10-22-2022 09:44 AM
Hello to all,
I'm starting with RESTCONF and I'm encountering an authentication problem. To validate the configuration I use a local account and then I will use the TACACS+ service.
My configuration is simple and is as follows:
Switch#show run | i http
ip http server
ip http authentication local
ip http secure-server
Switch#show run | s aaa
aaa new-model
aaa group server tacacs+ ENT_GROUP
server name Serv_P
server name Serv_S
aaa authentication login default line
aaa authentication login AAA_SSH local group ENT_GROUP
aaa authentication login AAA_CONSOLE local group ENT_GROUP
aaa authorization console
aaa authorization exec AAA_SSH local group ENT_GROUP
aaa authorization exec AAA_CONSOLE local group ENT_GROUP
aaa authorization commands 15 AAA_SSH local group ENT_GROUP
aaa authorization commands 15 AAA_CONSOLE local group ENT_GROUP
aaa accounting exec AAA_SSH start-stop group ENT_GROUP
aaa accounting exec AAA_CONSOLE start-stop group ENT_GROUP
aaa accounting commands 15 AAA_SSH stop-only group ENT_GROUP
aaa accounting commands 15 AAA_CONSOLE stop-only group ENT_GROUP
aaa session-id common
Switch#show platform software yang-management process
confd : Running
nesd : Running
syncfd : Running
ncsshd : Not Running
dmiauthd : Running
nginx : Running
ndbmand : Running
pubd : Running
gnmib : Not Running
username admin privilege 15 secret 9 XXXYYYZZZ
The error message: %DMI-5-AUTHENTICATION_FAILED: Switch 1 R0/0: dmiauthd: Authentication failure from 192.168.2.1:0 for rest over http.
curl -i -k -X "GET" "https://10.10.10.1/restconf/" -u 'admin:XXXYYYZZZ'
Thank you for your help.
10-22-2022 11:39 AM
I do not see that you have restconf enabled.
So check show run | in restconf (if that does not show any output):
config t
!
restconf
!
Also, you need authorization, not only authentication, so add the below line and test it.
aaa authorization exec default local
10-22-2022 11:54 AM
Hello,
Thank you for your reply.
Yes, restconf is enabled.
Regarding the AAA configuration, are the following lines not enough?
aaa authorization exec AAA_CONSOLE local group ENT_GROUP
aaa authorization commands 15 AAA_SSH local group ENT_GROUP
aaa authorization commands 15 AAA_CONSOLE local group ENT_GROUP
10-22-2022 12:14 PM
Here is a simple test I have done:
username admin privilege 15 password 0 Cisco123
aaa new-model
!
aaa authorization exec default local
ip http server
ip http authentication local
ip http secure-server
root@ub18:~# curl -i -k -X "OPTIONS" "https://10.10.9.100:443/restconf/data/Cisco-IOS-XE-native:native/logging/monitor/severity" -H 'Accept: application/yang-data+json' -u 'admin:Cisco123'
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 22 Oct 2022 19:10:58 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Accept-Patch: application/yang-data+xml, application/yang-data+json
Pragma: no-cache
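An added example, not part of any post in this thread and not Cisco code: a small Python check that compares a running-config against the lines in the reply's working test and reports what is missing. Treating those lines as the required baseline is an assumption taken from this thread; both sample configs are constructed from the posts, with `restconf` included as the posters state it is enabled.

```python
import re

# Baseline: lines present in the reply's working test. Treating each one as
# required for RESTCONF login is an assumption taken from this thread.
REQUIRED = {
    "restconf": r"restconf$",
    "ip http secure-server": r"ip http secure-server$",
    "ip http authentication local": r"ip http authentication local$",
    "aaa authorization exec default": r"aaa authorization exec default \S+",
    "privilege 15 user": r"username \S+ privilege 15 ",
}

def audit(running_config):
    """Return baseline lines that are missing, plus hardening warnings."""
    lines = [l.strip() for l in running_config.splitlines()]
    has = lambda pat: any(re.match(pat, l) for l in lines)
    missing = [name for name, pat in REQUIRED.items() if not has(pat)]
    warnings = []
    # Named lists such as AAA_SSH are not the default list the reply adds.
    if "aaa authorization exec default" in missing and has(
            r"aaa authorization exec (?!default\b)\S+"):
        warnings.append("exec authorization only on named method lists")
    if has(r"username \S+ .*password 0 "):
        warnings.append("local user stored with a type 0 (cleartext) password")
    if has(r"ip http server$"):
        warnings.append("plain HTTP server enabled next to HTTPS")
    return {"missing": missing, "warnings": warnings}

# Constructed samples, reduced from the two configurations in this thread.
QUESTION_CONFIG = """\
restconf
ip http server
ip http authentication local
ip http secure-server
aaa new-model
aaa authorization exec AAA_SSH local group ENT_GROUP
username admin privilege 15 secret 9 XXXYYYZZZ
"""
REPLY_CONFIG = """\
restconf
username admin privilege 15 password 0 Cisco123
aaa new-model
aaa authorization exec default local
ip http server
ip http authentication local
ip http secure-server
"""
if __name__ == "__main__":
    print(audit(QUESTION_CONFIG), audit(REPLY_CONFIG), sep="\n")
```

To check a real device, paste the output of show running-config into a string and pass it to audit().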