Cisco Employee

IOSXE RestAPI auth failing

Hello Team,

CSR1k 16.9.1.

 

I have enabled rest:

aaa authentication login HTTP local

username rest privilege 15 password 0 Krakow123
ip http server
ip http authentication aaa login-authentication HTTP
ip http secure-server

restconf

(I have also tested ip http authentication local, and without that command.)

 

Then my curl results are the following:

$ curl -v -X POST https://192.168.1.116/api/v1/auth/token-services -H "Accept:application/json" -u "rest:Krakow123" -d "" --insecure

.......

 HTTP/1.1 411 Length Required

 

Why?

(I've set Content-Length to 0 in the request, but that did not change anything.)

 

I have also tried classic rest API without token and got:

https://{{ip}}/restconf/api/config/native

Response 401:

<errors xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
    <error>
        <error-tag>access-denied</error-tag>
        <error-type>protocol</error-type>
    </error>
</errors>


 

Debugs on CSR:

%DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from 192.168.1.124:0 for rest over http.

 

Why is it failing?

Thanks,

6 REPLIES
Cisco Employee

OK, I've just found a solution for the authentication failure (not for the 411 error!).

I had exactly the same issue with netconf:

To get restconf or netconf working, we need to be sure that the user is not only at privilege level 15 but also that exec mode authorization is enabled via: aaa authorization exec default local (which puts the SSH user directly in enable mode).

It would be good to update documentation to reflect that.

 

I am still troubleshooting my last problem: why, when requesting an auth token, I got 411 Length Required.

 

Highlighted

I have added all these commands (netconf-yang + priv 15 + aaa authorization exec default group (...))

and I still have this error:

%DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from (...) for netconf over ssh.

 

In the Python script I have this error:

ncclient.transport.errors.AuthenticationError: AuthenticationException('Authentication failed.',)

while the credentials are 100% correct.

 

Any ideas? Software: 16.8 IOS XE

 

 

Beginner

Hi,

 

I had the same issue. I fixed it by performing the following steps:

 

aaa authentication login default group ISE-GROUP local
aaa authorization exec default group ISE-GROUP local
aaa authentication login NOAUTH none

 

line console 0
login authentication NOAUTH

Beginner

Double-check the line vty 0.

I had enabled, due to a copy error, no exec.

So the SSH session arrives first via line 0, which serves as a kind of template. Replacing it with <exec> solved some issues :-) BUT NOT ALL

Beginner

I was getting the same error with "Basic Authorization":

%DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from 10.1.1.1:0 for rest over http

 

After enabling exec mode authorization it worked: # aaa authorization exec default local

 

%DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'devnet' authenticated successfully from 10.1.1.1:0 and was authorized for rest over http. External groups: PRIV15
Highlighted

And furthermore, I'm currently working on 4K ISR routers.

Apparently they were 'defaulting' with:

ip http secure-active-session-modules HTTPS

ip http timeout-policy idle 600 life 86400 requests 1000

ip http session-module-list HTTP ITS_LOCDIR,CME_EM_LOGIN,CME_SERVICE_URL,CME_AUTH_SRV_LOGIN

ip http session-module-list HTTPS ITS,WEB_EXEC,HOME_PAGE

ip http active-session-modules HTTP

 

This configuration did not accept the API request. Disabling this allowed API requests to the router. But I guess this should be enabled, although I do not know today how to enable the 'API-service'. Also, I do not know that putting in the 'ip http secure-server' to enable restconf/netconf created the above configurations.

Good luck in your development and experimentation.

B
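
An added example, not part of the original thread and not Cisco tooling: a small Python check that scans a saved running-config for the RESTCONF login prerequisites reported in the replies above (notably exec authorization) and flags a few settings worth reviewing. The function name, labels and the hygiene checks are assumptions of this example; the sample input is constructed from the lines posted in the opening question.

```python
import re

# Constructed sample: the configuration lines posted in the opening question.
SAMPLE_CONFIG = """\
aaa authentication login HTTP local
username rest privilege 15 password 0 Krakow123
ip http server
ip http authentication aaa login-authentication HTTP
ip http secure-server
restconf
"""

# Prerequisites for RESTCONF login as reported in this thread (not an official list).
REQUIRED = [
    (r"^restconf$", "restconf"),
    (r"^ip http secure-server$", "ip http secure-server"),
    (r"^username \S+ privilege 15\b", "username <name> privilege 15 ..."),
    (r"^aaa authorization exec default \S+", "aaa authorization exec default <method>"),
]

# Settings that work but deserve a second look before production use.
HYGIENE = [
    (r"^username \S+ .*\bpassword 0 ", "local password stored in cleartext (type 0)"),
    (r"^ip http server$", "plain-HTTP server enabled alongside HTTPS"),
    (r"^aaa authentication login \S+ none$", "login method list with no authentication"),
]


def audit_restconf_aaa(config: str) -> dict:
    """Return the thread's missing prerequisites and hygiene warnings for a config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def present(pattern: str) -> bool:
        return any(re.search(pattern, ln) for ln in lines)

    return {
        "missing": [label for pattern, label in REQUIRED if not present(pattern)],
        "warnings": [label for pattern, label in HYGIENE if present(pattern)],
    }


if __name__ == "__main__":
    report = audit_restconf_aaa(SAMPLE_CONFIG)
    for item in report["missing"]:
        print("MISSING:", item)
    for item in report["warnings"]:
        print("WARNING:", item)
```

Run against the opening question's configuration, it reports the missing exec authorization line that the replies identify as the cause of the DMI-5-AUTHENTICATION_FAILED message.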