Contributor I

Controller XML-API Blacklist User

I'm looking to use the controller XML-API to blacklist a device based on MAC address. The documentation states IP address is required when blacklisting a user, but that doesn't jibe with the CLI command (stm add-blacklist-client [MAC]). Blacklisting via IP address won't work for us as there are instances where a client will not be connected and thus not have an IP address. How can I blacklist a MAC address via API?

Guru Elite

Re: Controller XML-API Blacklist User

Unfortunately, the IP address is required and it won't work without it. http://www.arubanetworks.com/techdocs/ArubaOS_81_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/XML_Request.htm%3FTocPath%3DArubaOS%2520User%2520Guide%7CExternal%2520User%2520Management%7C_____3

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: Controller XML-API Blacklist User

hi codemode


You have a few alternative options. One is to use the syslog parser (see ESI Syslog parser in the docs). It has the ability to blacklist based on mac, as long as you can format a 'syslog' message to send to the controller - not any more work than setting up an xml message. This is the only option in this post that would be considered to be 'supported'.


The second, which is a bit more advanced, is to use a libCURL based script to authenticate to the same interface that the controller webUI uses and inject the CLI command as the webUI would.


The third, which is not recommended for live systems, is to interact with the CLI over ssh. There are various reasons why that is not as good an idea as the above two, so I would focus on one of them instead.




Contributor I

Re: Controller XML-API Blacklist User

Can you speak more to the ESI option? I read through the docs, but I'm not a controller guy - I'm more on the Clearpass/scripting side of things.

Re: Controller XML-API Blacklist User

Apologies for the delay, was out of office. The syslog parser will take a message like

2017-09-10  something user=xyz mac=00:11:22:33:44:55 blah


where the mac can be matched using something like



then you can write an ESI parser rule which does

match mac "mac=(\S+)" set blacklist


This is a fairly simplified and incomplete example; it of course relies on the fact that you have some device able to generate the actual message (in a format you desire).
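
The syslog approach from the replies above, as an added example that is not part of the original thread and is not Aruba's code: a Python sender that builds a line in the `user=... mac=...` shape and checks it against the `mac=(\S+)` pattern before sending. The RFC 3164 style header, UDP port 514, the host and tag names, the function names and the 192.0.2.10 address are assumptions; the field validation keeps a crafted user value from placing its own `mac=` token ahead of the real one.

```python
import re
import socket
from datetime import datetime

# Pattern from the parser rule in the thread; it captures the first "mac=" value.
RULE_PATTERN = re.compile(r"mac=(\S+)")
# Hypothetical allow-list for the user field: no spaces, "=" or control characters.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_message(mac, user, when=None, host="blacklist-script", tag="nac"):
    """Build one syslog line carrying user= and mac= fields (assumed layout)."""
    if not SAFE_TOKEN.fullmatch(user):
        # A space or "=" in user could smuggle a second mac= token into the line.
        raise ValueError(f"unsafe user value: {user!r}")
    stamp = (when or datetime.now()).strftime("%b %d %H:%M:%S")
    # <134> is the RFC 3164 priority for facility local0, severity info.
    return f"<134>{stamp} {host} {tag}: user={user} mac={normalize_mac(mac)}"


def extract_mac(message):
    """Apply the rule's regex to the line; None when nothing matches."""
    found = RULE_PATTERN.search(message)
    return found.group(1) if found else None


def send(message, controller, port=514):
    """Send the line as one UDP datagram (assumes the controller listens on 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("ascii"), (controller, port))


if __name__ == "__main__":
    line = build_message("00-11-22-33-44-55", "xyz")  # constructed sample input
    print(line, "->", extract_mac(line))
    # send(line, "192.0.2.10")  # placeholder controller address
```
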



