Security

The REST API seems easy enough to get working (with the Clearpass REST APIs technote that is) but where the old API was pretty straightforward to do a CoA (basically a single 'command' referencing the MAC address and the COA enforcement profile) this isn't as clear with the new /api-docs interface.

 

Has anyone done a CoA yet with the REST API?

Or should I save myself the trouble and just use the old way? Any reasons to not use the old way?

I was able to do it by:

Find the ActiveSession for the MAC address in question (/api/session/)

Then use ActiveSessionDisconnect (/api/session/<sessionID>/disconnect)

 

Hope this helps point you in the right direction.

---

@wifidownunder wrote:

I was able to do it by:

Find the ActiveSession for the MAC address in question (/api/session/)

Then use ActiveSessionDisconnect (/api/session/<sessionID>/disconnect)

 

Hope this helps point you in the right direction.

---

 

Thanks. I found that too, but can't get it to work. Guess I was also hoping for something a little more streamlined like the old API.

 

The old API I have working by pushing a CoA with a mac-address and the new role in one API call.

 

With the new API I have to...

- look up the sessionid for a mac -address (among a list of all his sessionids')

- push a reauth profile that changrs the roll of the active session

 

My problems with this:

- looking up the session I can't seem to filter on {"acctstoptime": null} to get only the active sessionid. I get a "detail": "Parameter validation failed" 

- when I try a simple /session/{id}/disconnect, I get a 400 Bad Request error:

 

{
  "result": {
    "error": 1,
    "message": "{\"content\": {\"cnc_actions\": [{\"status_message\": \"Query - No MAC address record found\", \"id\": 1}]}, \"id\": \"R00000026-01-59f1ade9\", \"name\": \"cnc_response\"}"
  },
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Bad Request",
  "status": 400,
  "detail": "Error disconnecting session for user 002682d2427e. Please check ClearPass Policy Manager > Monitoring > Live Monitoring > Access Tracker for more details."
}

- when I try to request the possible Coa

 

 

{
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Bad Request",
  "status": 400,
  "detail": "No applicable CoA templates found"
}

- when I try to push [Aruba Terminate Session] as the reauthorize_profile, I also get a 400 Bad Request

 

 

 

{
  "result": {
    "error": 1,
    "message": "Session reauth failed (0). Please check ClearPass Policy Manager > Monitoring > Live Monitoring > Access Tracker for more details"
  },
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Bad Request",
  "status": 400,
  "detail": "Error reauthorizing session for user 002682d2427e. Please check ClearPass Policy Manager > Monitoring > Live Monitoring > Access Tracker for more details."
}

 

You will understand I'm starting to lean towards giving up on the REST API and simply using the good old stuff :)

I suggest you open a TAC case , I been having issues getting API CoA to work.

I didn’t get a chance to open a case.

Get Outlook for iOS

Got it to work with some help fom Tim Cappalli. Thanks Tim!

Works as explained by wifidownunder. Here's some more detail.

 

STEP 1

First find the active session

 ActiveSession 

GET /session

filter for the active session of a certain mac address:

 

{"mac_address": "002682d2427e","acctstoptime": {"$exists":false}}

 This gives you the sessionid of the active session for said mac address.

 

STEP 2

Use this sessionid to

- either terminate the session:

 

 ActiveSessionDisconnect

POST /session/{id}/disconnect

body:

 

{
  "confirm_disconnect": true
}

 

 - or find available coa profiles (if not the correct response here, that indicates : is feedback for the back-end something is wrong)

ActiveSessionReauthorize

GET /session/{id}/reauthorize

 

STEP 3

push a new user-role:

ActiveSessionReauthorize

POST /session/{id}/reauthorize

body:

{
  "confirm_reauthorize": true,
  "reauthorize_profile": "Aruba CoA user-role authenticated"
}

 

My issue with "detail": "No applicable CoA templates found" was because for unknow reasons tha csession didn't allow CoA. kicking the client of and having it reconnect resolved the issue.

Step 2 makes sure that someone in the backend knows something went wrong.. pretty important, so don't skip on it.

 

And if you are wondering (like me) how the heck you are supposed to figure out the {"$exists":false} for example.

Try clicking on "More about JSON filter expressions", and you'll get the following.

A filter is specified as a JSON object, where the properties of the object specify the type of query to be performed.

Description	JSON Filter Syntax
No filter, matches everything	{}
Field is equal to "value"	{"fieldName":"value"}
{"fieldName":{"$eq":"value"}}
Field is one of a list of values	{"fieldName":["value1", "value2"]}
{"fieldName":{"$in":["value1", "value2"]}}
Field is not one of a list of values	{"fieldName":{"$nin":["value1", "value2"]}}
Field contains a substring "value"	{"fieldName":{"$contains":"value"}}
Field is not equal to "value"	{"fieldName":{"$ne":"value"}}
Field is greater than "value"	{"fieldName":{"$gt":"value"}}
Field is greater than or equal to "value"	{"fieldName":{"$gte":"value"}}
Field is less than "value"	{"fieldName":{"$lt":"value"}}
Field is less than or equal to "value"	{"fieldName":{"$lte":"value"}}
Field matches a regular expression (case-sensitive)	{"fieldName":{"$regex":"regex"}}
Field matches a regular expression (case-insensitive)	{"fieldName":{"$regex":"regex", "$options":"i"}}
Field exists (does not contain a null value)	{"fieldName":{"$exists":true}}
Field is NULL	{"fieldName":{"$exists":false}}
Combining filter expressions with AND	{"$and":[ filter1, filter2, ... ]}
Combining filter expressions with OR	{"$or":[ filter1, filter2, ... ]}
Inverting a filter expression	{"$not":{ filter }}
Field is greater than or equal to 2 and less than 5	{"fieldName":{"$gte":2, "$lt":5}}
{"$and":[ {"fieldName":{"$gte":2}}, {"fieldName":{"$lt":5}} ]}