Can't authenticate RESTCONF with Cisco IOS XE

MapleMagician
Level 1

Just about at the end of my wits here. Simply trying to make a successful API call to my CSR1000v in my Cisco CML 2.0 environment.

 

When I make the call, I get this message in the console which seems to indicate that I was authenticated

 

*Aug 6 13:23:05.775: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'cisco' authenticated successfully from 192.168.0.5:0 and was authorized for rest over http. External groups: PRIV01

 

However, what I get back in postman or when I run my python script is this:

{
    "errors": {
        "error": [
            {
                "error-message": "access denied",
                "error-tag": "access-denied",
                "error-type": "application"
            }
        ]
    }
}
 
Here is my router config (omitting some of it for brevity). This is just what I have configured now; I've tried various aaa configurations, etc.
 

Router1#show run
Building configuration...


hostname Router1
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-213311658
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-213311658
revocation-check none
rsakeypair TP-self-signed-213311658
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
...

1
quit
crypto pki certificate chain TP-self-signed-213311658
certificate self-signed 01

license udi pid CSR1000V sn 9VGN5HCJY3E
diagnostic bootup level minimal

!
!
restconf
!
username cisco password 0 cisco
!
redundancy

 

 interface GigabitEthernet1
ip address dhcp
negotiation auto
no mop enabled
no mop sysid
 
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1

 

line con 0
logging synchronous
stopbits 1
line vty 0 4
login local
transport input telnet

 

My python script:

import requests
import json
from cml_automationlab1 import router1

# set REST API headers
headers = {
    "Accept": "application/yang-data+json",
    "Content-Type": "application/yang-data+json",
}

url = f"https://{router1['ip']}:{router1['port']}/restconf/data/Cisco-IOS-XE-interfaces-oper:interfaces/interface=GigabitEthernet1"
# print(url)

response = requests.get(
    url, headers=headers, auth=(router1["user"], router1["password"]), verify=False
)


api_data = response.json()
 
 
....
router1 = {"ip": "192.168.0.17", "port": "443", "user": "cisco", "password": "cisco"}

 

1 Accepted Solution

@MapleMagician on your device you should only need

 

username admin privilege 15 secret admin
!
ip http secure-server
!
restconf

I haven't tried to use DHCP on a management interface before and typically have hard coded IP addresses on my interface.

Try this test/code (update with your own router details or just run this against the devnet always on sandbox)

 

If this does not work, the test RESTCONF server is up and running with a curl test.

 

(venv) $ curl -k https://sandbox-iosxe-latest-1.cisco.com/restconf/ -u "developer:C1sco12345"
<restconf xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
  <data/>
  <operations/>
  <yang-library-version>2016-06-21</yang-library-version>
</restconf>

Or

 

curl -k https://sandbox-iosxe-latest-1.cisco.com/restconf/data/Cisco-IOS-XE-interfaces-oper:interfaces/interface=GigabitEthernet1 -u "developer:C1sco12345"

 

import requests
import sys
HOST = 'sandbox-iosxe-latest-1.cisco.com'
USER = 'developer'
PASS = 'C1sco12345'

requests.packages.urllib3.disable_warnings()

# set REST API headers
headers = {
    "Accept": "application/yang-data+json",
    "Content-Type": "application/yang-data+json",
}

url = f"https://{HOST}/restconf/data/Cisco-IOS-XE-interfaces-oper:interfaces/interface=GigabitEthernet1"
# print(url)

response = requests.get(url, auth=(USER, PASS),headers=headers, verify=False)

print(response.text)

 

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
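
The question shows a login that succeeds (`%DMI-5-AUTH_PASSED`, group `PRIV01`) followed by an `access-denied` body, while the working config above creates its user with `privilege 15`. The sketch below is an added example, not part of the original posts: it separates authentication failures from authorization failures using those two artifacts. The function names are hypothetical, the 403 status is an assumption (the post does not give the HTTP status), and it assumes the `PRIVnn` group reflects the user's privilege level and that RESTCONF access requires `PRIV15`.

```python
import json
import re

# Sample inputs taken from the question above; the 403 status used with them is an assumption.
LOG = ("*Aug 6 13:23:05.775: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'cisco' "
       "authenticated successfully from 192.168.0.5:0 and was authorized for "
       "rest over http. External groups: PRIV01")
BODY = ('{"errors": {"error": [{"error-message": "access denied", '
        '"error-tag": "access-denied", "error-type": "application"}]}}')

AUTH_PASSED = re.compile(
    r"%DMI-5-AUTH_PASSED: .*?User '(?P<user>[^']+)' authenticated successfully "
    r"from (?P<src>\S+) and was authorized for (?P<service>.+?)\. "
    r"External groups: (?P<groups>.*)$")

def parse_auth_log(line):
    """Return user, src, service and group list from an AUTH_PASSED line, else None."""
    m = AUTH_PASSED.search(line.strip())
    if not m:
        return None
    info = m.groupdict()
    info["groups"] = [g for g in re.split(r"[,\s]+", info["groups"]) if g]
    return info

def restconf_error_tags(body):
    """Collect error-tag values from an RFC 8040 error body (plain or namespaced key)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    if not isinstance(doc, dict):
        return []
    errors = doc.get("errors") or doc.get("ietf-restconf:errors") or {}
    return [e.get("error-tag") for e in errors.get("error", []) if isinstance(e, dict)]

def diagnose(status, body, log_line=None):
    """Separate 'who are you' failures from 'what may you do' failures."""
    if 200 <= status < 300:
        return "ok"
    auth = parse_auth_log(log_line) if log_line else None
    if auth is None and status == 401:
        return "authentication failed: credentials were not accepted"
    if status == 403 or "access-denied" in restconf_error_tags(body):
        if auth and "PRIV15" not in auth["groups"]:
            return (f"authorization failed: {auth['user']!r} authenticated but is in "
                    f"{auth['groups']}, not PRIV15")
        return "authorization failed: request denied after login"
    return f"unclassified HTTP {status}"

if __name__ == "__main__":
    print(diagnose(403, BODY, LOG))
```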


3 Replies

It works! I'm still not even entirely sure what I did wrong but I wiped the router and put in the bare minimum config that you mentioned and it worked. Thanks a lot!

Awesome @MapleMagician, I think I saw something like this before - when you had to remove the restconf section of the config and add it back in - anyhoo - glad it's working!

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io