topic Re: ASA REST-API Authentication issues in Network Security

ASA REST-API Authentication issues

HungryDog100 — Mon, 22 Apr 2019 16:39:28 GMT

Running ASA REST-API 1.3.2.325

All API calls to this firewall are responding with the same message:

"<FORM METHOD=POST autocomplete=new-password style=\"max-width:300px;margin:auto\"><HEAD><TITLE>Authorization Required</TITLE></HEAD><H2>Authorization Required!</H2><label for=user>Username</label><br><input id=user name=username type=text><br><label for=pass>Password</label><br><input id=pass name=password type=password><br><INPUT TYPE=HIDDEN NAME=csrf_token VALUE=\"(removed)\">\r\n<INPUT TYPE=submit VALUE=submit>\r\n</FORM>\n\n"

Has the authentication methods for the ASA API changed? I get the same response from the https://<asa-ip>/doc page when testing out API calls, too. POSTMAN too responds with this authentication problem... Whats the deal?!

I had been using Basic HTTP Auth for MONTHS now, and now these very standard calls get rejected due to Auth problems. Even the most simple GET ran from /doc/ page will fail with Auth issues.

How can i troubleshoot this further? Literally not a single call works from https://<asa-ip>/doc, which is insane since i authenticate just to REACH that page, and its actually the ASA sending calls to itself.... Help!

Re: ASA REST-API Authentication issues

HungryDog100 — Mon, 22 Apr 2019 16:45:29 GMT

I have been working with the newest ver of REST-API and it has notes regarding changes to the Authorization methods... which is great... but what are the changes?!

New Features in ASA REST API 1.3(2)-346

Released: February 28, 2019

ASA REST-API image 1.3.2-346 is a special patch which provides key changes related to Authorization, and addresses a few bugs.

Re: ASA REST-API Authentication issues

HungryDog100 — Mon, 22 Apr 2019 17:07:46 GMT

I've found my issue and corrected it.

Within a PDF titled "About the ASA REST API v1.3.2" (revised July 9 2018)

Under a section titled "Token Authentication API"

The REST API client needs to send a POST request to '/api/tokenservices' with user information in the basic authentication header to get a token for that user. Subsequently, the REST API client can use this token in an 'X-Auth-Token' request header for any subsequent REST API calls. The 'token' will be valid until either it is explicitly invalidated by a 'DELETE /api/tokenservices/<token>' request, using user information in the basic authentication header, or until the session times out.
POST URL: /api/tokenservices

The Token will be sent back in the headers of the response, you need to grab the token and make new headers for your request like so

headers = {'Content-Type': 'application/json',
           'X-Auth-Token': '12DDF5@XXXX@XXXX@ABCDEFGHIJKLMNOPQRSTUVWXYZ12343567890'}

I had been crafting API calls for my firewalls for months now, suddenly I need this API Token to make any API calls work. Incredibly poorly documented, hopefully my efforts will help others that get snagged on this complicated authentication method that is obscured by its own documentation.

Re: ASA REST-API Authentication issues

sebastien_michelet — Wed, 27 Nov 2019 00:10:43 GMT

I had the same issue until I found the release notes, new header 'User-Agent: REST API Agent' is required:

https://www.cisco.com/c/en/us/td/docs/security/asa/api/13/asa-api-rn-13.html#pgfId-142754