Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1721
Views
1
Helpful
1
Replies

restconf api call "access-denied" - Cisco CSR1000v

famunoz01
Level 1
Level 1

‎09-29-2021 08:36 PM - edited ‎09-29-2021 08:36 PM

Hi community,

I'm testing REST API calls with a Cisco router CSR1000v version 17.03.04a but when I execute the GET curl command the HTTP response is "403 forbidden" with the argument "access-denied", before that when I make an Options call the router HTTP response is 200 OK.

 

root:~#curl -i -k -X "OPTIONS" "https://192.168.122.184:443/restconf/data/Cisco-IOS-XE-native:native/logging/monitor/severity" -H 'Accept: application/yang-data+json' -u 'admin:admin'
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 30 Sep 2021 03:08:50 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Accept-Patch: application/yang-data+xml, application/yang-data+json
Pragma: no-cache

 

 

 

root:~#curl -i -k -X "GET" "https://192.168.122.184:443/restconf/data/ietf-interfaces:interfaces" -H 'Accept: application/yang-data+json' -u 'admin:admin'
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 30 Sep 2021 03:14:47 GMT
Content-Type: application/yang-data+json
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Vary: Accept-Encoding
Pragma: no-cache

{
"errors": {
"error": [
{
"error-message": "access denied",
"error-tag": "access-denied",
"error-type": "application"
}
]
}
}

 

please can you help me to check what's wrong.

Thank you in advance.

0 Helpful
1 Reply 1

bigevilbeard
VIP
VIP

‎09-30-2021 03:34 AM

@famunoz01 you curl is good it works fine (I tested on the sandbox - you can also to test) - you might need to look at the logs on the device to see why this is being rejected.

 

(venv) STUACLAR-M-R6EU:~ stuaclar$ curl -i -k -X "GET" "https://sandbox-iosxe-latest-1.cisco.com/restconf/data/ietf-interfaces:interfaces" -H 'Accept: application/yang-data+json' -u 'developer:C1sco12345'
HTTP/2 200
server: nginx/1.13.12
date: Thu, 30 Sep 2021 10:32:05 GMT
content-type: application/yang-data+json
cache-control: private, no-cache, must-revalidate, proxy-revalidate
pragma: no-cache

{
  "ietf-interfaces:interfaces": {
    "interface": [
      {
        "name": "GigabitEthernet1",
        "description": "MANAGEMENT INTERFACE - DON'T TOUCH ME",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": true,
        "ietf-ip:ipv4": {
          "address": [
            {
              "ip": "10.10.20.48",
              "netmask": "255.255.255.0"
            }
          ]
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "GigabitEthernet2",
        "description": "Trunk to RT33 Gi3",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": true,
        "ietf-ip:ipv4": {
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "GigabitEthernet2.12",
        "description": "test",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": true,
        "ietf-ip:ipv4": {
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "GigabitEthernet3",
        "description": "Network Interface",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": false,
        "ietf-ip:ipv4": {
          "address": [
            {
              "ip": "10.10.2.10",
              "netmask": "255.255.255.0"
            }
          ]
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "Loopback0",
        "type": "iana-if-type:softwareLoopback",
        "enabled": true,
        "ietf-ip:ipv4": {
          "address": [
            {
              "ip": "10.10.10.100",
              "netmask": "255.255.255.255"
            }
          ]
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "Loopback1",
        "type": "iana-if-type:softwareLoopback",
        "enabled": true,
        "ietf-ip:ipv4": {
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "Loopback5",
        "description": "Demo",
        "type": "iana-if-type:softwareLoopback",
        "enabled": true,
        "ietf-ip:ipv4": {
          "address": [
            {
              "ip": "5.5.5.5",
              "netmask": "255.255.255.255"
            }
          ]
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "Loopback69",
        "type": "iana-if-type:softwareLoopback",
        "enabled": true,
        "ietf-ip:ipv4": {
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "Loopback100",
        "description": "Added with RESTCONF",
        "type": "iana-if-type:softwareLoopback",
        "enabled": true,
        "ietf-ip:ipv4": {
          "address": [
            {
              "ip": "172.16.100.1",
              "netmask": "255.255.255.0"
            }
          ]
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "Loopback1000",
        "description": "DevNet",
        "type": "iana-if-type:softwareLoopback",
        "enabled": true,
        "ietf-ip:ipv4": {
        },
        "ietf-ip:ipv6": {
        }
      },
      {
        "name": "VirtualPortGroup0",
        "type": "iana-if-type:propVirtual",
        "enabled": true,
        "ietf-ip:ipv4": {
          "address": [
            {
              "ip": "192.168.1.1",
              "netmask": "255.255.255.0"
            }
          ]
        },
        "ietf-ip:ipv6": {
        }
      }
    ]
  }
}
Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
Customers Also Viewed These Support Documents