Cisco ASA 9.12 ASDM access issue!

Omar Badr
Level 1

Hi All,

I configured rest-api and Cisco ASA, but when I try to connect through https://cisco-asa-ip:443/api it requires a user/pass. I already created a local user, but when I try to log in it complains with "Authorization Required". Below is the configuration for the AAA authentication and authorization.

aaa-server tacacs-v protocol tacacs+
aaa-server tacacs-v (admin) host 1.1.1.1
aaa authentication ssh console tacacs-v LOCAL
aaa authentication serial console tacacs-v LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server
aaa authorization http console LOCAL

BR,

OBadr

Accepted Solutions

I have tested on my ASA version 9.12.14. It took the ASA about 30+ minutes to initiate the rest-api services (then the page started to load up with the API), with a configuration similar to yours. At first the page was not loading and I kept getting the message "Authorization Required", but later on it worked, as said, after 30+ minutes.

Have you enabled and installed the api-packages on the ASA?

 

show run rest-api
!
rest-api image flash:asa-restapi-7161-lfbff-k8.SPA
rest-api agent

 

 

NOTE: while testing I noted that the URL you have to specify is "https://x.x.x.x/doc/#"; this works.

But if you write the URL as "https://x.x.x.x/api", that does not work at all and you always get this error: "Authorization Required".

However, with the URL "https://x.x.x.x/doc/#" you can perform all the functions on the API web page. It displays all the actions you can perform with GET/POST/PATCH/DEL.


please do not forget to rate.


5 Replies

@Omar Badr check the answer of @Marius Gunnerud; his answer is perfect, better than mine.

MHM

Please issue the command "show rest-api agent".

Also, provide all commands you have issued when setting up the API agent for ASA.  Verify that your user has sufficient privileges to issue the API calls you are trying to use:

level 3 for monitoring calls

level 5 for GET calls

level 15 for all calls

--
Please remember to select a correct answer and rate helpful posts
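The checks discussed in this thread (REST API image and agent present, which AAA method guards HTTP logins, and what each local user's privilege level allows) can be run offline against a saved running-config. This is an added example, not code from any poster or from Cisco; the sample users are constructed, and reading the listed levels as minimums and using 2 as the default privilege are assumptions.

```python
import re

# Constructed sample: the rest-api and aaa lines are the ones quoted in this
# thread; the four local users (names, levels) are made up for the example.
SAMPLE_CONFIG = """\
rest-api image flash:asa-restapi-7161-lfbff-k8.SPA
rest-api agent
aaa authentication http console LOCAL
aaa authorization http console LOCAL
username apimon password ***** privilege 3
username apiread password ***** privilege 5
username apiadmin password ***** privilege 15
username helpdesk password *****
"""

# Levels as listed in the thread; reading them as minimums is an assumption.
CALL_CLASSES = [(3, "monitoring"), (5, "GET"), (15, "all")]
DEFAULT_PRIVILEGE = 2  # assumed ASA default when "privilege" is omitted

def allowed_calls(level):
    """Return the REST call classes a privilege level may issue."""
    return [name for minimum, name in CALL_CLASSES if level >= minimum]

def audit(config):
    """Check REST API prerequisites and map each local user to its API reach."""
    lines = [line.strip() for line in config.splitlines()]
    report = {
        "image_installed": any(l.startswith("rest-api image ") for l in lines),
        "agent_enabled": "rest-api agent" in lines,
        "http_auth": None,   # server groups tried for HTTP logins, in order
        "users": {},         # name -> (privilege level, allowed call classes)
    }
    for line in lines:
        auth = re.match(r"aaa authentication http console (.+)", line)
        if auth:
            report["http_auth"] = auth.group(1).split()
        user = re.match(r"username (\S+) password ", line)
        if user:
            priv = re.search(r" privilege (\d+)\b", line)
            level = int(priv.group(1)) if priv else DEFAULT_PRIVILEGE
            report["users"][user.group(1)] = (level, allowed_calls(level))
    # Users who can issue every call: the ones to review for least privilege.
    report["full_access"] = sorted(
        name for name, (level, _) in report["users"].items() if level >= 15)
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, "=", value)
```
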

Hi @Sheraz.Salim 
Yes, thanks, it is fixed, but now I am trying to control the user privilege, because when I log in as the test user and configure privilege 5, I see the test user has all of GET - PUT - PATCH - POST - DELETE. Do you know how to control that?

BR Omar

You are doing LOCAL http authentication; in that case, for priv-5 you can narrow it down by giving the following configurations.

I have not tested these configurations; they might work or might not. But as an example, something like the below might work for you.

! Create a custom role for Read Only access
privilege cmd level 5 mode exec command http get
privilege cmd level 5 mode exec command http head
privilege cmd level 5 mode exec command http-options
privilege cmd level 5 mode exec command http-param
privilege cmd level 5 mode exec command url-server

privilege show level 5 command context
privilege show level 5 command mode
privilege show level 5 command users

privilege show level 5 command running-config
privilege show level 5 command version

! Assign the custom role to a test user
username testuser password <drere£$"asdf> privilege 5


 

please do not forget to rate.