03-18-2024 05:55 AM
Hi All,
I configured rest-api on the Cisco ASA, but when I try to connect through https://cisco-asa-ip:443/api it requires a user/pass. I already created a local user, but when I try to log in it complains with "Authorization Required". Below is the configuration for AAA authentication and authorization.
aaa-server tacacs-v protocol tacacs+
aaa-server tacacs-v (admin) host 1.1.1.1
aaa authentication ssh console tacacs-v LOCAL
aaa authentication serial console tacacs-v LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server
aaa authorization http console LOCAL
BR,
OBadr
03-18-2024 02:32 PM - edited 03-18-2024 03:02 PM
I have tested on my ASA, version 9.12.14. It took the ASA about 30+ minutes to initiate the rest-api services (then the page started to load up with the API) with a configuration similar to yours. At first the page was not loading and I kept getting the message "Authorization Required", but later on it worked, as I said, after 30+ minutes.
Have you enabled and installed the api-packages on the ASA?
show run rest-api
!
rest-api image flash:asa-restapi-7161-lfbff-k8.SPA
rest-api agent
NOTE: while testing I noted that the URL you have to specify is "https://x.x.x.x/doc/#"; this works.
But if you write the URL as "https://x.x.x.x/api", that does not work at all and you always get this error: "Authorization Required".
However, with the URL "https://x.x.x.x/doc/#" you can perform all the functions on the API web page. It displays all the actions you can perform with GET/POST/PATCH/DEL.
03-18-2024 06:55 AM - edited 03-18-2024 11:56 AM
@Omar Badr check the answer of @Marius Gunnerud; his answer is perfect, better than mine.
MHM
03-18-2024 11:21 AM
Please issue the command "show rest-api agent".
Also, provide all commands you have issued when setting up the API agent for ASA. Verify that your user has sufficient privileges to issue the API calls you are trying to use:
level 3 for monitoring calls
level 5 for GET calls
level 15 for all calls
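An offline check of an ASA running-config against the privilege thresholds listed in the reply above, added here as an example (it is not part of any post in this thread and not Cisco code). The sample config and its user names are constructed, and the "expected" lines are simply the ones shown in this thread's configurations.

```python
import re

# Thresholds as stated in the reply above (level 3 / 5 / 15); not verified on a device.
API_TIERS = [(15, "all calls"), (5, "GET calls"), (3, "monitoring calls")]

# Constructed sample running-config; user names and passwords are placeholders.
SAMPLE_CONFIG = """\
aaa authentication http console LOCAL
aaa authorization http console LOCAL
rest-api image flash:asa-restapi-7161-lfbff-k8.SPA
rest-api agent
username apiadmin password ***** privilege 15
username testuser password ***** privilege 5
username monitor password ***** privilege 3
username helpdesk password ***** privilege 1
"""

# Lines this thread's configurations contain (assumption: their absence is worth flagging).
EXPECTED_PREFIXES = (
    "rest-api agent",
    "aaa authentication http console",
    "aaa authorization http console",
    "rest-api image ",
)

def api_tier(level):
    """Return the highest API tier a privilege level qualifies for."""
    for threshold, label in API_TIERS:
        if level >= threshold:
            return label
    return "no API calls"

def audit(config):
    """Return (findings, {username: tier}) for a running-config text."""
    lines = [line.strip() for line in config.splitlines()]
    findings = [
        f"missing: {prefix.strip()}"
        for prefix in EXPECTED_PREFIXES
        if not any(line.startswith(prefix) for line in lines)
    ]
    users = {}
    for line in lines:
        match = re.match(r"username (\S+) .*?privilege (\d+)", line)
        if match:
            users[match.group(1)] = api_tier(int(match.group(2)))
    return findings, users

if __name__ == "__main__":
    findings, users = audit(SAMPLE_CONFIG)
    for item in findings + [f"{u}: {t}" for u, t in users.items()]:
        print(item)
```

The tiers describe what each level is expected to allow according to that reply; what the agent actually permits for a given user still has to be confirmed against the device.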
03-20-2024 03:26 AM
Hi @Sheraz.Salim
Yes, thanks, it is fixed, but now I am trying to control the user privilege, because when I log in as the test user and configure privilege 5, I see the test user has all of GET - PUT - PATCH - POST - DELETE. Do you know how to control that?
BR Omar
03-20-2024 04:40 AM
You are doing LOCAL http authentication; in that case, for priv-5 you can narrow it down with the following configuration.
I have not tested this configuration; it might work or might not. But as an example, something like the below might work for you.
! Create a custom role for Read Only access
privilege cmd level 5 mode exec command http get
privilege cmd level 5 mode exec command http head
privilege cmd level 5 mode exec command http-options
privilege cmd level 5 mode exec command http-param
privilege cmd level 5 mode exec command url-server
privilege show level 5 command context
privilege show level 5 command mode
privilege show level 5 command users
privilege show level 5 command running-config
privilege show level 5 command version
! Assign the custom role to a test user
username testuser password <drere£$"asdf> privilege 5