Security

  • 1.  ClearPass API response body not containing passwords/secrets

    Posted 9 days ago

    Hi,

    I have recently started to implement the ClearPass API and I am having an issue that the response body is not always the same as the documentation.

    I have checked documentation both here https://developer.arubanetworks.com/cppm/reference/ and the API Explorer/api-docs directly in ClearPass.
    I have tried across multiple ClearPass versions (6.10.7, 6.11.1, 6.11.13 and 6.12.4) with the same results. There are more available API endpoints in later versions 6.12 > 6.11 > 6.10, but all of them seem to be missing the secrets in response body. 

    I am using an API client with:
    Operating Mode = ClearPass REST API - Client will be used for API calls to ClearPass
    Operator Profile = Super Administrator
    Grant Type = Client credentials (grant_type=client_credentials)

    API Endpoints where the response body contains secrets:
    /api/auth-source (As expected)
    /api/local-user (As expected, though only password hash)

    API Endpoints where the response body does not contain secrets:
    /api/network-device (expect "radius_secret": "string" and "tacacs_secret": "string". I receive empty strings, i.e. "radius_secret": "")
    /api/api-client (expect "client_secret": "string". I receive empty strings, i.e. "client_secret": "")
    /api/device (expect "password": "string". "password" is not even returned; I do get "no_password": "1")

    I'm wondering if I am doing something wrong or if this is an error on the ClearPass side.

    My highest priority is the RADIUS/TACACS PSK in /api/network-device

    If anyone is using the API and is able to fetch secrets, please let me know what I am doing wrong :)



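The check the first post describes, as an added example that is not part of the thread and not HPE Aruba code: it builds the client_credentials token request the poster uses, fetches a collection endpoint, and classifies each secret field the poster expected as returned, empty or missing. The endpoint and field names come from the post; the `/api/oauth` JSON body, the HAL-style `_embedded.items` wrapper, the host name and the sample responses are assumptions, and the samples are constructed to mirror what the poster reported so the audit runs offline.

```python
"""Audit ClearPass REST API responses for secret fields that come back empty
or missing.  Added example; not code from the forum thread or from HPE Aruba."""
import json
import urllib.request
from typing import Callable, Dict, List

# Secret fields the poster expected per endpoint (taken from the thread).
EXPECTED_SECRETS: Dict[str, List[str]] = {
    "/api/network-device": ["radius_secret", "tacacs_secret"],
    "/api/api-client": ["client_secret"],
    "/api/device": ["password"],
}

# Constructed sample items mirroring the behaviour the poster reported:
# secrets blank on network devices and API clients, absent on guest devices.
SAMPLE_RESPONSES: Dict[str, List[dict]] = {
    "/api/network-device": [
        {"id": 3001, "name": "core-sw-01", "ip_address": "10.0.0.2",
         "vendor_name": "Aruba", "radius_secret": "", "tacacs_secret": ""},
    ],
    "/api/api-client": [
        {"client_id": "automation", "client_secret": "",
         "grant_types": "client_credentials", "profile_id": 1},
    ],
    "/api/device": [
        {"id": 17, "mac": "00-11-22-33-44-55", "enabled": True, "no_password": "1"},
    ],
}

# Worse states rank higher so a collection report keeps the worst case per field.
_RANK = {"returned": 0, "empty": 1, "missing": 2}


def token_request(base_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build (but do not send) the client_credentials token request.
    Assumption: the ClearPass OAuth2 endpoint is /api/oauth and accepts JSON."""
    payload = json.dumps({"grant_type": "client_credentials",
                          "client_id": client_id,
                          "client_secret": client_secret}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/oauth", data=payload, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})


def fetch_items(base_url: str, endpoint: str, token: str) -> List[dict]:
    """Fetch one page of a collection endpoint with a bearer token (live use only).
    Assumption: list responses wrap items HAL-style under _embedded.items."""
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint + "?limit=25",
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return body.get("_embedded", {}).get("items", [body])


def audit_secrets(endpoint: str, item: dict) -> Dict[str, str]:
    """Classify each expected secret field of one item as returned, empty or missing."""
    result = {}
    for field in EXPECTED_SECRETS.get(endpoint, []):
        if field not in item:
            result[field] = "missing"
        elif item[field] in ("", None):
            result[field] = "empty"
        else:
            result[field] = "returned"
    return result


def audit_endpoints(get_items: Callable[[str], List[dict]]) -> Dict[str, Dict[str, str]]:
    """Audit every endpoint in EXPECTED_SECRETS; get_items is injected so the
    same code runs against SAMPLE_RESPONSES offline or against a live box."""
    report: Dict[str, Dict[str, str]] = {}
    for endpoint in EXPECTED_SECRETS:
        worst: Dict[str, str] = {}
        for item in get_items(endpoint):
            for field, state in audit_secrets(endpoint, item).items():
                if field not in worst or _RANK[state] > _RANK[worst[field]]:
                    worst[field] = state
        report[endpoint] = worst
    return report


if __name__ == "__main__":
    # Offline run over the constructed samples; for a live box obtain a token
    # from token_request() and pass lambda ep: fetch_items(url, ep, token).
    for endpoint, fields in audit_endpoints(lambda ep: SAMPLE_RESPONSES[ep]).items():
        for field, state in fields.items():
            print(f"{endpoint:22} {field:14} {state}")
```

Against a live ClearPass the same report tells you, per endpoint, whether a field is write-only (blank or absent on every item) or merely unset on some objects, which is the distinction the rest of the thread turns on.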


  • 2.  RE: ClearPass API response body not containing passwords/secrets

    Posted 13 hours ago

    Hi Mathias.

    The shared secrets are write-only, so you won't be able to get them from the API. This is the same with Guests and Devices.

    The way I had to do it for automating shared secrets is with web scraping, automating the export via the GUI, then programmatically going through the XML.

    For Guest users and devices there is no way to automate this. Even if you go into the SQL database directly, the password is hashed. The only way to migrate users, for example, is with the guest DB backup option, which you can import elsewhere, but you still cannot view or read the guest and device passwords.



    ------------------------------
    Ben Casey
    KHIPU Networks
    ------------------------------



  • 3.  RE: ClearPass API response body not containing passwords/secrets

    Posted 12 hours ago

    Hi Ben!

    That is sad to hear. Very strange of HPE to decide that the API is unable to read secrets, especially for NADs since the GUI xml export exists and can do it when a password is provided...
    Thanks for the info!

    I created a feature request on innovationzone, hopefully the API will be expanded in the near future.
    Allow API to return passwords/secrets in response body https://innovationzone.arubanetworking.hpe.com/ideas/NAC-I-2241
