Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
HPE Aruba Networking ClearPass SDK has been developed in Python v3.9 to utilise the full functionality of the HPE Aruba Networking ClearPass REST API environment. Each available REST API command is available for use in this module.
Aruba ClearPass SDK has been developed in Python v3.9 to utilise the full functionality of the HPE Aruba Networking ClearPass REST API environment. Each available REST API command is available for use in this module. All responses from HPE Aruba Networking ClearPass API are in JSON format (converted into a Python dictionary object) and any interactions with the API are logged within the Audit Viewer.
This package has been uploaded to https://pypi.org/ and is also available to install via https://github.com/aruba/pyclearpass. These instructions are also available at https://developer.arubanetworks.com/aruba-cppm/docs/getting-started-with-pyclearpass. Installation instructions and usage instructions are also provided below.
The following describes the available top level functionality of the HPE Aruba Networking ClearPass API available within this Python Package.
This package comes without any warranties and should be used at your own risk.
These steps list what is required on the HPE Aruba Networking ClearPass server:
If you need information, refer to the HPE Aruba Networking ClearPass configuration documentation for the API account - https://developer.arubanetworks.com/aruba-cppm/docs/clearpass-configuration
Ensure Python v3.9 or greater is installed on your operating system
Run the following in a command line terminal to install the pip package - pip3 install pyclearpass
or pip install pyclearpass
. This may vary between Operating Systems.
python3 -m build
or python -m build
. This will create a folder called dist with a file containing a .gz extension.pip3 install pathtozip.gz
or pip install pathtozip.gz
. This may vary between Operating Systems.pip3 install git+https://github.com/aruba/pyclearpass
or pip install git+https://github.com/aruba/pyclearpass
. This may vary between Operating Systems.Within your favourite Python IDE environment, create an import reference
from pyclearpass import *
Create a object to login into ClearPass. The login object needs to be passed to use any function within the ClearPass API.
Two examples below shows how to create the login object (either one can be used, but not both).
login = ClearPassAPILogin(server="https://yourserver.network.local:443/api",granttype="client_credentials",
clientsecret="myclientsecretexample", clientid="myclientidexample", verify_ssl=False)
📘
The login object will contain the APIToken once any function has been used. It obtains it once for the session and uses the same token through the execution of the rest of the script. You can extract this token and reuse it for other sessions if required (login.api_token). The token will only be available for reuse until the lifetime expires which was configured when specifying a new API Client within the ClearPass Guest Module.
login = ClearPassAPILogin(server="https://yourserver.network.local:443/api",api_token="yoursecretapitoken", verify_ssl=False)
Find an API you want to use, by prefixing Api
in your IDE and Intellisense will show the available APIs available. Each of the top level API category names are available as a module. Once you have chosen a specific API module to use, for example ApiPolicyElements, it will show you the available methods if you suffix a . to the command - ApiPolicyElements.
The example below prints a single the roles available within the ClearPass server.
print(ApiPolicyElements.get_role(login))
By default, the example above returns the first 25 roles. To view more, the limit needs to be adjusted. Placing your cursor over the .getRole will usually show you help about the method.
print(ApiPolicyElements.get_role(login, limit=100))
Once you have written a specific API ApiName.FunctionName(
, placing your cursor over the command will show you help for the function and what the required parameters are (example is Visual Studio Code). The first parameter is always login.
You may also read the help for the function by calling help(ApiName.function_name)
.
Each function contains a help section on how to use it.
Once an update is available on the Python PyPi repository, you may upgrade your release by completing the following in a command line terminal -
pip3 install pyclearpass --upgrade
or
pip install pyclearpass --upgrade
To install a specific version, execute the following command with x.x.x being the specific version number you want to install.
pip3 install pyclearpass==x.x.x
or
pip install pyclearpass==x.x.x
To remove the Python pyclearpass package, type the following command into a command line terminal -
pip3 uninstall pyclearpass
or
pip uninstall pyclearpass
The examples below all exclude importing the module and creating the login variable. This is described directly below. Note, these are just a full examples, there are hundreds of API commands available within the SDK.
The login variable only needs to be defined once in the script. Two examples are shown below to achieve this;
from pyclearpass import *
login = ClearPassAPILogin(server="https://yourserver.network.local:443/api",granttype="client_credentials",
clientsecret="myclientsecretexample", clientid="myclientidexample", verify_ssl=False)
📘
As mentioned earlier, the login object will contain the API Token once any function has been used. It obtains it once for the session and uses the same token through the execution of the rest of the script. You can extract this token and reuse it for other sessions if required (login.api_token). The token will only be available for reuse until the lifetime expires which was configured when specifying a new API Client within the ClearPass Guest Module.
from pyclearpass import *
login = ClearPassAPILogin(server="https://yourserver.network.local:443/api",api_token="yoursecretapitoken", verify_ssl=False)
import json
LSCGCS = ApiLocalServerConfiguration.get_cluster_server(login)
print(json.dumps(LSCGCS['_embedded']['items'],indent=1))
IGEP = ApiIdentities.get_endpoint(login, calculate_count='true')
print("Total MACs in Table: "+str(IGEP['count']))
print(ApiLogs.get_insight_endpoint_ip_by_ip(login,ip="192.168.0.99"))
AU = ApiGlobalServerConfiguration.get_admin_user(login)
for users in AU['_embedded']['items']:
print(users)
newEndPoint = {
"mac_address": "11:22:33:44:55:66",
"description": "Demo EndPoint 1",
"status": "Known"
}
print(ApiIdentities.new_endpoint(login,body=newEndPoint))
role={"name": "Test1","description": "Test role made using the API Package in Python"}
print(ApiPolicyElements.new_role(login,body=role))
print(ApiPolicyElements.delete_role_name_by_name(login,name='Demo'))
devices = ApiPolicyElements.get_network_device(login)
for device in devices["_embedded"]["items"]:
print(device)
print(ApiPolicyElements.get_network_device_name_by_name(login, "Lab-AP-IAP-VC"))
newNAD = {
"description": "LAB AP IAP VC",
"name": "Lab-AP-IAP-VC",
"ip_address": "192.168.0.100",
"radius_secret": "example_radius_secret",
"tacacs_secret": "example_tacacs_secret",
"vendor_name": "Aruba",
"coa_capable": True,
"coa_port": 3799,
"attributes": {"Device Type": "IAP"},
}
ApiPolicyElements.new_network_device(login, body=newNAD)
This example adds new Network Access Devices based on the CSV (comma delimited values) named "network access devices.csv" with headings and content filled rows.
name | description | ip_address | location |
---|---|---|---|
demo1 | example demo 1 | 192.168.100.1 | UK |
demo2 | example demo 2 | 192.168.100.2 | US |
import pandas as pd
df = pd.read_csv("network access devices.csv")
for index, items in df.iterrows():
newnad = {
"description": items["description"], # Description of the network device. Object Type: string
"name": items["name"], # Name of the network device. Object Type: string
"ip_address": items["ip_address"], # IP or Subnet Address of the network device. Object Type: string
"tacacs_secret": "testing123", # TACACS+ Shared Secret of the network device. Object Type: string
"vendor_name": "Aruba", # Vendor Name of the network device. Object Type: string
"attributes": {"Location": items["location"]},
}
print(ApiPolicyElements.new_network_device(login, body=newnad))
print(items["name"], items["ip_address"])
This example updates Network Access Devices attributes based on the CSV (comma delimited values) named "network access devices updates.csv" with headings and content filled rows.
name | description | location |
---|---|---|
demo1 | updated demo 1 | US |
demo2 | updated demo 2 | UK |
import pandas as pd
df = pd.read_csv("network access devices updates.csv")
for index, items in df.iterrows():
nadupdate = {
"tacacs_secret": "updatedpassword123", # TACACS+ Shared Secret of the network device. Object Type: string
"description": items["description"], # Description of the network device. Object Type: string
"attributes": {"Location": items["location"]},
}
print(ApiPolicyElements.update_network_device_name_by_name(login,name=items["name"],body=nadupdate))
This example updates an Network Device Group with additional IP Addresses 192.168.0.100 and 192.168.0.99.
These Network Access Devices must of been added before they can be appended to the group.
getcurrentnads = ApiPolicyElements.get_network_device_group_name_by_name(login,name="Example")
newnads={"value" : "192.168.0.100, 192.168.0.98"}
newnads["value"]=getcurrentnads['value']+", "+newnads["value"]
print(ApiPolicyElements.update_network_device_group_name_by_name(login,name="Example",body=newnads))
🚧 Ensure completion of validation checks
Validate the Network Access Device exists and is not already part of the Network Device Group before attempting to append to the group.
This example adds a Guest Device including
import time
new_guest_device = {
"enabled": True,
"expire_time": int(time.time()) + 86400,
"mac": "11:22:22:33:33:11",
"notes": "Created by API Test Script",
"role_id": 3,
"sponsor_profile_name": "Super Administrator",
"visitor_name": "API Test Device",
"mpsk":"SecretPassword",
"mpsk_enable":"1"
}
new_device= ApiIdentities.new_device(login,body=new_guest_device)
print(new_device)
import json
get_mac_address = "11-22-33-33-22-11"
view_guest_device = ApiIdentities.get_device_mac_by_macaddr(login,get_mac_address)
print(json.dumps(view_guest_device,indent=2))
print(ApiPolicyElements.delete_enforcement_policy_by_enforcement_policy_id(login,enforcement_policy_id='3058'))
newEnforcementPolicy= {
"name": "MPSK Demo",
"description": "MPSK Enforcement",
"enforcement_type": "RADIUS",
"default_enforcement_profile": "Deny Device",
"rule_eval_algo": "first-applicable",
"rules": ''}
newEnforcementPolicyRules =({"rules":[]})
initialrule = {
"enforcement_profile_names": [
"Sample Enforcement Policy"
],
"condition": [
{
"type": "Connection",
"name": "AP-Name",
"oper": "BEGINS_WITH",
"value": "APDemo"
}
]
}
newEnforcementPolicyRules["rules"].append(initialrule)
for id in range(9,11):
randompsk = random.randint(8000000,9000000)
epf ={
"enforcement_profile_names": [
"Sample Enforcement Policy"
],
"condition": [
{
"type": "Connection",
"name": "AP-Name",
"oper": "BEGINS_WITH",
"value": "APNo"+str(id)
}
]
}
newEnforcementPolicyRules["rules"].append(epf)
newEnforcementPolicy["rules"] = newEnforcementPolicyRules["rules"]
print(ApiPolicyElements.new_enforcement_policy(login,body=newEnforcementPolicy))
📘
You may find it easier to initially pull a working Enforcement Policy with minimal rules before trying to create a new one from scratch.
For example, the rule evaluation in the GUI shows as 'First applicable', however in the back-end it is shown as 'first-applicable'. This example is a working policy. It is demonstrated with a loop which could read an entry in a CSV file if adapted.
epol = ApiPolicyElements.get_enforcement_policy_name_by_name(login, name="MPSK Enforcement")
OriginalRules = epol["rules"]
CombinedRules =({"rules":[]})
for item in range(len(OriginalRules)):
CombinedRules["rules"].append(OriginalRules[item])
for no in range(9,11):
rule ={
"enforcement_profile_names": [
"Sample Enforcement Policy"
],
"condition": [
{
"type": "Connection",
"name": "AP-Name",
"oper": "BEGINS_WITH",
"value": "APNo"+str(no)
}
]
}
CombinedRules["rules"].append(rule)
ApiPolicyElements.update_enforcement_policy_name_by_name(login,name="MPSK Enforcement",body=CombinedRules)
FAQs
HPE Aruba Networking ClearPass SDK has been developed in Python v3.9 to utilise the full functionality of the HPE Aruba Networking ClearPass REST API environment. Each available REST API command is available for use in this module.
We found that pyclearpass demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.