" match="equals" />
</Filter>
</TipsApiRequest>
'''

passman = urllib.request.HTTPPasswordMgrWithDefaultRealm()
# this creates a password manager

passman.add_password(None, theurl, username, password)
# Because with have put None at the start it will always
# use this username/password combination for urls
# for which 'theurl' is a super-urllib

authhandler = urllib.request.HTTPBasicAuthHandler(passman)
# create the authhandler

opener = urllib.request.build_opener(authhandler)

urllib.request.install_opener(opener)
# All calls to urllib.urlopen will now use our handler
# Make sure not to include the protocol in the URL, or
# HTTPPasswordMgrWithDefaultRealm will be very confused.
# You must (of course) use it when fetching the page though.

xml_string = xml_string.encode('utf-8')

req = urllib.request.Request(theurl)
req.add_header("Content-Type", "application/xml")

pagehandle = urllib.request.urlopen(req, xml_string)
# authentication automatically handled for username

print(pagehandle.read().decode('utf-8'))

The script runs, but returns a list of all endpoints, not just the one I'm searching for.

It's either a python 3 issue, or a filter issue, I can't determine which.

Thanks in advance.

-Neil

Well it was a python 3 issue:

Here is the working script:

import urllib.request
import urllib.parse

theurl = 'https://<SERVER>/tipsapi/config/read/Endpoint'
username = '<username>'
password = '<password>'

# Note: no return after ''' or you will have issues.

xml_string = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader version="6.4" source="Endpoint"/>
<Filter entity="Endpoint">
<Criteria fieldName="macAddress" filterString="a82066166659" match="equals"/>
</Filter>
</TipsApiRequest>'''

passman = urllib.request.HTTPPasswordMgrWithDefaultRealm()

# this creates a password manager

passman.add_password(None, theurl, username, password)\

# Because with have put None at the start it will always
# use this username/password combination for urls
# for which 'theurl' is a super-urllib

authhandler = urllib.request.HTTPBasicAuthHandler(passman)
# create the authhandler

opener = urllib.request.build_opener(authhandler)

urllib.request.install_opener(opener)
# All calls to urllib.urlopen will now use our handler
# Make sure not to include the protocol in the URL, or
# HTTPPasswordMgrWithDefaultRealm will be very confused.
# You must (of course) use it when fetching the page though.

data = xml_string.encode('utf-8')

# Convert Python3 String to Bytes

req = urllib.request.Request(theurl, data)
req.add_header("Content-Type","application/x-www-form-urlencoded;charset=utf-8")

pagehandle = urllib.request.urlopen(req)
# authentication automatically handled for username

print(pagehandle.read().decode('utf-8'))

# print results

Attached are three python 3 CGI scripts to enable, disable, and find disabled  hosts using the clearpass XMI API.

They're pretty crude, but enough for a proof of concept.

Enjoy.

Attachment(s)

clrpassenableclient.py.txt   4 KB 1 version

clrpassfinddisabled.py.txt   2 KB 1 version

clrpassdisableclient.py.txt   4 KB 1 version