I have enabled rest:
aaa authentication login HTTP local username rest privilege 15 password 0 Krakow123 ip http server ip http authentication aaa login-authentication HTTP ip http secure-server restconf
(i have also tested ip http authentication local or without that command)
Then my curls results are the following:
$ curl -v -X POST https://192.168.1.116/api/v1/auth/token-services -H "Accept:application/json" -u "rest:Krakow123" -d "" --insecure ....... HTTP/1.1 411 Length Required
(i've set content-length to 0 in the request but that did not change anything)
I have also tried classic rest API without token and got:
<errors xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf"> <error> <error-tag>access-denied</error-tag> <error-type>protocol</error-type> </error> </errors>
Debugs on CSR:
%DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from 192.168.1.124:0 for rest over http.
Why failing ?
OK, i've just found a solution for authentication failure (not for 411 error!)
I had exactly same issue with netconf:
To get restconf or netconf working we need to be sure the user is not only in priv15 lvl but also exec mode authorization is enabled via: aaa authorization exec default local (which puts ssh user directly in enable mode).
It would be good to update documentation to reflect that.
I am still troubleshooting my last problem - why when requesting for auth token i got 411 length required.
I have added all these commands (netconf-yang + priv 15 + aaa authorization exec default group (...))
and still have this error:
%DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from (...) for netconf over ssh.
in python script i have error:
ncclient.transport.errors.AuthenticationError: AuthenticationException('Authentication failed.',)
while credentials 100% correct
any ideas? soft: 16.8 IOS XE
I have the same issue. I fix it by performing the following steps:
aaa authentication login default group ISE-GROUP local
aaa authorization exec default group ISE-GROUP local
aaa authentication login NOAUTH none
line console 0
login authentication NOAUTH
double check the line vty 0
i had enabled - due to copy error - no exec.
So the ssh session arrives first via line 0 that serves as a kind of template. Replacing with <exec> solved some issues :-) BUT NOT ALL
I was getting the same error with "Basic Authorization":
%DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from 10.1.1.1:0 for rest over http
after enabling exec mode authorization it worked: # aaa authorization exec default local
%DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'devnet' authenticated successfully from 10.1.1.1:0 and was authorized for rest over http. External groups: PRIV15
And furthermore, I'm currently working on 4K ISR routers.
Apparently they where 'defaulting' with:
ip http secure-active-session-modules HTTPS
ip http timeout-policy idle 600 life 86400 requests 1000
ip http session-module-list HTTP ITS_LOCDIR,CME_EM_LOGIN,CME_SERVICE_URL,CME_AUTH_SRV_LOGIN
ip http session-module-list HTTPS ITS,WEB_EXEC,HOME_PAGE
ip http active-session-modules HTTP
This configuration did not accept the API request. Disabling this, allowed API request to the router. But - I guess this should be enabled, although I do not know today how to enable the 'API-service'. Also, I do not know that putting in the 'ip http secure-server' to enable restoconf/netconf, created the above configurations.
Good luck in your development and experimentation.
I have fixed my RESTCONF issue by just re-adjusting the privilege level of my user account.
I was using:
#ip http secure-server
#ip http authentication local
on the router, with a username that was created following:
#username admin secret cisco
It turns out that the error I was getting "authorization error" in my API call was related to the privilege level o the user
To fix it:
#username admin privilege 15