topic Re: IOSXE - RESTCONF authentication failure in Communities of Interest

IOSXE - RESTCONF authentication failure

TelesEC — Sat, 22 Oct 2022 16:44:47 GMT

Hello to all,
I'm starting with RESTCONF and I'm encountering an authentication problem. To validate the configuration I use a local account and then I will use the TACACS+ service.
My configuration is simple and is as follows:

Switch#show run | i http
ip http server
ip http authentication local
ip http secure-server

Switch#show run | s aaa
aaa new-model
aaa group server tacacs+ ENT_GROUP
server name Serv_P
server name Serv_S
aaa authentication login default line
aaa authentication login AAA_SSH local group ENT_GROUP
aaa authentication login AAA_CONSOLE local group ENT_GROUP
aaa authorization console
aaa authorization exec AAA_SSH local group ENT_GROUP
aaa authorization exec AAA_CONSOLE local group ENT_GROUP
aaa authorization commands 15 AAA_SSH local group ENT_GROUP
aaa authorization commands 15 AAA_CONSOLE local group ENT_GROUP
aaa accounting exec AAA_SSH start-stop group ENT_GROUP
aaa accounting exec AAA_CONSOLE start-stop group ENT_GROUP
aaa accounting commands 15 AAA_SSH stop-only group ENT_GROUP
aaa accounting commands 15 AAA_CONSOLE stop-only group ENT_GROUP
aaa session-id common

Switch#show platform software yang-management process
confd : Running
nesd : Running
syncfd : Running
ncsshd : Not Running
dmiauthd : Running
nginx : Running
ndbmand : Running
pubd : Running
gnmib : Not Running

username admin privilege 15 secret 9 XXXYYYZZZ

The error message : %DMI-5-AUTHENTICATION_FAILED: Switch 1 R0/0: dmiauthd: Authentication failure from 192.168.2.1:0 for rest over http.

curl -i -k -X "GET" "https://10.10.10.1/restconf/" -u 'admin:XXXYYYZZZ'

Thank you for your help.

Re: IOSXE - RESTCONF authentication failure

balaji.bandi — Sat, 22 Oct 2022 18:39:22 GMT

I have not seen you have restconf enabled.

so check show run | in restconf (if that is not show any output)

config t

restconf

Also, you need authorization, not only authentication, so add the below line and test it.

aaa authorization exec default local

Re: IOSXE - RESTCONF authentication failure

TelesEC — Sat, 22 Oct 2022 18:54:21 GMT

Hello,

Thank you for your reply.
Yes restconf is enabled.
Regarding the AAA configuration, the following lines are not enough ?

aaa authorization exec AAA_CONSOLE local group ENT_GROUP
aaa authorization commands 15 AAA_SSH local group ENT_GROUP
aaa authorization commands 15 AAA_CONSOLE local group ENT_GROUP

Re: IOSXE - RESTCONF authentication failure

balaji.bandi — Sat, 22 Oct 2022 19:14:34 GMT

here is simple test i have done :

username admin privilege 15 password 0 Cisco123

aaa new-model
!
aaa authorization exec default local

ip http server
ip http authentication local
ip http secure-server

root@ub18:~# curl -i -k -X "OPTIONS" "https://10.10.9.100:443/restconf/data/Cisco-IOS-XE-native:native/logging/monitor/severity" -H 'Accept: application/yang-data+json' -u 'admin:Cisco123'
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 22 Oct 2022 19:10:58 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Accept-Patch: application/yang-data+xml, application/yang-data+json
Pragma: no-cache