Monday, May 26, 2014

HTTPS Basic Authentication with ClearPass


"-u" supplies the credentials for HTTP Basic Authentication.
Read, write and delete operations are supported.

----------------------------------------
#curl -k -u admin:eTIPS123 https://10.215.101.30/tipsapi/config/read/LocalUser

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon May 26 17:58:54 JST 2014" version="6.3"/>
  <StatusCode>Success</StatusCode>
  <LocalUsers>
    <LocalUser enabled="true" roleName="[BYOD Operator]" password="demo" userName="demo" userId="demo"/>
    <LocalUser enabled="true" roleName="[BYOD Operator]" password="demo1" userName="demo1" userId="demo1"/>
    <LocalUser enabled="true" roleName="[BYOD Operator]" password="demo2" userName="demo2" userId="demo2"/>
    <LocalUser enabled="true" roleName="[BYOD Operator]" password="demo3" userName="demo3" userId="demo3"/>
    <LocalUser enabled="true" roleName="Receptionist" password="uketsuke" userName="uketsuke" userId="uketsuke"/>
    <LocalUser enabled="true" roleName="[Employee]" password="abab" userName="abab" userId="abab"/>
    <LocalUser enabled="true" roleName="[Employee]" password="bcbc" userName="bcbc" userId="bcbc"/>
    <LocalUser enabled="true" roleName="[Employee]" password="test" userName="test" userId="test"/>
    <LocalUser enabled="true" roleName="[Contractor]" password="abc" userName="abc" userId="abc"/>
    <LocalUser enabled="true" roleName="Receptionist3" password="uke3" userName="uke3" userId="uke3"/>
    <LocalUser enabled="true" roleName="[Employee]" password="cdcd" userName="cdcd" userId="cdcd"/>
    <LocalUser enabled="true" roleName="[Employee]" password="usr30" userName="usr30" userId="usr30"/>
    <LocalUser enabled="true" roleName="Receptionist" password="tst1" userName="tst1" userId="tst1"/>
    <LocalUser enabled="true" roleName="[BYOD Operator]" password="sara" userName="sara" userId="sara"/>
  </LocalUsers>
  <Roles>
    <Role description="uketsuke" name="Receptionist"/>
    <Role description="Receptionist3" name="Receptionist3"/>
    <Role description="Operators with this profile can view and manage their own provisioned devices" name="[BYOD Operator]"/>
    <Role description="Default role for a contractor" name="[Contractor]"/>
    <Role description="Default role for an employee" name="[Employee]"/>
  </Roles>
</TipsApiResponse>

----------------------------------------
curl -k -d @hoge8.txt -u apiadmin:aruba123 https://10.215.101.30/tipsapi/config/write/LocalUser

[root@cent2 ~]# more hoge8.txt
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsApiRequest xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader version="3.0"/>
<LocalUsers>
<LocalUser enabled="true" roleName="[Employee]" password="password" userName="testname6"
 userId="testuser6"/>
</LocalUsers>
</TipsApiRequest>
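The same read and write calls from Python, as an added example (this is not code from the post or from ClearPass itself). It builds the TipsApiRequest XML with an XML library rather than by string pasting, parses the read response, and makes the HTTPS call with Basic auth while verifying the server certificate instead of passing the equivalent of curl -k. Two points worth noting from the output above: Basic auth only base64-encodes user:password, so TLS verification is what keeps those credentials from being read by anything on the path, and the read call returns every local user's password in clear text, so the parser drops that attribute by default. The base URL, credentials and CA bundle path are placeholders; element and attribute names are taken from the request and response shown in the post.

```python
"""Added example, not from the original post: the TipsApi read/write calls
done from Python. Base URL, credentials and CA bundle path are placeholders;
element and attribute names come from the post's own request/response."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

TIPS_NS = "http://www.avendasys.com/tipsapiDefs/1.0"  # namespace from the post


def _q(tag):
    """Clark-notation name ({namespace}tag) for a TipsApi element."""
    return "{%s}%s" % (TIPS_NS, tag)


def build_local_user_request(users, header_version="3.0"):
    """Build the TipsApiRequest body for config/write/LocalUser.

    users: dicts with userId, userName, password, roleName and optional
    enabled (bool). ElementTree escapes the values, so a password or role
    name containing '<' or '"' cannot break out of its attribute.
    """
    ET.register_namespace("", TIPS_NS)  # emit a default xmlns, as the post does
    root = ET.Element(_q("TipsApiRequest"))
    ET.SubElement(root, _q("TipsHeader"), version=header_version)
    container = ET.SubElement(root, _q("LocalUsers"))
    for u in users:
        ET.SubElement(container, _q("LocalUser"),
                      enabled="true" if u.get("enabled", True) else "false",
                      roleName=u["roleName"], password=u["password"],
                      userName=u["userName"], userId=u["userId"])
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            + ET.tostring(root, encoding="unicode"))


def parse_local_users(xml_text, redact=True):
    """Parse a config/read/LocalUser response into (status, [user dicts]).

    The read call returns every local user's password in clear text; with
    redact=True the password attribute is dropped before the records go to
    a log, a report or another system.
    """
    root = ET.fromstring(xml_text)
    status = root.findtext(_q("StatusCode"))  # None for a request document
    users = []
    for el in root.iter(_q("LocalUser")):
        record = dict(el.attrib)
        if redact:
            record.pop("password", None)
        users.append(record)
    return status, users


def tips_api_call(base_url, path, username, password, body=None, cafile=None):
    """GET (read) or POST (write) a TipsApi path with HTTP Basic auth.

    Basic auth only base64-encodes user:password, so TLS is all that protects
    the credentials. Unlike curl -k, this verifies the server certificate;
    pass the ClearPass CA bundle as cafile instead of disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=body.encode("utf-8") if body is not None else None,
        method="POST" if body is not None else "GET",
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/xml"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Sample response, trimmed from the post's own read output (three users kept).
SAMPLE_READ_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsApiResponse xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Mon May 26 17:58:54 JST 2014" version="6.3"/>
<StatusCode>Success</StatusCode>
<LocalUsers>
<LocalUser enabled="true" roleName="[BYOD Operator]" password="demo" userName="demo" userId="demo"/>
<LocalUser enabled="true" roleName="Receptionist" password="uketsuke" userName="uketsuke" userId="uketsuke"/>
<LocalUser enabled="true" roleName="[Contractor]" password="abc" userName="abc" userId="abc"/>
</LocalUsers>
<Roles><Role description="Default role for a contractor" name="[Contractor]"/></Roles>
</TipsApiResponse>"""

if __name__ == "__main__":
    print(parse_local_users(SAMPLE_READ_RESPONSE))
    print(build_local_user_request([{"userId": "testuser6", "userName": "testname6",
                                     "password": "password", "roleName": "[Employee]"}]))
    # Live call against your own ClearPass (placeholders, kept commented out):
    # print(tips_api_call("https://clearpass.example.invalid", "/tipsapi/config/read/LocalUser",
    #                     "apiadmin", "CHANGEME", cafile="/path/to/clearpass-ca.pem"))
```

The write body is fed to tips_api_call as body; the read is a plain GET with the same Authorization header, which matches what curl -u does behind the scenes.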

Wednesday, May 21, 2014


The MC shows each AP's wired MAC address with "show ap database long".
The MC shows the neighboring BSSIDs it currently hears with "show ap monitor".
The MC shows its own BSSID table with "show ap bss-table".

(MC) # show ap database long

AP Database
-----------
Name           Group         AP Type  IP Address     Status              Flags  Switch IP     Standby IP  Wired MAC Address  Serial #   Port  FQLN                                                             Outer IP         User
----           -----         -------  ----------     ------              -----  ---------     ----------  -----------------  --------   ----  ----                                                             --------         ----
am3            am            105      10.215.1.98    Up 27d:14h:46m:8s          10.215.1.252  0.0.0.0     00:24:6c:c2:ac:ad  AL0044649  N/A   am3.Shinbashi.Aruba Japan Shinbashi Office.Main Campus           N/A
demo-room      office        105      10.215.1.89    Up 27d:14h:45m:59s         10.215.1.252  0.0.0.0     00:24:6c:c2:a9:49  AL0043781  N/A   demo-room.Shinbashi.Aruba Japan Shinbashi Office.Main Campus     N/A
labo           am            105      10.215.1.91    Up 27d:14h:46m:5s          10.215.1.252  0.0.0.0     00:24:6c:c0:01:17  AL0000347  N/A   labo.Shinbashi.Aruba Japan Shinbashi Office.Main Campus          N/A
mesh-point-sr  office-video  RAP-109  10.215.1.85    Up 27d:14h:42m:25s  M      10.215.1.252  0.0.0.0     24:de:c6:cb:67:b4  BV0034218  N/A   N/A                                                              N/A
office-1       office        105      10.215.1.96    Up 27d:14h:46m:11s         10.215.1.252  0.0.0.0     00:24:6c:c2:a9:4a  AL0043782  N/A   office-1.Shinbashi.Aruba Japan Shinbashi Office.Main Campus      N/A
office-2       office        105      10.215.1.90    Up 27d:14h:46m:7s          10.215.1.252  0.0.0.0     00:24:6c:c2:a9:51  AL0043789  N/A   office-2.Shinbashi.Aruba Japan Shinbashi Office.Main Campus      N/A
OSAKA-RAP5WN   rap           RAP-5WN  10.215.251.40  Up 5d:1h:0m:14s     Rc2    10.215.1.252  0.0.0.0     00:0b:86:69:10:cf  AG0040199  N/A   N/A                                                              122.215.68.6
osk-rap-3      rap           RAP-3WN  10.215.251.14  Down                Rc2    10.215.1.252  0.0.0.0     00:1a:1e:08:27:f9  BF0000760        N/A                                                              202.229.51.81
rap-tanaka     rap           61       10.215.251.10  Up 27d:12h:28m:0s   R      10.215.1.252  0.0.0.0     00:0b:86:c2:0c:1d  A30002177  N/A   N/A                                                              113.146.13.133
rap-tsujita    rap           65       10.215.251.37  Up 27d:8h:26m:56s   R      10.215.1.252  0.0.0.0     00:1a:1e:c1:a8:5c  A90105018  N/A   N/A                                                              106.167.156.81
rap-yamada     rap           61       10.215.251.38  Up 8d:12h:15m:49s   R      10.215.1.252  0.0.0.0     00:0b:86:c2:1c:b6  A30006426  N/A   N/A                                                              111.107.208.161
rap105-nagoya  rap           105      10.215.251.14  Up 2d:15h:1m:56s    Rc2    10.215.1.252  0.0.0.0     6c:f3:7f:c0:e1:0c  BT0060102  N/A   N/A                                                              222.148.189.136
seminar-room   office        105      10.215.1.88    Up 27d:14h:45m:52s  M      10.215.1.252  0.0.0.0     00:24:6c:c2:a9:4d  AL0043785  N/A   seminar-room.Shinbashi.Aruba Japan Shinbashi Office.Main Campus  N/A
voice-1        office-voice  70       10.215.1.97    Up 27d:14h:45m:16s         10.215.1.252  0.0.0.0     00:0b:86:c4:0a:74  A50001438  N/A   N/A                                                              N/A

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
       c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
       u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP
       M = Mesh node; Y = Mesh Recovery

Port information is available only on 6xx.

--More-- (q) quit (u) pageup (/) search (n) repeat
(MC) #
(MC) #show ap monitor ap-list ap-name office-1

Monitored AP Table
------------------
bssid              essid                            chan  ap-type      phy-type       dos      dt/mt            ut/it   encr             nstas  avg-rssi  curr-rssi  wmacs  ibss
-----              -----                            ----  -------      --------       ---      -----            -----   ----             -----  --------  ---------  -----  ----
00:24:6c:aa:94:a8  ethersphere-wpa2                 108   valid        80211a-HT-40   disable  2371605/2314538  0/0     wpa2-8021x-aes   8      15        15         3      no
00:24:6c:aa:94:a9  Aruba-Guest-Access               108   valid        80211a-HT-40   disable  2371605/2314538  0/0     open             1      15        15         6      no
00:24:6c:aa:94:aa  Aruba-AirGroup                   108   valid        80211a-HT-40   disable  2371605/2314538  0/0     wpa2-psk-aes     0      15        15         0      no
00:24:6c:aa:94:ab  Aruba-BYOD                       108   valid        80211a-HT-40   disable  2371605/2314538  0/0     wpa2-8021x-aes   0      15        15         0      no
00:24:6c:aa:94:ac  Aruba-Provisioning               108   valid        80211a-HT-40   disable  2371605/2314538  0/0     open             0      15        15         0      no
6c:f3:7f:94:4e:28  asato108                         124   rogue        80211a-HT-40   disable  46997/2857       360/1   wpa2-psk-aes     0      0         44         0      no
00:24:6c:aa:95:08  cp61-internal                    36    rogue        80211a-HT-40   disable  25238/4689       34/0    wpa2-8021x-aes   0      0         37         0      no
6c:f3:7f:e7:ea:70  TK-11ac-psk                      36    rogue        80211a-VHT-80  disable  12220/58         167/0   wpa2-psk-aes     0      0         30         0      no
00:24:6c:aa:95:0d  test-vpn                         36    rogue        80211a-HT-40   disable  6267/3741        227/1   open             0      0         54         0      no
00:24:6c:aa:95:09  cp61-onboard                     36    rogue        80211a-HT-40   disable  6267/3741        227/1   open             0      0         54         0      no
d8:c7:c8:24:56:88  ike-employee                     124   rogue        80211a-HT-40   disable  6147/1516        50/2    wpa2-8021x-aes   0      0         28         0      no
00:24:6c:aa:94:98  ethersphere-wpa2                 64    valid        80211a-HT-40   disable  3652/35          311/0   wpa2-8021x-aes   1      0         7          0      no
00:24:6c:aa:94:99  papaya                           64    valid        80211a         disable  3484/33          13/0    wep              0      5         4          0      no
d8:c7:c8:24:56:89  ike-Guest                        124   rogue        80211a-HT-40   disable  3000/26          513/2   open             0      0         30         0      no
d8:c7:c8:24:56:8a  ike-Lync                         124   rogue        80211a-HT-40   disable  3000/26          513/2   wpa2-psk-aes     0      0         29         0      no
00:24:6c:aa:94:9d  Aruba-Provisioning               64    valid        80211a-HT-40   disable  2927/30          23/1    open             0      6         6          0      no
d8:c7:c8:5d:13:49  test-2-dot1x                     124   rogue        80211a         disable  2772/24          1045/8  wpa2-8021x-tkip  0      0         5          0      no
d8:c7:c8:5d:13:48  test-2-psk                       124   rogue        80211a         disable  2735/22          1045/8  wpa2-psk-tkip    0      0         5          0      no
50:a7:33:37:7d:3c  au_Wi-Fi                         124   interfering  80211a-HT-40   disable  2495/21          217/0   wpa2-psk-aes     0      0         7          0      no
50:a7:33:77:7d:3c  Wi2premium                       124   interfering  80211a-HT-40   disable  2495/21          217/0   open             0      0         8          0      no
50:a7:33:b7:7d:3c  Wi2premium_club                  124   interfering  80211a-HT-40   disable  2495/21          217/0   wpa-psk-tkip     0      0         7          0      no
50:a7:33:f7:7d:3c  LAWSON_Wi-Fi                     124   interfering  80211a-HT-40   disable  2483/19          217/0   open             0      0         8          0      no
50:a7:33:37:7d:3d  au_Wi-Fi2                        124   interfering  80211a-HT-40   disable  2483/19          217/0   wpa2-8021x-aes   0      0         9          0      no
6c:f3:7f:94:4c:ca  ssk-instant                      100   valid        80211a-HT-40   disable  2124/16          287/1   wpa2-psk-aes     0      0         40         0      no
6c:f3:7f:d2:e5:f0  f6ca429bc897522796979bddf24b920  100   rogue        80211a-HT-40   disable  1647/6           1394/4  wpa-psk-tkip     0      0         40         0      no
6c:f3:7f:d2:e5:f2  instant-jungjoon1                100   rogue        80211a-HT-40   disable  1647/6           1394/4  wpa2-8021x-aes   0      0         41         0      no
6c:f3:7f:d2:e5:f3  instant-jungjoon1-guest          100   rogue        80211a-HT-40   disable  1647/6           1394/4  open             0      0         40         0      no
00:24:6c:aa:95:18  ethersphere-wpa2                 108   valid        80211a-HT-40   disable  1475/82          0/0     wpa2-8021x-aes   0      42        42         1      no
00:24:6c:aa:94:9c  Aruba-BYOD                       64    valid        80211a-HT-40   disable  1429/15          23/1    wpa2-8021x-aes   0      5         5          0      no
00:24:6c:aa:94:9b  Aruba-Guest-Access               64    valid        80211a-HT-40   disable  1417/15          23/1    open             0      5         5          0      no
00:24:6c:aa:94:9a  Aruba-AirGroup                   64    valid        80211a-HT-40   disable  1152/14          23/1    wpa2-psk-aes     0      6         6          0      no
6c:f3:7f:da:7d:b2  TK-IAP-guest                     60    interfering  80211a-HT-40   disable  181/23           48/0    wpa2-psk-aes     0      39        39         0      no
6c:f3:7f:da:7d:b3  TK-IAP-guest-2                   60    interfering  80211a-HT-40   disable  181/23           48/0    wpa2-psk-aes     0      39        39         0      no
6c:f3:7f:da:7d:b4  TK-IAP-guest-50000               60    interfering  80211a-HT-40   disable  181/23           48/0    wpa2-psk-aes     0      39        39         0      no
00:24:6c:aa:95:19  Aruba-Guest-Access               108   valid        80211a-HT-40   disable  67/67            0/0     open             0      42        42         0      no
00:24:6c:aa:95:1a  Aruba-AirGroup                   108   valid        80211a-HT-40   disable  67/67            0/0     wpa2-psk-aes     0      42        42         0      no
00:24:6c:aa:95:1b  Aruba-BYOD                       108   valid        80211a-HT-40   disable  67/67            0/0     wpa2-8021x-aes   0      42        42         0      no
00:24:6c:aa:95:1c  Aruba-Provisioning               108   valid        80211a-HT-40   disable  67/67            0/0     open             0      42        42         0      no
Start:0
Length:38
Total:38

(MC) #
(MC) #show ap bss-table

fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)

Aruba AP BSS Table
------------------
bss                ess                 port  ip             phy   type      ch/EIRP/max-EIRP  cur-cl  ap name        in-t(s)  tot-t            mtu   acl-state  acl  fm
---                ---                 ----  --             ---   ----      ----------------  ------  -------        -------  -----            ---   ---------  ---  --
00:24:6c:aa:95:10  papaya              N/A   10.215.1.90    g     ap        11/9/22.5         6       office-2       0        27d:14h:47m:52s  1500  -          1    T
00:24:6c:aa:95:18  ethersphere-wpa2    N/A   10.215.1.90    a-HT  ap        108+/9/24         1       office-2       0        5d:1h:49m:12s    1500  -          1    T
00:24:6c:aa:95:19  Aruba-Guest-Access  N/A   10.215.1.90    a-HT  ap        108+/9/24         0       office-2       0        5d:1h:49m:12s    1500  -          75   T
00:24:6c:aa:95:1a  Aruba-AirGroup      N/A   10.215.1.90    a-HT  ap        108+/9/24         0       office-2       0        5d:1h:49m:12s    1500  -          80   T
00:24:6c:aa:95:1b  Aruba-BYOD          N/A   10.215.1.90    a-HT  ap        108+/9/24         0       office-2       0        5d:1h:49m:12s    1500  -          1    T
00:24:6c:aa:95:1c  Aruba-Provisioning  N/A   10.215.1.90    a-HT  ap        108+/9/24         0       office-2       0        5d:1h:49m:12s    1500  -          73   T
00:0b:86:c0:a7:40  papaya              N/A   10.215.1.97    g     ap        14/18.5/18.5      3       voice-1        0        27d:14h:47m:17s  1500  -          1    T
00:0b:86:a1:cb:61  ethersphere-wpa2    N/A   10.215.251.38  g     ap        11/20/20          1       rap-yamada     0        1d:16h:4m:49s    1200  -          1    T
00:24:6c:80:11:70                      N/A   10.215.1.91    g-HT  Spectrum  ?/?/?             0       labo           0        27d:14h:47m:51s  1500  -          1    Bs
00:24:6c:80:11:78                      N/A   10.215.1.91    a-HT  Spectrum  ?/?/?             0       labo           0        27d:14h:47m:51s  1500  -          1    Bs
00:24:6c:aa:94:93  papaya              N/A   10.215.1.89    g     ap        1/9/22.5          0       demo-room      0        27d:14h:47m:44s  1500  -          1    T
00:24:6c:aa:94:98  ethersphere-wpa2    N/A   10.215.1.89    a-HT  ap        64-/9/22          4       demo-room      0        9d:1h:56m:26s    1500  -          1    T
00:24:6c:aa:94:99  papaya              N/A   10.215.1.89    a     ap        64/9/22           0       demo-room      0        9d:1h:56m:26s    1500  -          1    T
00:24:6c:aa:94:9a  Aruba-AirGroup      N/A   10.215.1.89    a-HT  ap        64-/9/22          1       demo-room      0        9d:1h:56m:26s    1500  -          80   T
00:24:6c:aa:94:9b  Aruba-Guest-Access  N/A   10.215.1.89    a-HT  ap        64-/9/22          0       demo-room      0        9d:1h:56m:26s    1500  -          75   T
00:24:6c:aa:94:9c  Aruba-BYOD          N/A   10.215.1.89    a-HT  ap        64-/9/22          0       demo-room      0        9d:1h:56m:26s    1500  -          1    T
00:24:6c:aa:94:9d  Aruba-Provisioning  N/A   10.215.1.89    a-HT  ap        64-/9/22          0       demo-room      0        9d:1h:56m:26s    1500  -          73   T
d8:c7:c8:fd:4c:a0  ethersphere-wpa2    N/A   10.215.251.40  a-HT  ap        48-/12/20         0       OSAKA-RAP5WN   0        1d:16h:4m:48s    1200  -          1    T
00:24:6c:aa:94:a8  ethersphere-wpa2    N/A   10.215.1.96    a-HT  ap        108+/9/24         5       office-1       0        27d:14h:47m:58s  1500  -          1    T
00:24:6c:aa:94:a9  Aruba-Guest-Access  N/A   10.215.1.96    a-HT  ap        108+/9/24         0       office-1       0        27d:14h:47m:58s  1500  -          75   T
00:24:6c:aa:94:aa  Aruba-AirGroup      N/A   10.215.1.96    a-HT  ap        108+/9/24         0       office-1       0        27d:14h:47m:58s  1500  -          80   T
00:24:6c:aa:94:ab  Aruba-BYOD          N/A   10.215.1.96    a-HT  ap        108+/9/24         0       office-1       0        27d:14h:47m:58s  1500  -          1    T
00:24:6c:aa:94:ac  Aruba-Provisioning  N/A   10.215.1.96    a-HT  ap        108+/9/24         0       office-1       0        27d:14h:47m:58s  1500  -          73   T
6c:f3:7f:8e:10:c0  ethersphere-wpa2    N/A   10.215.251.14  g-HT  ap        11/22.5/22.5      0       rap105-nagoya  0        15h:3m:5s        1200  -          1    T
00:1a:1e:9a:85:c0  ethersphere-wpa2    N/A   10.215.251.37  g     ap        11/20/20          0       rap-tsujita    0        1d:16h:4m:54s    1200  -          1    T
6c:f3:7f:8e:10:c1  papaya              N/A   10.215.251.14  g     ap        11/22.5/22.5      0       rap105-nagoya  0        15h:3m:5s        1200  -          1    T
00:1a:1e:9a:85:c1  papaya              N/A   10.215.251.37  g     ap        11/20/20          0       rap-tsujita    0        1d:16h:4m:54s    1200  -          1    T
6c:f3:7f:8e:10:c8  ethersphere-wpa2    N/A   10.215.251.14  a-HT  ap        116+/24/24        0       rap105-nagoya  0        15h:3m:5s        1200  -          1    T
00:1a:1e:9a:85:c8  ethersphere-wpa2    N/A   10.215.251.37  a     ap        48/20/20          0       rap-tsujita    0        1d:16h:4m:54s    1200  -          1    T
00:24:6c:aa:ca:d0                      N/A   10.215.1.98    g-HT  Spectrum  ?/?/?             0       am3            0        27d:14h:47m:55s  1500  -          1    Bs
00:0b:86:a0:c1:d1  ethersphere-wpa2    N/A   10.215.251.10  g     ap        11/20/20          0       rap-tanaka     0        10h:34m:46s      1200  -          1    T
00:0b:86:a0:c1:d2  papaya              N/A   10.215.251.10  g     ap        11/20/20          0       rap-tanaka     0        10h:34m:46s      1200  -          1    T

Port information is available only on 6xx controller.
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.


fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)

Aruba AP BSS Table
------------------
bss                ess                 port  ip             phy   type      ch/EIRP/max-EIRP  cur-cl  ap name        in-t(s)  tot-t            mtu   acl-state  acl  fm
---                ---                 ----  --             ---   ----      ----------------  ------  -------        -------  -----            ---   ---------  ---  --
00:24:6c:aa:94:d3  papaya              N/A   10.215.1.88    g     ap        1/9/22.5          0       seminar-room   0        27d:14h:47m:39s  1500  -          1    T
00:24:6c:aa:ca:d8                      N/A   10.215.1.98    a-HT  Spectrum  ?/?/?             0       am3            0        27d:14h:47m:56s  1500  -          1    Bs
00:24:6c:aa:94:da  Aruba-AirGroup      N/A   10.215.1.88    a-HT  ap        100+/9/24         1       seminar-room   0        27d:14h:47m:39s  1500  -          80   T
00:24:6c:aa:94:db  Aruba-Guest-Access  N/A   10.215.1.88    a-HT  ap        100+/9/24         2       seminar-room   0        27d:14h:47m:39s  1500  -          75   T
00:24:6c:aa:94:dc  ethersphere-wpa2    N/A   10.215.1.88    a-HT  ap        100+/9/24         1       seminar-room   0        27d:14h:47m:39s  1500  -          1    T
00:24:6c:aa:94:dd  papaya              N/A   10.215.1.88    a     ap        100/9/24          0       seminar-room   0        27d:14h:47m:39s  1500  -          1    T
00:24:6c:aa:94:de  Aruba-BYOD          N/A   10.215.1.88    a-HT  ap        100+/9/24         0       seminar-room   0        27d:14h:47m:39s  1500  -          1    T
00:24:6c:aa:94:df  Aruba-Provisioning  N/A   10.215.1.88    a-HT  ap        100+/9/24         0       seminar-room   0        27d:14h:47m:39s  1500  -          73   T
24:de:c6:cb:67:b4  N/A                 2/0   10.215.1.85    e0    N/A       N/A               N/A     mesh-point-sr  0        27d:14h:44m:13s  1500  N/A        77   T
00:0b:86:69:10:d0  N/A                 2/0   10.215.251.40  e1    N/A       N/A               N/A     OSAKA-RAP5WN   0        1d:16h:4m:49s    1200  N/A        1    T
00:0b:86:69:10:d1  N/A                 2/0   10.215.251.40  e2    N/A       N/A               N/A     OSAKA-RAP5WN   0        1d:16h:4m:49s    1200  N/A        1    T
00:0b:86:69:10:d2  N/A                 2/0   10.215.251.40  e3    N/A       N/A               N/A     OSAKA-RAP5WN   0        1d:16h:4m:49s    1200  N/A        1    T
00:0b:86:69:10:d3  N/A                 2/0   10.215.251.40  e4    N/A       N/A               N/A     OSAKA-RAP5WN   0        1d:16h:4m:49s    1200  N/A        1    T

Port information is available only on 6xx controller.
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

Num APs:45
Num Associations:25

Neighboring AP

Both the controller and the IAP can list the BSSIDs of neighboring APs; the controller output includes RSSI as well.
Controller: show wms ap list
IAP: show ids aps

--------------------------------
Controller
--------------------------------
(Aruba) #show wms ap list

AP Tree
-------
Monitor Eth MAC    Radio  BSSID              ESSID                             RSSI  Dur  Cnt   Class                 Clients  AP-name  Encryp          IBSS
---------------    -----  -----              -----                             ----  ---  ---   -----                 -------  -------  ------          ----
00:0b:86:69:10:cf  1      00:00:eb:e7:43:d0  docomo                            0     158  0     interfering           0                 wep             no
00:0b:86:69:10:cf  1      00:00:eb:e7:43:d1  0000docomo                        0     158  0     interfering           0                 wpa2-psk-aes    no
00:0b:86:69:10:cf  1      00:09:b4:71:05:90  0001softbank                      18    158  4     interfering           0                 open            no
00:0b:86:69:10:cf  1      00:09:b4:71:05:a0  0001softbank                      11    158  3     interfering           0                 open            no
00:0b:86:69:10:cf  1      00:09:b4:71:0a:94  0001softbank                      24    158  4     interfering           0                 open            no
00:0b:86:69:10:cf  1      00:09:b4:71:0d:10  0001softbank                      36    158  6     interfering           0                 open            no
00:0b:86:69:10:cf  1      00:09:b4:71:0d:14  0001softbank                      37    158  4     interfering           0                 open            no
00:0b:86:69:10:cf  1      00:0b:86:6f:ce:d0  A-MSFTWLAN                        11    158  1     interfering           0                 wpa-8021x-tkip  no
00:0b:86:69:10:cf  1      00:0b:86:6f:ce:d1  MSFTOPEN                          11    158  1     interfering           0                 open            no
00:0b:86:69:10:cf  1      00:0b:86:6f:db:50  A-MSFTWLAN                        7     158  2     interfering           0                 wpa-8021x-tkip  no

--------------------------------
IAP
--------------------------------
6c:f3:7f:c5:a7:da# show ids aps

Unknown Access Points Detected
------------------------------
MAC Address        Network                  Classification  Chan.  Type     Last Seen
-----------        -------                  --------------  -----  ----     ---------
00:24:6c:aa:94:93  papaya                   Interfering     1      G        12:00:08
00:24:6c:81:8c:39  test-03-dot1x            Rogue           44     AN 40MZ  11:45:37
00:24:6c:aa:94:aa  Aruba-AirGroup           Interfering     60     AN 40MZ  11:47:37
6c:f3:7f:94:4e:2a  hotspot2.0               Interfering     36     AN 40MZ  11:59:08
d8:c7:c8:24:56:88  ike-employee             Interfering     60     AN 40MZ  11:57:07
00:0b:86:c0:a7:40  papaya                   Rogue           14     G        11:57:38
6c:f3:7f:d2:e5:e3  instant-jungjoon1-guest  Interfering     1      GN 20MZ  12:00:08
00:24:a5:e8:09:92  0024A5E80992_G           Interfering     1      GN 20MZ  12:00:08
6c:f3:7f:94:4d:72  captive-test             Interfering     11     GN 20MZ  12:00:08
00:24:6c:81:8c:3a  test-03-guest            Interfering     44     AN 40MZ  11:45:37
6c:f3:7f:11:f9:2a  instant-jungjoon1        Interfering     108    AN 40MZ  12:00:08
00:24:6c:aa:94:ab  Aruba-BYOD               Interfering     60     AN 40MZ  11:47:37
d8:c7:c8:24:56:89  ike-Guest                Interfering     60     AN 40MZ  11:45:37
00:24:a5:e8:09:93  0024A5E80992_A           Interfering     48     AN 40MZ  11:57:07
d8:c7:c8:c3:a5:c2  TK-employee              Interfering     11     GN 20MZ  11:53:37
00:24:6c:aa:94:da  Aruba-AirGroup           Interfering     100    AN 40MZ  12:00:08
6c:f3:7f:11:f9:2b  instant-jungjoon1-guest  Interfering     108    AN 40MZ  12:00:08
00:24:6c:aa:94:ac  Aruba-Provisioning       Interfering     60     AN 40MZ  11:47:37
d8:c7:c8:24:56:8a  ike-Lync                 Interfering     60     AN 40MZ  11:45:37
00:24:6c:aa:95:08  cp61-internal            Interfering     116    AN 40MZ  11:54:07
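The tables above are fixed-width, and blank cells (an AP with no flags, the empty AP-name column in "show wms ap list") make whitespace splitting shift fields into the wrong column. As an added example that is not code from the post or from Aruba, the following Python parser takes the column offsets from the dashes line under each header, which works for "show ap database long", "show ap monitor" and "show wms ap list" alike, and then applies two triage helpers: rogue-classified BSSIDs ordered by signal strength, and BSSIDs advertising open, WEP or TKIP security. The two sample outputs embedded below are trimmed copies of the post's own output; the helper names and their default column names are this example's assumptions.

```python
"""Added example, not from the post: positional parser for Aruba CLI tables
(header line + dashes line) with two triage helpers. The samples are trimmed
from the post's own 'show ap monitor' and 'show wms ap list' output."""
import re


def _column_spans(dash_line):
    """Start/end offsets of each column, taken from the runs of dashes."""
    starts = [m.start() for m in re.finditer(r"-+", dash_line)]
    return list(zip(starts, starts[1:] + [None]))


def parse_aruba_table(text):
    """Return the rows of the first multi-column table in text as dicts.

    Columns are sliced by offset, so an empty cell (an AP with no flags, a
    blank AP-name) stays under its own header instead of shifting the rest
    of the row left, which is what str.split() would do.
    """
    lines = text.splitlines()
    for i in range(1, len(lines)):
        line = lines[i]
        if line.strip() and not line.strip("- "):        # dashes-only line
            spans = _column_spans(line)
            if len(spans) > 1 and lines[i - 1].strip():  # skip title underlines
                header, first_row = lines[i - 1], i + 1
                break
    else:
        raise ValueError("no header/dashes pair found")
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[first_row:]:
        if not line.strip():                 # blank line ends the table
            break
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def rogue_bssids(rows, class_field="ap-type", rssi_field="curr-rssi"):
    """Rows the controller classified as rogue, strongest signal first."""
    rogue = [r for r in rows if r.get(class_field, "").lower() == "rogue"]
    return sorted(rogue, key=lambda r: int(r[rssi_field]), reverse=True)


def weakly_encrypted(rows, encr_field="encr"):
    """Rows advertising open, WEP or TKIP security (worth a policy check)."""
    def weak(e):
        e = e.lower()
        return e in ("open", "wep") or "tkip" in e
    return [r for r in rows if weak(r.get(encr_field, ""))]


# Trimmed from the post's 'show ap monitor ap-list ap-name office-1' output.
SHOW_AP_MONITOR = """
Monitored AP Table
------------------
bssid              essid                            chan  ap-type      phy-type       dos      dt/mt            ut/it   encr             nstas  avg-rssi  curr-rssi  wmacs  ibss
-----              -----                            ----  -------      --------       ---      -----            -----   ----             -----  --------  ---------  -----  ----
00:24:6c:aa:94:a8  ethersphere-wpa2                 108   valid        80211a-HT-40   disable  2371605/2314538  0/0     wpa2-8021x-aes   8      15        15         3      no
6c:f3:7f:94:4e:28  asato108                         124   rogue        80211a-HT-40   disable  46997/2857       360/1   wpa2-psk-aes     0      0         44         0      no
00:24:6c:aa:95:0d  test-vpn                         36    rogue        80211a-HT-40   disable  6267/3741        227/1   open             0      0         54         0      no
00:24:6c:aa:94:99  papaya                           64    valid        80211a         disable  3484/33          13/0    wep              0      5         4          0      no
50:a7:33:77:7d:3c  Wi2premium                       124   interfering  80211a-HT-40   disable  2495/21          217/0   open             0      0         8          0      no

Start:0
"""

# Trimmed from the post's 'show wms ap list' output (AP-name column is blank).
SHOW_WMS_AP_LIST = """(Aruba) #show wms ap list

AP Tree
-------
Monitor Eth MAC    Radio  BSSID              ESSID                             RSSI  Dur  Cnt   Class                 Clients  AP-name  Encryp          IBSS
---------------    -----  -----              -----                             ----  ---  ---   -----                 -------  -------  ------          ----
00:0b:86:69:10:cf  1      00:00:eb:e7:43:d0  docomo                            0     158  0     interfering           0                 wep             no
00:0b:86:69:10:cf  1      00:0b:86:6f:ce:d0  A-MSFTWLAN                        11    158  1     interfering           0                 wpa-8021x-tkip  no
"""

if __name__ == "__main__":
    rows = parse_aruba_table(SHOW_AP_MONITOR)
    for r in rogue_bssids(rows):
        print("rogue:", r["bssid"], r["essid"], "rssi", r["curr-rssi"])
    for r in weakly_encrypted(parse_aruba_table(SHOW_WMS_AP_LIST), "Encryp"):
        print("weak:", r["BSSID"], r["ESSID"], r["Encryp"])
```

"rogue" in the ap-type/Class column is the controller's own classification (a BSSID it believes is attached to the wired network), so the rogue list is the one to follow up first; "interfering" entries are neighbours that merely share the air.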

Thursday, May 15, 2014

Aruba Activate API


Aruba Activate supports an external API that uses JSON.


URL
https://activate.arubanetworks.com/api/ext/inventory.json?action=update

POST
json={"devices":[{"mac":"00:0B:86:CF:95:8C" ,"folderId" : "2f3362fe-a8ca-11e1-9eaf-a4badbe0f786"} , {"mac":"D8:C7:C8:C4:6B:EC" ,"folderId" : "2f3362fe-a8ca-11e1-9eaf-a4badbe0f786"} , {"mac": "6C:F3:7F:C1:44:DE" ,"folderId" : "2f3362fe-a8ca-11e1-9eaf-a4badbe0f786"} , {"mac": "D8:C7:C8:C8:EB:E8" ,"folderId" : "2f3362fe-a8ca-11e1-9eaf-a4badbe0f786"} , {"mac": "D8:C7:C8:C4:40:67" ,"folderId" : "2f3362fe-a8ca-11e1-9eaf-a4badbe0f786"}]}

HTTP/1.1 200 OK
Date: Thu, 15 May 2014 02:33:42 GMT
Cache-Control: no-cache
Content-Disposition: inline;filename=inventory.json
Content-Length: 93
Content-Type: application/json; charset=utf-8
Expires: -1
Pragma: no-cache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

Data

{"info":{"api":"inventory","version":"1.4"},"message":{"text":"5 devices updated.","code":0}}
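The request above is not a raw JSON body: the JSON document is the value of a form field named json, so a client has to URL-encode it as such. As an added example (not code from the post or from Aruba Activate), the Python below normalizes the device MACs into the colon-separated uppercase form the post uses, validates the folderId as a UUID, produces the encoded form body, and checks the reply's message.code and "N devices updated." count against the number sent. The function names are this example's own; the sample response is the one in the post.

```python
"""Added example, not from the post: building and checking an Activate
inventory.json?action=update call. Function names are this example's own."""
import json
import re
import uuid
from urllib.parse import urlencode

# Endpoint as shown in the post.
ACTIVATE_UPDATE_URL = "https://activate.arubanetworks.com/api/ext/inventory.json?action=update"


def normalize_mac(mac):
    """Accept 00:0b:86:cf:95:8c, 00-0B-86-..., 000b.86cf.958c or bare hex and
    return the AA:BB:CC:DD:EE:FF form used in the post's request."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_inventory_update(macs, folder_id):
    """Payload for action=update: every device moved into one folder."""
    folder = str(uuid.UUID(folder_id))  # raises ValueError on a malformed id
    return {"devices": [{"mac": normalize_mac(m), "folderId": folder} for m in macs]}


def encode_form_body(payload):
    """Activate expects a form field named json, not a bare JSON body."""
    return urlencode({"json": json.dumps(payload, separators=(",", ":"))})


def check_update_response(body_text, expected):
    """Interpret the reply; code 0 plus a matching 'N devices updated.' count."""
    body = json.loads(body_text)
    msg = body.get("message", {})
    if msg.get("code") != 0:
        raise RuntimeError("Activate returned code %r: %s" % (msg.get("code"), msg.get("text")))
    m = re.match(r"(\d+) devices? updated\.", msg.get("text", ""))
    updated = int(m.group(1)) if m else -1
    return {"api": body["info"]["api"], "version": body["info"]["version"],
            "updated": updated, "all_updated": updated == expected}


# Response body exactly as shown in the post.
SAMPLE_RESPONSE = '{"info":{"api":"inventory","version":"1.4"},"message":{"text":"5 devices updated.","code":0}}'

if __name__ == "__main__":
    payload = build_inventory_update(["00:0B:86:CF:95:8C", "d8-c7-c8-c4-6b-ec"],
                                     "2f3362fe-a8ca-11e1-9eaf-a4badbe0f786")
    print("POST", ACTIVATE_UPDATE_URL)
    print(encode_form_body(payload))
    print(check_update_response(SAMPLE_RESPONSE, len(payload["devices"])))
```

The count check matters because a partial update still returns code 0 with a smaller number in the text; comparing it with the number of devices sent is the only way to notice that some MACs were silently not applied.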

Tuesday, May 13, 2014

iap vpn role


There's a pre-set iaprole.
I modified it to the following:


(Aruba3200) #show running-config | begin iaprole
Building Configuration...
ip access-list session iaprole
  any host 10.215.200.199 any  src-nat pool pool-198
  any host 10.215.200.194 any  src-nat pool pool-198
  any any any  permit
!
!Also
ip NAT pool pool-198 10.215.200.198 10.215.200.198

(Aruba3200) #show rights iaprole

Derived Role = 'iaprole'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 53/0
 Max Sessions = 65535


access-list List
----------------
Position  Name     Type     Location
--------  ----     ----     --------
1         iaprole  session

iaprole
-------
Priority  Source  Destination     Service  Action                 TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------     -------  ------                 ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     10.215.200.199  any      src-nat pool pool-198                           Low                                                           4
2         any     10.215.200.194  any      src-nat pool pool-198                           Low                                                           4
3         any     any             any      permit                                          Low                                                           4

Expired Policies (due to time constraints) = 0
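The three rules above are evaluated top down and the first match wins, which is why the two src-nat rules sit before the catch-all permit: swapped around, everything would match "any any any permit" and nothing would be NATed. As an added example (not code from the post or from ArubaOS), the Python below parses the "ip access-list session" block from running-config text into rules and evaluates a flow against them with first-match semantics, so the ordering effect can be checked before a change is pushed. It assumes the implicit deny at the end of a session ACL and understands "any", "host A.B.C.D" and "A.B.C.D MASK" address forms; the sample configuration is the one shown above.

```python
"""Added example, not from the post: first-match evaluation of an ArubaOS
session ACL parsed from running-config text. Assumes an implicit deny at the
end of the list; supports 'any', 'host A.B.C.D' and 'A.B.C.D MASK'."""
import ipaddress


def _take_addr(tokens):
    """Consume one address spec from the front of tokens; return an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((t, tokens.pop(0)), strict=False)  # addr + netmask


def _parse_rule(line):
    """'<src> <dst> <service> <action...>' -> dict."""
    tokens = line.split()
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    service = tokens.pop(0)
    return {"src": src, "dst": dst, "service": service, "action": " ".join(tokens)}


def parse_session_acls(config_text):
    """Return {acl_name: [rules]} for every 'ip access-list session' block."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list session "):
            current = line.split()[3]
            acls[current] = []
        elif not line or line.startswith("!"):
            current = None                      # '!' closes the block
        elif current is not None:
            acls[current].append(_parse_rule(line))
    return acls


def evaluate(rules, src_ip, dst_ip, service="any"):
    """Action of the first rule matching the flow, or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r["src"] and d in r["dst"] and r["service"] in ("any", service):
            return r["action"]
    return "deny (implicit)"


# The iaprole block as shown in the post's 'show running-config' output.
IAPROLE_CONFIG = """Building Configuration...
ip access-list session iaprole
  any host 10.215.200.199 any  src-nat pool pool-198
  any host 10.215.200.194 any  src-nat pool pool-198
  any any any  permit
!
ip NAT pool pool-198 10.215.200.198 10.215.200.198
"""

if __name__ == "__main__":
    rules = parse_session_acls(IAPROLE_CONFIG)["iaprole"]
    for dst in ("10.215.200.199", "10.215.200.194", "10.215.200.1"):
        print(dst, "->", evaluate(rules, "10.215.1.50", dst))
    print("reversed order ->", evaluate(list(reversed(rules)), "10.215.1.50", "10.215.200.199"))
```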

Tuesday, May 6, 2014

Linux: curl --help


kurokawa-no-MacBook-Air:Linux taka$ curl --help
Usage: curl [options...] <url>
Options: (H) means HTTP/HTTPS only, (F) means FTP only
    --anyauth       Pick "any" authentication method (H)
 -a/--append        Append to target file when uploading (F/SFTP)
    --basic         Use HTTP Basic Authentication (H)
    --cacert <file> CA certificate to verify peer against (SSL)
    --capath <directory> CA directory to verify peer against (SSL)
 -E/--cert <cert[:passwd]> Client certificate file and password (SSL)
    --cert-type <type> Certificate file type (DER/PEM/ENG) (SSL)
    --ciphers <list> SSL ciphers to use (SSL)
    --compressed    Request compressed response (using deflate or gzip)
 -K/--config <file> Specify which config file to read
    --connect-timeout <seconds> Maximum time allowed for connection
 -C/--continue-at <offset> Resumed transfer offset
 -b/--cookie <name=string/file> Cookie string or file to read cookies from (H)
 -c/--cookie-jar <file> Write cookies to this file after operation (H)
    --create-dirs   Create necessary local directory hierarchy
    --crlf          Convert LF to CRLF in upload
    --crlfile <file> Get a CRL list in PEM format from the given file
 -d/--data <data>   HTTP POST data (H)
    --data-ascii <data>  HTTP POST ASCII data (H)
    --data-binary <data> HTTP POST binary data (H)
    --data-urlencode <name=data/name@filename> HTTP POST data url encoded (H)
    --digest        Use HTTP Digest Authentication (H)
    --disable-eprt  Inhibit using EPRT or LPRT (F)
    --disable-epsv  Inhibit using EPSV (F)
 -D/--dump-header <file> Write the headers to this file
    --egd-file <file> EGD socket path for random data (SSL)
    --engine <eng>  Crypto engine to use (SSL). "--engine list" for list
 -f/--fail          Fail silently (no output at all) on HTTP errors (H)
 -F/--form <name=content> Specify HTTP multipart POST data (H)
    --form-string <name=string> Specify HTTP multipart POST data (H)
    --ftp-account <data> Account data to send when requested by server (F)
    --ftp-alternative-to-user <cmd> String to replace "USER [name]" (F)
    --ftp-create-dirs Create the remote dirs if not present (F)
    --ftp-method [multicwd/nocwd/singlecwd] Control CWD usage (F)
    --ftp-pasv      Use PASV/EPSV instead of PORT (F)
 -P/--ftp-port <address> Use PORT with address instead of PASV (F)
    --ftp-skip-pasv-ip Skip the IP address for PASV (F)
    --ftp-pret      Send PRET before PASV (for drftpd) (F)
    --ftp-ssl-ccc   Send CCC after authenticating (F)
    --ftp-ssl-ccc-mode [active/passive] Set CCC mode (F)
    --ftp-ssl-control Require SSL/TLS for ftp login, clear for transfer (F)
 -G/--get           Send the -d data with a HTTP GET (H)
 -g/--globoff       Disable URL sequences and ranges using {} and []
 -H/--header <line> Custom header to pass to server (H)
 -I/--head          Show document info only
 -h/--help          This help text
    --hostpubmd5 <md5> Hex encoded MD5 string of the host public key. (SSH)
 -0/--http1.0       Use HTTP 1.0 (H)
    --ignore-content-length  Ignore the HTTP Content-Length header
 -i/--include       Include protocol headers in the output (H/F)
 -k/--insecure      Allow connections to SSL sites without certs (H)
    --interface <interface> Specify network interface/address to use
 -4/--ipv4          Resolve name to IPv4 address
 -6/--ipv6          Resolve name to IPv6 address
 -j/--junk-session-cookies Ignore session cookies read from file (H)
    --keepalive-time <seconds> Interval between keepalive probes
    --key <key>     Private key file name (SSL/SSH)
    --key-type <type> Private key file type (DER/PEM/ENG) (SSL)
    --krb <level>   Enable Kerberos with specified security level (F)
    --libcurl <file> Dump libcurl equivalent code of this command line
    --limit-rate <rate> Limit transfer speed to this rate
 -J/--remote-header-name Use the header-provided filename (H)
 -l/--list-only     List only names of an FTP directory (F)
    --local-port <num>[-num] Force use of these local port numbers
 -L/--location      Follow Location: hints (H)
    --location-trusted Follow Location: and send auth to other hosts (H)
 -M/--manual        Display the full manual
    --mail-from <from> Mail from this address
    --mail-rcpt <to> Mail to this receiver(s)
    --max-filesize <bytes> Maximum file size to download (H/F)
    --max-redirs <num> Maximum number of redirects allowed (H)
 -m/--max-time <seconds> Maximum time allowed for the transfer
    --negotiate     Use HTTP Negotiate Authentication (H)
 -n/--netrc         Must read .netrc for user name and password
    --netrc-optional Use either .netrc or URL; overrides -n
 -N/--no-buffer     Disable buffering of the output stream
    --no-keepalive  Disable keepalive use on the connection
    --no-sessionid  Disable SSL session-ID reusing (SSL)
    --noproxy       Comma-separated list of hosts which do not use proxy
    --ntlm          Use HTTP NTLM authentication (H)
 -o/--output <file> Write output to <file> instead of stdout
    --pass  <pass>  Pass phrase for the private key (SSL/SSH)
    --post301       Do not switch to GET after following a 301 redirect (H)
    --post302       Do not switch to GET after following a 302 redirect (H)
 -#/--progress-bar  Display transfer progress as a progress bar
    --proto <protocols>       Enable/disable specified protocols
    --proto-redir <protocols> Enable/disable specified protocols on redirect
 -x/--proxy <host[:port]> Use HTTP proxy on given port
    --proxy-anyauth Pick "any" proxy authentication method (H)
    --proxy-basic   Use Basic authentication on the proxy (H)
    --proxy-digest  Use Digest authentication on the proxy (H)
    --proxy-negotiate Use Negotiate authentication on the proxy (H)
    --proxy-ntlm    Use NTLM authentication on the proxy (H)
 -U/--proxy-user <user[:password]> Set proxy user and password
    --proxy1.0 <host[:port]> Use HTTP/1.0 proxy on given port
 -p/--proxytunnel   Operate through a HTTP proxy tunnel (using CONNECT)
    --pubkey <key>  Public key file name (SSH)
 -Q/--quote <cmd>   Send command(s) to server before file transfer (F/SFTP)
    --random-file <file> File for reading random data from (SSL)
 -r/--range <range> Retrieve only the bytes within a range
    --raw           Pass HTTP "raw", without any transfer decoding (H)
 -e/--referer       Referer URL (H)
 -O/--remote-name   Write output to a file named as the remote file
    --remote-name-all Use the remote file name for all URLs
 -R/--remote-time   Set the remote file's time on the local output
 -X/--request <command> Specify request command to use
    --resolve <host:port:address> Force resolve of HOST:PORT to ADDRESS
    --retry <num>   Retry request <num> times if transient problems occur
    --retry-delay <seconds> When retrying, wait this many seconds between each
    --retry-max-time <seconds> Retry only within this period
 -S/--show-error    Show error. With -s, make curl show errors when they occur
 -s/--silent        Silent mode. Don't output anything
    --socks4 <host[:port]> SOCKS4 proxy on given host + port
    --socks4a <host[:port]> SOCKS4a proxy on given host + port
    --socks5 <host[:port]> SOCKS5 proxy on given host + port
    --socks5-hostname <host[:port]> SOCKS5 proxy, pass host name to proxy
    --socks5-gssapi-service <name> SOCKS5 proxy service name for gssapi
    --socks5-gssapi-nec  Compatibility with NEC SOCKS5 server
 -Y/--speed-limit   Stop transfer if below speed-limit for 'speed-time' secs
 -y/--speed-time    Time needed to trig speed-limit abort. Defaults to 30
    --ssl           Try SSL/TLS (FTP, IMAP, POP3, SMTP)
    --ssl-reqd      Require SSL/TLS (FTP, IMAP, POP3, SMTP)
 -2/--sslv2         Use SSLv2 (SSL)
 -3/--sslv3         Use SSLv3 (SSL)
    --stderr <file> Where to redirect stderr. - means stdout
    --tcp-nodelay   Use the TCP_NODELAY option
 -t/--telnet-option <OPT=val> Set telnet option
    --tftp-blksize <value> Set TFTP BLKSIZE option (must be >512)
 -z/--time-cond <time> Transfer based on a time condition
 -1/--tlsv1         Use TLSv1 (SSL)
    --trace <file>  Write a debug trace to the given file
    --trace-ascii <file> Like --trace but without the hex output
    --trace-time    Add time stamps to trace/verbose output
 -T/--upload-file <file> Transfer <file> to remote site
    --url <URL>     Set URL to work with
 -B/--use-ascii     Use ASCII/text transfer
 -u/--user <user[:password]> Set server user and password
    --tlsuser     <user> Set TLS username
    --tlspassword <string> Set TLS password
    --tlsauthtype <string> Set TLS authentication type (default SRP)
 -A/--user-agent <string> User-Agent to send to server (H)
 -v/--verbose       Make the operation more talkative
 -V/--version       Show version number and quit
 -w/--write-out <format> What to output after completion
    --xattr         Store metadata in extended file attributes
 -q                 If used as the first parameter disables .curlrc

Linux: curl cookie & web-login: Aruba Activate

Use curl to log in to Aruba Activate, send an Inventory Query, and list the APs.

==========================
Step-1:
==========================
-c <file> writes the cookies the server sets into the jar file after the request; -b <file> reads cookies from the jar and sends them with the request.

taka$ curl -c cookie.txt --data "credential_0=username&credential_1=password&destination='/api/ext/inventory.json?action=query'" https://activate.arubanetworks.com/LOGIN

--------------------------------------------
cookie.txt
--------------------------------------------
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_activate.arubanetworks.com FALSE / TRUE 0 session cb7e7fbb-7f55-42cd-ab6d-9afe3b802c65
--------------------------------------------

taka$ curl -i -b cookie.txt https://activate.arubanetworks.com/api/ext/inventory.json?action=query
HTTP/1.1 200 OK
Date: Mon, 05 May 2014 15:15:52 GMT
Cache-Control: no-cache
Content-Disposition: inline;filename=inventory.json
Content-Length: 623
Content-type: application/json; charset=utf-8
Expires: -1
Pragma: no-cache

{"info":{"api":"inventory","version":"1.4"},"message":{"text":"1 devices returned","code":0},"devices":[{"mac":"D8:C7:C8:C4:6B:EC","serialNumber":"BE0011245","partNumber":"IAP-105","status":"provisioned","folderId":"2f3362fe-a8ca-11e1-9eaf-a4badbe0f786","firstSeen":"02-13-2012","lastSeen":"04-28-2014","additionalData":{"deviceName":"AP-1","deviceFullName":"","deviceDescription":"","apGroupName":null,"folder":"default","folderId":"2f3362fe-a8ca-11e1-9eaf-a4badbe0f786","firstSeen":"02-13-2012","lastSeen":"04-28-2014","lastAosVersion":"6.3.1.4-4.0.0.5_43022","lastBootVersion":null,"sourceIpAddress":"106.188.22.200"}}]}
kurokawa-no-MacBook-Air:Linux taka$


==========================
Test-2: passing the session cookie by hand with --cookie
==========================

kurokawa-no-MacBook-Air:Linux taka$ curl -i --data "credential_0=hoge1&credential_1=hogehoge&destination='/api/ext/inventory.json?action=query'" https://activate.arubanetworks.com/LOGIN
HTTP/1.1 302 Temporary Redirect
Date: Mon, 05 May 2014 01:50:57 GMT
Content-length: 0
Location: '/api/ext/inventory.json?action=query'
Set-cookie: session=51b428d2-ab08-4f70-9c85-1450618b5783; Path=/; Secure; HttpOnly
Content-Type: text/plain; charset=UTF-8

kurokawa-no-MacBook-Air:Linux taka$ curl -i --cookie "session=e966fcd4-9824-4804-91f3-80aefee42588" https://activate.arubanetworks.com/api/ext/inventory.json?action=query
HTTP/1.1 200 OK
Date: Mon, 05 May 2014 01:51:41 GMT
Cache-Control: no-cache
Content-Disposition: inline;filename=inventory.json
Content-Length: 623
Content-type: application/json; charset=utf-8
Expires: -1
Pragma: no-cache

============================
Test-3: the -k option on AWS
============================
On the EC2 host, curl's CA bundle could not validate the server certificate. -k makes the connection succeed by skipping verification entirely, so the login credentials below are sent to whatever answers at that address; it is a lab workaround, not a fix. The proper fix is a current CA bundle, or pointing curl at one with --cacert, as curl's own message says.
[root@ip-172-31-17-244 ~]# curl -c cookie.txt --data "credential_0=hoge1&credential_1=hogehoge&destination='/api/ext/inventory.json?action=query'" https://activate.arubanetworks.com/LOGIN
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@ip-172-31-17-244 ~]# curl -k -c cookie.txt --data "credential_0=hoge1&credential_1=hogehoge&destination='/api/ext/inventory.json?action=query'" https://activate.arubanetworks.com/LOGIN

[root@ip-172-31-17-244 ~]# curl -k -i -b cookie.txt https://activate.arubanetworks.com/api/ext/inventory.json?action=query
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 10:14:42 GMT
Cache-Control: no-cache
Content-Disposition: inline;filename=inventory.json
Content-Length: 623
Content-type: application/json; charset=utf-8
Expires: -1
Pragma: no-cache
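The whole procedure above (Step-1 through Test-3) as one script, added here as an example; it is not code from the original post or from Aruba. The LOGIN form fields, the inventory endpoint and the #HttpOnly_ line in the cookie jar are taken from the output above; the environment variable names (ACTIVATE_USER, ACTIVATE_PASS, ACTIVATE_URL, ACTIVATE_CACERT), the cfg_escape helper and the rule that any login response other than the 302 shown in Test-2 counts as a failure are my assumptions. It differs from the commands above in three ways a practitioner will care about: the credentials reach curl through -K - (a config file on stdin) so they never appear in the shell history or the process list; certificate verification stays on, with --cacert as the fallback for a stale bundle instead of -k; and the jar holding the live session token is created owner-readable only and removed when the script exits.

```shell
#!/bin/sh
# Added example, not from the original post: two-step Aruba Activate login
# with curl, then the inventory query, without -k and without credentials
# on the command line.
# ASSUMPTIONS: variable names below are mine; the form fields, endpoints and
# the 302-on-success behaviour are as shown in the post.

ACTIVATE_URL="${ACTIVATE_URL:-https://activate.arubanetworks.com}"

# Escape a value for curl's config-file syntax (inside double quotes only
# backslash and double quote need escaping).
cfg_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Value of cookie $2 from the curl/Netscape jar $1. curl prefixes HttpOnly
# cookies' domain field with "#HttpOnly_", so such lines are data, not
# comments. Exit status 1 when the cookie is absent.
cookie_from_jar() {
    awk -F '\t' -v want="$2" '
        (/^#HttpOnly_/ || !/^#/) && NF >= 7 && $6 == want { print $7; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Value of cookie $2 from a raw "Set-cookie:" header line $1 (Test-2 style).
cookie_from_header() {
    _val=$(printf '%s\n' "$1" | sed -n "s/^[Ss]et-[Cc]ookie: *$2=\([^;]*\).*/\1/p")
    [ -n "$_val" ] && printf '%s\n' "$_val"
}

# Step 1: log in, writing the session cookie to jar $1. The credentials are
# passed as a curl config file on stdin (-K -), so they are not visible in
# `ps` or the shell history. Verification stays on; ACTIVATE_CACERT may
# point at a current bundle if the system one is stale (the -k case above).
activate_login() {
    : "${ACTIVATE_USER:?set ACTIVATE_USER}" "${ACTIVATE_PASS:?set ACTIVATE_PASS}"
    code=$(
        umask 077    # the jar will hold a live session token: owner-only
        printf 'data-urlencode = "credential_0=%s"\ndata-urlencode = "credential_1=%s"\n' \
            "$(cfg_escape "$ACTIVATE_USER")" "$(cfg_escape "$ACTIVATE_PASS")" |
        curl -sS -o /dev/null -w '%{http_code}' -K - -c "$1" \
            ${ACTIVATE_CACERT:+--cacert "$ACTIVATE_CACERT"} \
            --data "destination='/api/ext/inventory.json?action=query'" \
            "$ACTIVATE_URL/LOGIN"
    )
    # Assumption: a successful login answers 302 + Set-cookie as in Test-2;
    # anything else (including a 200 login page) is treated as a failure.
    [ "$code" = "302" ] || { printf 'login failed: HTTP %s\n' "$code" >&2; return 1; }
}

# Step 2: query the inventory with the saved jar; -f turns HTTP errors into
# a non-zero exit instead of printing an error page as if it were data.
activate_inventory() {
    curl -sS -f -b "$1" ${ACTIVATE_CACERT:+--cacert "$ACTIVATE_CACERT"} \
        "$ACTIVATE_URL/api/ext/inventory.json?action=query"
}

main() {
    jar=$(mktemp) || return 1
    trap 'rm -f "$jar"' EXIT     # never leave the session token on disk
    activate_login "$jar" || return 1
    activate_inventory "$jar"
}

# Usage: ACTIVATE_USER=... ACTIVATE_PASS=... sh activate.sh run | jq .
case "${1:-}" in run) main ;; esac
```

Pipe the output to jq (or any JSON tool) to pull out mac, serialNumber and status per device; the raw JSON has the same shape as the inventory.json response shown in Step-1. cookie_from_jar and cookie_from_header are there for scripts that, like Test-2, need the session id itself rather than a jar; note that printing it to a terminal or log is equivalent to printing a password.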