External User Management. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200

Chapter 44

External User Management

This chapter introduces the ArubaOS XML API interface and briefly discusses how you can use simple API calls to perform external user management tasks. Sample scripts are listed at the end of the chapter to help you get started with using the XML API.

Topics in this chapter include: n n n n n

Overview on page 1080

How the ArubaOS XML API Works on page 1080

Creating an XML Request on page 1080

XML Response on page 1083

Sample Scripts on page 1091

Overview

ArubaOS allows you to set up customized external captive portal user management using its native XML API interface. The XML API interface allows you to create and execute user management operations on behalf of the clients or users. You can use the XML API interface to add, delete, authenticate, blacklist, query, or log out a user.

Before you Begin

n n

Enable the External Services Interface software module. This is available in the PEFNG license.

Ensure that you have connectivity between your XML API server and the controllers via HTTPS.

How the ArubaOS XML API Works

The typical interaction between your XML API server and the controller happens using an HTTPS POST command. A typical communication process using the XML API interface happens as follows:

1. An API command is issued from your server in XML format to the controller. The XML request can be composed using a language of your choice using the format described in the

Creating an XML Request on page 1080 . Sample scripts are available in Python or Bourne Shell, using cURL to generate the HTTPS POST

command. See the

Sample Scripts on page 1091 .

2. The XML request is sent using an HTTPS POST command. The common format of the HTTPS POST is https://<controller-ip>/auth/command.xml

. See

Creating an XML Request on page 1080

for more information.

3. The controller processes the XML API request and sends the response to the XML API server. You can use the response and take appropriate action that suits your requirement. The response from the controller is returned using predefined formats. See the

XML Response on page 1083


Creating an XML Request

You can create XML request to add, delete, authenticate, blacklist, query, or logout a user. This section provides

XML request formats that you can use for each task.

ArubaOS 6.5.3.x

| User Guide External User Management | 1080

The XML API functions such as addition, deletion, authentication, blacklisting, querying, and logout have been extended to support IPv6 users in addition to IPv4 users. However, the XML API server must be configured with an

IPv4 address for communication with the controller.

Adding a User

This XML request uses the user_add command to create a new user entry in the controllers user table. If the user entry is already present in the user table, the command will modify the entry with the values defined in the XML request, with an exception of IP and MAC address. Session time-out is only applicable to captive portal users.

xml=<aruba command="user_add">

<ipaddr>IP-address_of_the_user</ipaddr>

<macaddr>MAC-address_of_the_user</macaddr>

<name>User_Name</name>

<role>Role_Name</role>

<session_timeout>Session_timeout</session_timeout>

<key>Shared_Key</key>

<authentication>MD5|SHA-1|cleartext</authentication>

<version>1.0</version>

</aruba>

The following options are mandatory when you execute the user_add command: n n n n n

IP Address

MAC Address (a valid wireless or wired client on the controller)

Key

Authentication

Version

Deleting a User

Do not use the user_delete command if the intention is to clear the association from the controller user table. If the client is dual-stack, it re-inherits the authentication state from the IPv6 address. If not dual-stack, the client reverts to the initial role.

This XML request uses the user_delete command to delete an existing user from the controllers user table.

xml=<aruba command="user_delete">







</aruba>

The following options are mandatory when you execute the user_delete command: n n n n

IP Address

Key

Authentication

Version

Passing the MAC address or username serves only to perform additional validation against the mandatory IP address. For example, if the IP address is 1.2.3.4 and the MAC address passed is 00:11:22:33:44:55 but the real MAC address is 66:77:88:99:aa:bb then the XML request will fail with response code 1, " unknown user " message.

1081 | External User Management ArubaOS 6.5.3.x | User Guide

Authenticating a User

This XML request uses the user_authenticate command to authenticate against the server group defined in the captive portal profile. This is only applicable to captive portal users.

xml=<aruba command="user_authenticate">




<password>Password_for_the_user</password>




</aruba>

The following options are mandatory when you execute the user_authenticate command: n n n n n n

IP Address

Name

Password

Key

Authentication

Version

Passing the MAC address serves only to perform additional validation against the mandatory IP address. For example, if the IP address is 1.2.3.4 and the MAC address passed is 00:11:22:33:44:55 but the real MAC address is

66:77:88:99:aa:bb then the XML request will fail with response code 1, " unknown user " message.

Blacklisting a User

This XML request uses the user_blacklist command to blacklist a user from connecting to your network. This command uses the default blacklist timeout of 3600 seconds. There is no corresponding clear command. You can use the controller CLI to clear the blacklisted clients. Refer the show ap blacklist-clients , stm removeblacklist-client , and stm purge-blacklist-clients commands in the ArubaOS CLI Reference Guide to clear the blacklisted clients.

xml=<aruba command="user_blacklist">







</aruba>

The following options are mandatory when you execute the user_blacklist command: n n n n

IP Address

Key

Authentication

Version


ArubaOS 6.5.3.x


Querying for User Status

This XML request uses the user_query command to get the status and details of a user connected to your network. A dual-stack client can be queried by any of its IPv4 or IPv6 addresses, but only the queried IP address is displayed in the output.

xml=<aruba command="user_query">







</aruba>

The following options are mandatory when you execute the user_query command: n n n n

IP Address

Key

Authentication

Version


Logging Out a User

This XML request uses the user_logout command to revert the user to the initial role. This is only applicable to captive portal users. For dual-stack clients, all user-table entries will be reverted to the initial role.

xml=<aruba command="user_logout">







</aruba> n n

The following options are mandatory when you execute the user_logout command: n n

IP Address

Key

Authentication

Version

XML Response

For every successful XML request the controller will return the processed information as an XML response.

There are two types of responses: Default response and Query response.

Default Response Format

The format of a default XML response from the controller is:

<aruba>

<status>Ok | Error</status>

<code>response_code</code>

<reason>response_message</reason>


</aruba>

In which, n n n the status specifies if the XML response succeeds or fails. If the request succeeds, the status tag will contain the Ok string. If the request fails, the status tag will contain the Error string.

the code is an integer number that represents the error in the request. This tag is populated only if there is an error in the request.

the reason is a message that contains descriptive information about the error.

Response Codes

The following response codes are returned if the XML request returns an Error string.

Table 268: XML Response Codes

Code Reason message

1

2

3 unknown user

The user specified in the XML request does not exist or is incorrect.

If the MAC address or username is specified in the query, the controller restricts the supplied IP address, i.e., the requested user

IP address together with any MAC address and username will not be found.

unknown role

The specified role in the XML request does not exist in the controller.

unknown external agent

Description

Returned by the user_ authenticate , user_delete , user_ blacklist , user_logout , and user_ query commands.

Returned by the user_add command.

4

5 authentication failed

This error string is returned due to an unknown source IP (i.e. not configured as an XML server).

Or,

In case of an user_add command, it is likely to be due to the defaultxml-api AAA profile missing from the AAA authentication wired profile.

Indicates an authentication failure during user_authenticate .

This is only applicable to captive portal users.

—

6

7 invalid command

The XML request contains a command not supported by ArubaOS

XML API interface.

invalid message authentication method

The authentication method specified in the XML request is not supported by the ArubaOS XML API interface.

invalid message digest

Returned by commands that contain the authentication method in the XML request.

This is due to a mismatch in secret between the XML server and the controller XML API profile.

If using non cleartext, this could be an error in the calculation of the hashed secret.

ArubaOS 6.5.3.x


Code

8

9

10

12

13

14

Reason message missing message authentication

The authentication method is not specified in the XML request.

Description

Returned by all commands that require the authentication method in the XML request.

Returned by all commands.

missing or invalid version number

The XML request does not contain the version number or the version number is incorrect.

internal error can't use vlan ip invalid ip

The XML request contains invalid IP address of the user or client.

can't use switch ip

The XML request contains the controllers IP address instead of the client IP address.

—

Indicates the supplied IP matches a

VLAN IP on the controller.

Returned by all commands that required IP address to be specified in the XML request.

Returned by all commands that required IP address to be specified in the XML request.

15

16

17 missing MAC address

The XML request does not contain the MAC address of the user or client.

unsupported command for this user socket failed or timed out waiting for operation to complete

Returned by all commands that required MAC address to be specified in the XML request.

Returned when the requested operation is invalid for the specified user.

Returned when the status of the requested operation is unavailable; usually signifies a socket communication failure or timeout.

Query Command Response Format

The response of the XML request with the user_query command contains detailed information about the status of the user or client.

The status , code and reason values are similar to the default response. The following responses are returned only if the status code returns the Ok string.

Table 269: Query Response Code

Response

Code

Description status Displays the status of the XML response.

code macaddr

Displays the code as an integer number that represents the error in the request. This tag is populated only if there is an error in the request.

Displays the MAC address of the client.


Response

Code ipaddr name role type vlan location age auth_status auth_server auth_method essid bssid phy_type mobility_state in_packets in_octets out_packets out_octets

Description

Displays the IPv4 or IPv6 address of the client.

Displays the hostname of the user or client.

Displays the current role of the authenticated client.

Displays if the client is wired or wireless .

Displays the VLAN ID of the client.

Displays the name of the AP to which the client is associated.

Displays the age of the client in the controller. The age is displayed in DD:HH:MM format

(Day:Hours:Minutes).

Displays the authentication status of the client. Available values are: authenticated or unauthenticated .

Displays the name of the authentication server used for authenticating the client. This information is available only if the client is authenticated by the controller.

Displays the authentication mechanism used to authenticate the client. This information is available only if the client is authenticated by the controller.

Displays the ESSID to which the client is associated.

Displays the BSSID of the AP to which the client is associated.

Displays the physical connection type. Available values are: a , b , g , a-HT , g-HT , and a-

VHT .

Displays the roaming state of the client. Available values are: Wired (Visitor) , Visitor ,

Wired (Away) , Away , Wired (Foreign VLAN) , Foreign VLAN , Wired (Remote) , Associated (Remote) , Wired , and Wireless .

Displays the total number of incoming packets received by the client.

Displays the incoming packets (in bytes) received by the client.

Displays the total number of outgoing packets received by the client.

Displays the outgoing packets (in bytes) received by the client.

Using the XML API Server

Follow the steps below to use the XML API:

1. Configure an XML API server.

2. Associate the XML API server to an appropriate AAA profile.

3. Configure a user role to direct non-authenticated users to the external captive portal server.

4. Configure captive portal profile and associate that to an initial role (example logon ).

5. Create an XML request with the appropriate API call.

6. Process XML response appropriately.

ArubaOS 6.5.3.x


The default logon role of a client or user must have captive-portal enabled.

Configuring the XML API Server

Configure an external XML API server in your AAA infrastructure. In this example, 10.11.12.13 is your server.

The XML API interface on the controller will receive requests from this server.

Define the XML API server and specify the key for verifying requests from your server:

(host) (config) #aaa xml-api server 10.11.12.13

(host) (XML API Server “10.11.12.13”) #key aruba123

Verify the XML API server configuration:

(host) #show aaa xml-api server

XML API Server List

-------------------

Name References Profile Status

----

10.11.12.13

-----------------------

0

Total:1

Associating the XML API Server to a AAA profile

After you define the XML API server profile associate it to the appropriate AAA profile. If the XML API server is not correctly configured in the appropriate profile, the controller will respond with the client not authorized error message. You can add XML API server references to the following AAA profile depending on your requirement:

For wireless users, associate the XML API server to the AAA profile of the virtual AP profile:

(host) (config) #aaa profile wirelessusers

(host) (AAA Profile "wirelessusers") #xml-api-server 10.11.12.13

(host) (AAA Profile "wirelessusers") #exit

(host) (config) #show aaa profile wirelessusers

AAA Profile "wirelessusers"

---------------------------

Parameter

---------

Initial role

MAC Authentication Profile

MAC Authentication Default Role

MAC Authentication Server Group

Value

----logon

N/A guest default

802.1X Authentication Profile N/A

802.1X Authentication Default Role guest

802.1X Authentication Server Group N/A

RADIUS Accounting Server Group N/A

XML API server

RFC 3576 server

User derivation rules

Wired to Wireless Roaming

SIP authentication role

10.11.12.13

N/A

N/A

Enabled

N/A

(host) (config) #wlan virtual-ap wireless-vap

(host) (Virtual AP profile "wireless-vap") #aaa-profile wirelessusers

(host) (AAA Profile "wirelessusers") #exit

(host) (config) #show wlan virtual-ap wireless-vap

Virtual AP profile "wireless-vap"

---------------------------------


Parameter

---------

Virtual AP enable

Allowed band

AAA Profile

Value

-----

Enabled all wirelessusers

802.11K Profile

SSID Profile

VLAN

Forward mode

Deny time range

Mobile IP

HA Discovery on-association

DoS Prevention

Station Blacklisting

Blacklist Time default default

N/A tunnel

N/A

Enabled

Disabled

Disabled

Enabled

3600 sec

Dynamic Multicast Optimization (DMO) Disabled

Dynamic Multicast Optimization (DMO) Threshold 6

Authentication Failure Blacklist Time

Multi Association

3600 sec

Disabled

Strict Compliance

VLAN Mobility

Remote-AP Operation

Drop Broadcast and Unknown Multicast

Disabled

Disabled standard

Disabled

Convert Broadcast ARP requests to unicast

Band Steering

WMM Traffic Management Profile

Enabled

Disabled

N/A

For wired users, associate the XML API server to the AAA profile of the appropriate wired profile:

(host) (config) #aaa profile wiredusers

(host) (AAA Profile "wiredusers") #xml-api-server 10.11.12.13

(host) (AAA Profile "wiredusers") #exit

(host) (config) #aaa authentication wired

(host) (Wired Authentication Profile) #profile wiredusers

(host) (Wired Authentication Profile) #exit

(host) (config) #show aaa authentication wired

Wired Authentication Profile

----------------------------

Parameter

---------

Value

-----

AAA Profile wiredusers

For unknown wired users, associate the XML API server to the default-xml-api AAA profile:

The default-xml-api AAA profile is used only to add or authenticate new users.

The following example illustrates using the default-xml-api AAA profile.

(host) (config) #aaa profile default-xml-api

(host) (AAA Profile "default-xml-api") #xml-api-server 10.11.12.13

(host) (AAA Profile "default-xml-api") #exit

(host) (config) #show aaa profile default-xml-api

AAA Profile "default-xml-api" (Predefined (changed))

----------------------------------------------------

Parameter Value

---------

Initial role

MAC Authentication Profile

----logon

N/A

ArubaOS 6.5.3.x


MAC Authentication Default Role

MAC Authentication Server Group guest default

802.1X Authentication Profile N/A

802.1X Authentication Default Role guest

802.1X Authentication Server Group N/A

RADIUS Accounting Server Group N/A

XML API server

RFC 3576 server

User derivation rules

Wired to Wireless Roaming

SIP authentication role

10.11.12.13

N/A

N/A

Enabled

N/A

Your controller is now ready to receive API calls from your XML API server.

Setting up the Captive Portal Profile

Set up a Captive Portal profile with a login page that will redirect users to the external Captive Portal server.

(host) (config-role) #aaa authentication captive-portal captive-portal-auth

(host) (Captive Portal Authentication Profile "captive-portal-auth") #default-role authenticated

(host) (Captive Portal Authentication Profile "captive-portal-auth") #login-page https://10.11.12.13/cgi-bin/login.pl

(host) (Captive Portal Authentication Profile "captive-portal-auth") #switch-in-redirectionurl

The login-page https://10.11.12.13/cgin-bin/login.pl

is for illustration purposes where the login.pl

is a Perl script on the external server that handles the external captive portal.

Associating the Captive Portal Profile to an Initial Role

(host) (Captive Portal Authentication Profile "captive-portal-auth") #user-role logon

(host) (config-role) #captive-portal captive-portal-auth

(host) (config-role) #session-acl captiveportal

(host) (config-role) #!

You can either create a new ACL or append specific rules to an existing ACLs. To create session ACL for the logon role do the following:

(host) (config) #ip access-list session captiveportal

(host) (config-sess-captiveportal)#user alias xCP svc-https permit

(host) (config-sess-captiveportal)#user alias xCP svc-http permit

(host) (config-sess-captiveportal) #!

(host) (config) #netdestination xCP

(host) (config-dest) #host 10.11.12.13

(host) (config-dest) #!

Creating an XML API Request

You can now create an XML request with an XML API command and send it to the controller via HTTPS POST.

The format of the URL to send the XML request is: https://<controller-ip/auth/command.xml

n n controller-ip : The IP address of the controller that will receive the XML API request command.xml

: The XML request that contains the XML API command.

The format of the XML API request is: xml=<aruba command="<XML API command>">

<options>Value</options>

...


<options>Value</options>

</aruba>

You can specify any of the following commands in the XML request:

Table 270: XML API Command

XML API Command user_add user_delete user_authenticate user_blacklist user_query user_logout

Description

This command creates a new user entry in the controllers user table. If the user entry is already present in the user table, the command will modify the entry with the values defined in the XML request. For an existing user, this command will update any value that is supplied, with an exception of

IP and MAC address. Session time-out is only applicable to captive portal users.

This command deletes an existing user from the controllers user table.

NOTE: Do not use the user_delete command if the intention is to clear the association from the controller user table. If the client is dual-stack, it re-inherits the authentication state from the IPv6 address. If not dualstack, the client reverts to the initial role.

This command authenticates against the server group defined in the captive portal profile. This is only applicable to captive portal users.

This command blacklists a user from connecting to your network. This command uses the default blacklist timeout of 3600 seconds. There is no corresponding clear command. You can use the controller CLI to clear the blacklisted clients. Refer the show ap blacklist-clients , stm removeblacklist-client , and stm purge-blacklist-clients commands in the

ArubaOS CLI Reference Guide to clear the blacklisted clients.

This command fetches the status and details of a user connected to your network. A dual-stack client can be queried by any of its IPv4 or IPv6 addresses, but only the queried IP address is displayed in the output.

This command reverts the user to the initial role. This is only applicable to captive portal users. For dual-stack clients, all user-table entries will be reverted to the initial role.

Each XML API command requires certain mandatory options to successfully execute the task. The list of all available options are:

Table 271: XML API Command Options

Options ipaddr macaddr user role password

Description

IP address of the user in IPv4 or IPv6 format.

MAC address of the user in aa:bb:cc:dd:ee:ff format.

Name of the user.

The role to apply to a newly created user, or change of role for an existing user. This option applies to user_add and user_delete commands only.

The password of the user for authentication.

Range / Defaults

—

Enter MAC address with colon.

64 character string

64 character string

—

ArubaOS 6.5.3.x


Options session_timeout authentication key version

Description

Session time-out in seconds. User will be disconnected after this time.

Authentication method used to authenticate the message and the sender. You can use any of MD5,

SHA-1 or clear text methods of authentication. This option is ignored if shared secret is not configured.

It is, however, mandatory if it is configured.

This is the encoded SHA1/MD5 hash of shared secret or plaintext shared secret.

This option is ignored if shared secret is not configured on the switch.

The actual MD5/SHA-1 hash is 16/20 bytes and consists of binary data. It must be encoded as an

ASCII based HEX string before sending. It must be present when the controller is configured with an xml-api key for the server. Encoded hash length is

32/40 bytes for MD5/SHA-1.

The version of the XML API interface available in the controller. This field is mandatory in all XML API requests.

Range / Defaults

—

—

Current version 1.0

Monitoring External Captive Portal Usage Statistics

To check the external captive portal authentication statistics use the show aaa xml-api statistics command.

This command displays the number of times an authentication command was executed per client. The command also displays the number of times an authentication event occurred and the number of new authentication events that occurred since the last status check.

(host) # show aaa xml-api statistics

Sample Scripts

You can download the sample scripts from support.arubanetworks.com

. Before downloading the scripts, you must read the following disclaimer.

The sample scripts are examples and provided for illustration purposes only. If you plan to use this script in your environment, ensure that the script meets your IT guidelines. By running this script, you acknowledge that Aruba, a

Hewlett Packard Enterprise company is in no way liable for any loss, damage, problems arising from running this script.

The following scripts are available for download:

Python 2.7 Script n

ArubaXMLDemo.py

: This is a Python 2.7 script. This script demonstrates the basic functionality of the XML

API. Using this script, you can send XML requests to add, delete, authenticate, blacklist, query, or log out a user.

Bourne Shell Scripts n n xml_user_add.sh

: This script adds a user using the user_add command.

xml_user_del_or_logout.sh

: The user_delete part of the script deletes an existing user from the controller user table. The user_logout part of the script reverts an existing user to the initial role in the AAA profile.


n xml_user_query.sh

: This script fetches the status and details of a user connected in the network using the user_query command.

The Bourne Shell scripts work on most Unix, Linux, and Mac operating systems. To run on Windows, you can install

Cygwin.

All scripts require cURL to be installed on the XML API server. cURL is an open source command line tool and library for transferring data with URL syntax. You can download cURL from http://curl.haxx.se/download.html

.

XML API using Python 2.7

The information covered in the following section is based on running the ArubaXMLDemo.py

script on a

Windows 8.1 64-bit and Python 2.7.

Understanding Request and Response

The controller processes the XML API request and sends the response to the XML API server. The XML response contains the status of the request and a code in case of an error.

Request format: <script_name> <controller-ip> <secret_key> <command> [options]

Understanding XML API Request Parameters

The

Table 272

lists all parameters that you can use in a request.

Table 272: XML API Request Parameters and Descriptions

Parameter Description script_name controller-ip secret_key

The name of the script executable.

The IP address of the controller that will receive the XML requests.

The password used to validate the authentication request from your authentication server. See

Configuring the XML API Server on page 1087


ArubaOS 6.5.3.x


Parameter command

Options

Description

The XML API command sent to the controller. You can send one of the following commands per request: n use_add : Creates a new user entry in the controllers user table. If the user entry is already present in the user table, the command will modify the entry with the values defined in the XML request. For an existing user, this command will update any value that is supplied, with an exception of IP and MAC address. Session time-out is only applicable to captive portal users.

n n user_delete : Deletes an existing user from the controllers user table.

NOTE: Do not use the user_delete command if the intention is to clear the association from the controller user table. If the client is dual-stack, it re-inherits the authentication state from the IPv6 address. If not dual-stack, the client reverts to the initial role.

user_authenticate : Authenticates against the server group defined in the captive portal profile. This is only applicable to captive portal users.

n user_blacklist : Blacklists a user from connecting to your network. This command uses the default blacklist timeout of 3600 seconds. There is no corresponding clear command. You can use the controller CLI to clear the blacklisted clients. Refer the show ap blacklist-clients , stm remove-blacklist-client , and stm purge-blacklistclients commands in the ArubaOS CLI Reference Guide to clear the blacklisted clients.

n n user_query : Fetches the status and details of a user connected to your network. A dual-stack client can be queried by any of its IPv4 or IPv6 addresses, but only the queried IP address is displayed in the output.

user_logout : Reverts the user to the initial role. This is only applicable to captive portal users. For dual-stack clients, all user-table entries will be reverted to the initial role.

n n n n n n n n n

-i <ip_addr> : Specify the IP address of the user in IPv4 or IPv6 format.

-m <mac_addr> : Specify the MAC address of the user in aa:bb:cc:dd:ee:ff format.

-n <name> : Specify the name of the user.

-p <password> : Specify the password of the user for authentication.

-r role : Specify the role to apply to a newly created user, or change of role for an existing user. This option applies to user_add and user_delete commands only.

-t timeout : Specifies the session time-out in seconds. User will be disconnected after this time.

-v version : Specifies the version of the XML API interface available in the controller.

This field is mandatory is all requests. Default version is 1.0.

-a method : Specifies the encryption method to send the secret key. You can specify

MD5 or SHA-1 or cleartext as the encryption method. By default, cleartext method is used to send the key.

-s sessid : Specifies the active session ID.

Understanding an XML API Response

The response message from the controller is sent in an XML format. The default format of the response is:

[Message header]

Displays the request parameters and other standard header details.

...

...

...

<response>

<status>Status Message</status>

<code>Code in case of an error</code>

</response>

The following section describes few of the XML API requests and responses from the controller.

Adding a User

This XML request uses the user_add command to create a new user entry in the controllers user table.

C:\Python27>python ArubaXMLDemo.py --switch-ip=192.0.2.1 --secret=aruba123 --command=user_add

--ip=192.0.2.2 --mac=a4:e:60:c3:10:59 --role=logon


The command sends the following information in the XML request to the controller: n n n n n n

--switch-ip : IP address of the controller

--secret : Shared secret key (sent as plain text)

--command : XML API command

--ip : IP address of the user

--mac : MAC address of the user

--role : User role

Controller Response

The controller processes using an XML format and sends the following response to the XML API server.

Warning: The specified mac address *must* match the user specified by --ip or the command will fail.

Prepared XML buf

--------------------------------xml=<aruba command="user_add">

<ipaddr>192.0.2.2</ipaddr>

<macaddr>a4:5e:60:c3:10:59</macaddr>

<role>logon</role>

<authentication>cleartext</authentication>

<key>aruba123</key>


</aruba>

---------------------------------

Sending XML request to https://192.0.2.1/auth/command.xml

Controller response status: 200

Response XML

-----------------------------------

<aruba>

<status>Ok</status>

<code>0</code>

</aruba>

-----------------------------------

Controller CLI

You can view the updated details of the user in the controller CLI.

(host) #show user-table

Users

-----

IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming

Essid/Bssid/Phy Profile Forward mode Type Host Name

-------------------------------------------------------- -----

-----------------------------------------

192.0.2.2 a4:5e:60:c3:10:59 logon 00:00:00

User Entries: 1/1

Querying a User

This XML request uses the user_query command to get the status and details of a user connected to your network.

C:\Python27>python ArubaXMLDemo.py --switch-ip=192.0.2.1 --secret=aruba123 --command=user_ query --ip=192.0.2.2

The command sends the following information in the XML request to the controller: n


ArubaOS 6.5.3.x


n n n






Prepared XML buf

--------------------------------xml=<aruba command="user_query">



<key>aruba123</key>


</aruba>

---------------------------------



Response XML

-----------------------------------

<aruba>

<status>Ok</status>

<code>0</code>

<macaddr>a4:5e:60:c3:10:59</macaddr>


<name>John</name>

<role>authenticated</role>

<type>Wireless</type>

<vlan>1034</vlan>

<location>ap225-sales</location>

<age>00:03:51</age>

<auth_status>Authenticated</auth_status>

<auth_server>clearpass-hq1</auth_server>

<auth_method>802.1X</auth_method>

<essid>ethersphere-wpa2</essid>

<bssid>9c:1c:12:92:2e:f1</bssid>

<phy_type>a-VHT-80</phy_type>

<mobility_state>Wireless</mobility_state>

<in_packets>93400</in_packets>

<in_octets>24947332</in_octets>

<out_packets>89042</out_packets>

<out_octets>79397284</out_octets>

</aruba>

Controller CLI

The output of the show user command displays the client information.

(host) #show user

Users

-----

IP MAC

---------------------

192.0.2.2

Name Role

--------a4:5e:60:c3:10:59 John

Age(d:h:m)

---------authenticate 00:03:51

Auth

----

Authenticated

VPN link

--------

Profile Forward mode

------------------

AP name

------ap225-sales

Type Host Name

------------

Roaming Essid/Bssid/Phy

----------------------

Wireless ethersphere-wpa2/9c:1c:12:92:2e:f1/a-VHT-80


User Entries: 1/1

Logging Out a User

This XML request uses the user_logout command to revert the user to the initial role. This is only applicable to captive portal users.

C:\Python27>python ArubaXMLDemo.py --switch-ip=192.0.2.1 --secret=aruba123 --command=user_ logout --ip=192.0.2.2

The command sends the following information in the XML request to the controller: n n n n







Prepared XML buf

--------------------------------xml=<aruba command="user_logout">



<key>aruba123</key>


</aruba>

---------------------------------



Response XML

-----------------------------------

<aruba>

<status>Ok</status>

<code>0</code>

</aruba>

Controller CLI

The output of the show user command displays the client information.

(host) #show user

Users

-----

IP MAC

---------------------

192.0.2.2

Name a4:5e:60:c3:10:59 John

Role

--------initial

AP name

------ap225-sales

Roaming

--------

Wireless

Essid/Bssid/Phy

---------------

Age(d:h:m)

----------

00:00:06

Auth

----

Unauthenticated ethersphere-wpa2/9c:1c:12:92:2e:f1/a-VHT-80

Profile

-------

VPN link

--------

Forward mode

------------

Type Host Name

------------

User Entries: 1/1

ArubaOS 6.5.3.x


External User Management. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200

Chapter 44

External User Management

Overview

Before you Begin

How the ArubaOS XML API Works

Creating an XML Request

Adding a User

Deleting a User

Authenticating a User

Blacklisting a User

Querying for User Status

Logging Out a User

XML Response

Default Response Format

Query Command Response Format

Using the XML API Server

Configuring the XML API Server

Associating the XML API Server to a AAA profile

Creating an XML API Request

Monitoring External Captive Portal Usage Statistics

Sample Scripts

XML API using Python 2.7

Related manuals

Table of contents

External User Management. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200

Chapter 44