Clearpass API Read/Write Device Groups

  • 1.  Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 01:14 PM

    I'm looking for the correct syntax to read the contents of a Clearpass Device Group as well as add a member to an existing group via the API. I have successfully set up API calls to read and write endpoints, but I'm not sure of the syntax for Device Groups. Thanks!



  • 2.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 01:37 PM

    Get all device groups:

    GET https://{{ClearPass-Base-URL}}/api/network-device-group

     

    Get single device group:

    GET https://{{ClearPass-Base-URL}}/api/network-device-group/{{device-group-id}}

     

    Add device to device group:

    PATCH https://{{ClearPass-Base-URL}}/api/network-device-group/{{device-group-id}}

     

    {
    "value": "100.81.0.11"
    }

     

    NOTE: This will override the field, so if you are adding a value, you need to suck in the old values and append the new one.

     



  • 3.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:06 PM

    Thank you - that pointed me in the right direction. The API URL is actually https://{clearpass-server}/tipsapi/config/read/NadGroup.

     

    I was then able to build the XML and apply a filter criteria to get the specific groups I need. Should be relatively simple to build the XML to append to that list and write back to Clearpass. Thanks!



  • 4.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:16 PM

    That's the legacy SOAP API. You should use the new RESTful API which is what I posted.



  • 5.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:21 PM

    Ok, thanks - hadn't realized the API was updated.

     

    Can you point me in the direction of documentation? I tried the URL you sent and it did not work - is there a minimum version for REST API support?



  • 6.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:23 PM


  • 7.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:26 PM

    Thanks again, Tim - I'm getting 403 forbidden errors attempting to just use the API explorer. Shouldn't the base HTTP authentication work for this purpose?



  • 8.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:29 PM
    Are you using a browser? It will redirect you to login.


  • 9.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:31 PM

    Yes - the redirect occurred and I logged in, but now I'm getting 403 errors using the API explorer. I encountered this issue in the past which had me resorting to the SOAP API.



  • 10.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:32 PM
    Screenshot please.


  • 12.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:39 PM

    Untitled-1.jpg

    Screenshot of the API explorer above. When I navigate to /api-docs, I'm redirected to Clearpass Guest to login, which is successful and then I'm redirected back to the /api-docs URL where I select NetworkDeviceGroup and try the GET method. Screenshot is the result.



  • 13.  RE: Clearpass API Read/Write Device Groups

    Posted Feb 16, 2017 02:44 PM
    Did you create an API client and access token? Take a look at that doc. It goes over everything.


  • 15.  RE: Clearpass API Read/Write Device Groups

    Posted Apr 01, 2026 03:30 AM

    Hi!

    I'm relatively new to ClearPass, but we need automation to put and delete Devices to device groups.
    I'm writing here; I do not know where else.

    I can Add/Delete Endpoints and Devices with CURL/Token.

    But managing Device-Groups is terrible.

    I can get/write Groups, but then ALL active Devices have to be written at once via the REST API. It has to look like:


    curl -s -k --request PATCH \
        -H "Authorization: Bearer XXXXX" \
        --url "https://FQDN/api/network-device-group/3019" \
        --header 'content-type: application/json' \
        --data '
    {
      "value": ", 172.29.231.254, 172.29.227.254, 172.29.229.253, 10.254.8.149, 10.254.8.252, 10.254.8.247, 10.254.8.245, 10.254.8.151, 10.254.8.113, 10.254.8.154, 172.29.36.242,...  10.253.42.112/28"
    }
    '

    So I ALWAYS need to put all devices in this list to write the group correctly.

    When I write one new device, the group is fully rewritten.

    When I want to delete one device, the group has to be leaved before, but I have to write the complete group with all active device IPs.

    Is there an easier way to manipulate device groups without the GUI? Via the GUI this is done one by one, and that's also not usable. We must import 10/20 devices a day, and also delete 10-20 devices a day (when swapping one whole location).

    We have about 4000 Switches, 6000 WLAN Instant APs and so on. We are a widespread company in Westfalen Lippe with about 20000 employees.

    Thanks in advance!

    -------------------------------------------



  • 16.  RE: Clearpass API Read/Write Device Groups

    Posted Apr 01, 2026 03:38 AM

    This is how it works, and normally when you program the API it's not a big issue to either fetch the existing first, merge and post again; or take your 'source of truth' and compile the full list from there to make sure removed devices are also removed. But I have not heard before such a dynamic network... feels quite unique.

    Would it be possible to use more generic definitions in your network devices, like a /16? If you have your switches and APs in the same management subnet IP ranges, you may filter your services based on the media in the radius request (Wired vs Wireless); and for Instant wireless, you could also filter on the Aruba ESSID attribute being present or set to a specific value and put your wired services below that. In that case you would be able to eliminate the maintenance on the device groups and use generic configuration.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
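
The fetch, merge and write-back cycle described in posts 2 and 16, as an added example that is not part of the thread and not Aruba's own code. It assumes the GET response carries the members in the same comma-separated "value" string that PATCH accepts; `update_group`, `CPPM_HOST`, `GROUP_ID` and `TOKEN` are hypothetical names, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read-merge-write for a ClearPass
# network device group, because PATCH replaces the whole "value" field.
# Assumption: GET returns members in the same comma-separated "value" string.

# members LIST [DROP]: trim entries, drop empties, duplicates and DROP.
members() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v drop="${2-}" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" || seen[$0]++ || (drop != "" && $0 == (drop "")) { next }
        { out = out (n++ ? ", " : "") $0 }
        END { print out }'
}
add_member()    { members "$1,$2"; }      # add_member LIST NEW
remove_member() { members "$1" "$2"; }    # remove_member LIST OLD (exact match)

# update_group add|remove MEMBER
# Hypothetical wrapper: needs curl and jq; CPPM_HOST, GROUP_ID and TOKEN are
# environment variables chosen for this example.
update_group() {
    url="https://$CPPM_HOST/api/network-device-group/$GROUP_ID"
    # Abort if the read fails: merging into an empty string would wipe the group.
    body=$(curl -sS --fail -H "Authorization: Bearer $TOKEN" "$url") || return 1
    current=$(printf '%s' "$body" | jq -er '.value') || return 1
    case "$1" in
        add)    new=$(add_member "$current" "$2") ;;
        remove) new=$(remove_member "$current" "$2") ;;
        *)      echo "usage: update_group add|remove MEMBER" >&2; return 2 ;;
    esac
    [ -n "$new" ] || { echo "refusing to write an empty group" >&2; return 3; }
    # jq builds the JSON body so the member list is quoted correctly.
    jq -n --arg v "$new" '{value: $v}' |
        curl -sS --fail -X PATCH -H "Authorization: Bearer $TOKEN" \
             -H 'Content-Type: application/json' --data @- "$url"
}

# Constructed sample value (documentation addresses, not a real group).
sample=", 192.0.2.10, 192.0.2.11,192.0.2.10, 198.51.100.0/28"
add_member "$sample" "192.0.2.12"
remove_member "$sample" "192.0.2.11"
```

Unlike the command posted in the thread, the wrapper omits `-k`, so curl verifies the server certificate before sending the bearer token. The read and the write are two separate requests, so run only one updater at a time per group.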



  • 17.  RE: Clearpass API Read/Write Device Groups

    Posted Apr 01, 2026 07:32 AM

    Hi!

    Thanks for the reply.

    The "dynamic" network is very old and a hardware zoo. We have 3Com, ProCurve (AOS) and change them to Aruba AOS-CX, which is easier to use with ClearPass. So the dynamic is "change old devices". 

    Instant APs are easy, because of SSID and a dedicated VLAN or Subnet. Wired and wireless are also divided. The services are at least working fine and nearly well-developed.

    Our source of truth is old and fine, but will be changed in the next 3 Years...

    For Install/Setup CPPM and put it on switches/wifi we had a company, which sold this to us. But they are not familiar with API and scripting. So I did it (like the last 24 years) on my own. And I have a personal problem with python and pyclearpass, which I am not willing to understand... :-) I use bash, perl and PHP. So curl will do the job.

    Thanks again!

    Frank from Münster, Germany

    -------------------------------------------