Security

Hi,

For context, I use ClearPass Guest 6.7.8.109113.

I am trying to manage guests account via REST API.

Almost everything works as expected but I gt an issue with guest's password :

 - if I submit it at account creation (POST request), it is not taken and the guest does not get a password ;

 - if I update (PATCH request) the account, the existing password is simply deleted.

In both cases I got HTTP 200 returned. An examle is following.

I don't know if I missed something, but if you have clues I gladely take them.

Regards.

Example :

JSON submitted for POST request on

https://clearpass.myplace.com/api/guest

{
"do_expire": 1,
"create_time": null,
"current_state": null,
"email": "mail@example.com",
"enabled": true,
"expire_time": 1580597999,
"id": null,
"mac": null,
"notes": "No note",
"password": "9xdc2vuz",
"role_id": 2,
"simultaneous_use": 5,
"sponsor_email": "sponsor-mail@example.net",
"sponsor_name": "Sponsor",
"start_time": 1580488657,
"username": "testUsername",
"visitor_company": "Company",
"visitor_name": "Visitor name"
}

=> returns HTTP 200

=> In Guests / Manage guests :

If I reset the password in tis interface :

Then the password become visible (and printable on receipt which was not before) :

Then if I PATCH via the API with this JSON submitted to

https://clearpass.myplace.com/api/guest/3077

{"password":"yop10yop"}

=> It returns HTTP 200

And if I go back to the web interface, the account does not have a password anymore

I have had this API working. I think the following should work. I believe username and possibly sponsor_name are expected to be email addresses. 

{
"visitor_name": "Visitor name",
"username": "mail@example.com",
"sponsor_name": "sponsor-mail@example.net",
"expire_time": 1580597999,
"do_expire": 1,
"enabled": true,
"role_id": 2,
"password": "9xdc2vuz"
}

What you are seeing is expected behavior.  We do not default to allowing you to see existing passwords.  You can only see passwords when they were just generated (or about to be generated in Reset).

If you want to see passwords you need Password Display: set within Configuration > Guest Manager, and the Operator Profile being used needs Guest Manager > View Passwords.  We generally do not recommend these, though it does ahve use in some specific cases.  If any workflow allows people to write or change their own passwords you really do not want this on.

Hi, thank you for your answer.

First, I forgot to say that the profile used has the right to read password fields (which I definitely wants, and nobody can change/choose its password).

But even with that, I am neither able to display passwords, nor send receipts wih passwords on them (and this is the most important). 

Did I forget anything in configuration ?

Regards.

If you want to see passwords you need Password Display: set within Configuration > Guest Manager.

Thank you so much !

I missed this tick box.

Regards.

Thank you for your answer.

But it did not work password is still unaccessible, behavior is the same.

Regards.