Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Controller XML-API Blacklist User

  • 1.  Controller XML-API Blacklist User

    Posted Sep 13, 2017 10:46 AM

    I'm looking to use the controller XML-API to blacklist a device based on MAC address. The documentation states IP address is required when blacklisting a user, but that doesn't jibe with the CLI command (stm add-blacklist-client [MAC]). Blacklisting via IP address won't work for us as there are instances where a client will not be connected and thus will not have an IP address. How can I blacklist a MAC address via API?



  • 2.  RE: Controller XML-API Blacklist User



  • 3.  RE: Controller XML-API Blacklist User

    Posted Sep 17, 2017 09:08 PM

    Hi codemode,

    You have a few alternative options. One is to use the syslog parser (see ESI Syslog parser in the docs). It has the ability to blacklist based on MAC, as long as you can format a 'syslog' message to send to the controller - not any more work than setting up an XML message. This is the only option in this post that would be considered 'supported'.

    The second, which is a bit more advanced, is to use a libCURL based script to authenticate to the same interface that the controller webUI uses and inject the CLI command as the webUI would.


    The third, which is not recommended for live systems, is to interact with the CLI over ssh. There are various reasons why that is not as good an idea as the above two, so I would focus on one of them instead.


    hth.



  • 4.  RE: Controller XML-API Blacklist User

    Posted Sep 18, 2017 08:48 AM

    Can you speak more to the ESI option? I read through the docs, but I'm not a controller guy - I'm more on the ClearPass/scripting side of things.



  • 5.  RE: Controller XML-API Blacklist User

    Posted Sep 21, 2017 10:46 AM

    Apologies for the delay; I was out of office. The syslog parser will take a message like

    2017-09-10  something user=xyz mac=00:11:22:33:44:55 blah


    where the MAC can be matched using something like

    mac=(\S+)


    then you can write an ESI parser rule which does

    match mac "mac=(\S+)" set blacklist


    This is a fairly simplified and incomplete example; it of course relies on the fact that you have some device able to generate the actual message (in a format you desire).
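As an added example (not from the original thread and not HPE Aruba's own code), here is a small Python script that emulates what the ESI rule above does: it searches a constructed syslog line with the capture regex, checks that the captured value really is a MAC before acting, and returns the equivalent `stm add-blacklist-client` command. The `build_message` helper and the strict MAC check are assumptions about what a sending device and a cautious parser should do, not documented controller behaviour.

```python
import re

# Constructed sample syslog lines in the shape described in the reply above.
SAMPLE_LINES = [
    "2017-09-10  something user=xyz mac=00:11:22:33:44:55 blah",
    "2017-09-10  something user=abc mac=AA-BB-CC-DD-EE-FF blah",
    "2017-09-10  heartbeat user=xyz blah",                      # no mac= field
    "2017-09-10  something user=eve mac=not_a_mac;reboot blah",  # junk value
]

# Six hex pairs with a consistent separator (':' or '-') or none at all.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def normalize_mac(raw):
    """Return 'aa:bb:cc:dd:ee:ff' for a plausible MAC, or None for anything else."""
    if not MAC_RE.match(raw):
        return None
    hexdigits = re.sub(r"[:-]", "", raw).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def apply_rule(line, capture_re=r"mac=(\S+)"):
    """Emulate  match mac "<regex>" set blacklist  for one syslog line.

    Returns the CLI action the rule would trigger, or None when it does not
    fire. '\\S+' is loose, so the captured text is validated as a MAC first
    (an assumption here, not documented ESI behaviour) rather than passed
    straight to the blacklist action.
    """
    m = re.search(capture_re, line)
    if not m:
        return None
    mac = normalize_mac(m.group(1))
    if mac is None:
        return None
    return f"stm add-blacklist-client {mac}"


def build_message(user, mac, date="2017-09-10"):
    """Hypothetical sender side: format the line the parser expects."""
    norm = normalize_mac(mac)
    if norm is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{date}  something user={user} mac={norm} blah"


def process(lines):
    """Run the rule over many lines and keep only the actions that fired."""
    return [a for a in (apply_rule(l) for l in lines) if a]
```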