ASA REST-API Authentication issues

HungryDog100
Level 1

Running ASA REST-API 1.3.2.325

 

All API calls to this firewall are responding with the same message: 

"<FORM METHOD=POST autocomplete=new-password style=\"max-width:300px;margin:auto\"><HEAD><TITLE>Authorization Required</TITLE></HEAD><H2>Authorization Required!</H2><label for=user>Username</label><br><input id=user name=username type=text><br><label for=pass>Password</label><br><input id=pass name=password type=password><br><INPUT TYPE=HIDDEN NAME=csrf_token VALUE=\"(removed)\">\r\n<INPUT TYPE=submit VALUE=submit>\r\n</FORM>\n\n"

 

Have the authentication methods for the ASA API changed? I get the same response from the https://<asa-ip>/doc page when testing out API calls, too. POSTMAN too responds with this authentication problem... What's the deal?!

I had been using Basic HTTP Auth for MONTHS now, and now these very standard calls get rejected due to Auth problems. Even the most simple GET run from the /doc/ page will fail with Auth issues.

How can I troubleshoot this further? Literally not a single call works from https://<asa-ip>/doc, which is insane since I authenticate just to REACH that page, and it's actually the ASA sending calls to itself.... Help!

 

Accepted Solutions

HungryDog100
Level 1

I've found my issue and corrected it. 

 

Within a PDF titled "About the ASA REST API v1.3.2" (revised July 9 2018)

 

Under a section titled "Token Authentication API"

The REST API client needs to send a POST request to '/api/tokenservices' with user information in the basic authentication header to get a token for that user. Subsequently, the REST API client can use this token in an 'X-Auth-Token' request header for any subsequent REST API calls. The 'token' will be valid until either it is explicitly invalidated by a 'DELETE /api/tokenservices/<token>' request, using user information in the basic authentication header, or until the session times out.
POST URL: /api/tokenservices

 

The token will be sent back in the headers of the response; you need to grab the token and make new headers for your request, like so:

 

headers = {'Content-Type': 'application/json',
'X-Auth-Token': '12DDF5@XXXX@XXXX@ABCDEFGHIJKLMNOPQRSTUVWXYZ12343567890'}

 

I had been crafting API calls for my firewalls for months now; suddenly I need this API token to make any API calls work. Incredibly poorly documented; hopefully my efforts will help others that get snagged on this complicated authentication method that is obscured by its own documentation.

 


3 Replies

HungryDog100
Level 1

I have been working with the newest ver of REST-API and it has notes regarding changes to the Authorization methods... which is great... but what are the changes?!

 

New Features in ASA REST API 1.3(2)-346

Released: February 28, 2019

ASA REST-API image 1.3.2-346 is a special patch which provides key changes related to Authorization, and addresses a few bugs.

 

 


I had the same issue until I found the release notes; a new header, 'User-Agent: REST API Agent', is required:

https://www.cisco.com/c/en/us/td/docs/security/asa/api/13/asa-api-rn-13.html#pgfId-142754
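
The token flow quoted from the PDF, combined with the User-Agent header from the last reply, as an added example that is not part of the original thread and not Cisco's code. The host, account and API path are placeholders, and the name of the response header carrying the token (X-Auth-Token) is an assumption.

```python
import base64
from urllib import parse, request

USER_AGENT = "REST API Agent"  # header value given in the last reply

def _headers(name, value):
    return {"Content-Type": "application/json", "User-Agent": USER_AGENT, name: value}

def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def token_request(base, user, password):
    """POST /api/tokenservices with Basic auth to obtain a token."""
    return request.Request(base + "/api/tokenservices", data=b"", method="POST",
                           headers=_headers("Authorization", _basic(user, password)))

def extract_token(response_headers):
    """Assumption: the token is in a response header named X-Auth-Token."""
    for name, value in response_headers.items():
        if name.lower() == "x-auth-token":
            return value
    raise LookupError("no X-Auth-Token header in the response")

def api_request(base, path, token):
    """Later calls carry the token, not the Basic credentials."""
    return request.Request(base + path, headers=_headers("X-Auth-Token", token))

def revoke_request(base, user, password, token):
    """DELETE /api/tokenservices/<token> with Basic auth; token is path-escaped."""
    url = base + "/api/tokenservices/" + parse.quote(token, safe="@")
    return request.Request(url, method="DELETE",
                           headers=_headers("Authorization", _basic(user, password)))

def is_login_form(body):
    """True when the reply is the HTML 'Authorization Required' form, not JSON."""
    text = body.lower()
    return "<form" in text and "authorization required" in text

def fetch(base, user, password, path):
    """Full flow against a live device: get a token, call, always revoke."""
    with request.urlopen(token_request(base, user, password)) as resp:
        token = extract_token(resp.headers)
    try:
        with request.urlopen(api_request(base, path, token)) as resp:
            body = resp.read().decode()
    finally:
        request.urlopen(revoke_request(base, user, password, token)).close()
    if is_login_form(body):
        raise PermissionError("ASA returned the login form; authentication was not accepted")
    return body
```

`fetch` relies on urlopen's default certificate verification, so the ASA's certificate has to chain to a CA the client trusts.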
