cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Authenticating REST API calls to DNAC - Getting started

15150
Views
32
Helpful
9
Comments
Cisco Employee

I have seen a number of questions on the best way to authenticate a REST API call on DNA-Center.

The documentation on the DNA-C indicates that /api/system/v1/auth/token is the way to get an authentication token in a cookie.

For those writing python code or using postman, there is a simpler way to get an authentication token.

The API call /api/system/v1/auth/login uses basic authentication and returns a token in a JSON payload.

Here is an simple example in the Python REPL. First we setup the required imports (requests) and the URL for authentication along with the header.

>>> import requests

>>> from requests.auth import HTTPBasicAuth

>>> import json

>>> url = "https://adam-dnac/api/system/v1/auth/token"

>>> headers = {'content-type': 'application/json'}

We can now make a POST API call, using basic authentication and then print out the token.

>>> resp = requests.post(url, auth=HTTPBasicAuth(username='admin', password='password'), headers=headers,verify=False)

>>>

>>> token = resp.json()['Token']

>>> print token

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI1YTIwMjExY2I2MjZjOTAwOGUzMDc1NjMiLCJhdXRoU291cmNlIjoiaW50ZXJuYWwiLCJ0ZW5hbnROYW1lIjoiVE5UMCIsInJvbGVzIjpbIjVhMjAyMGU2NDQzYmE4OWZiNWQ1ZWQ0MiJdLCJ0ZW5hbnRJZCI6IjVhMjAyMTFiYjYyNmM5MDA4ZTMwNzU2MiIsImV4cCI6MTUyNTIwMzgwOCwidXNlcm5hbWUiOiJhZG1pbiJ9

This token will be required in a header for future API calls. It needs to be used in a header called x-auth-token.  I add the token to the header and I can now make authenticated API calls. This token is valid for sixty minutes, then you will need to repeat the step above.

>>> headers['x-auth-token'] = token

>>> network_device_count = requests.get('https://adam-dnac/api/v1/network-device/count', headers=headers, verify=False)

>>> print network_device_count.json()

{u'version': u'1.0', u'response': 74}

Success!!  There are 74 network devices on this controller.

For more examples of python code, please see the DevNet DNA-C learning labs https://learninglabs.cisco.com/lab/dnac-basic/step/1

I have posted a range of example in my github repository https://github.com/CiscoDevNet/dnac-samples-aradford

Good luck with the DNA-Center APIs.

Adam

9 Comments
Cisco Employee

Hi Adam

I am unable to execute any REST API successfully on sandbox dna instance (sandboxdnac.cisco.com). The error is always this:

{

    "message": "Role does not have valid permissions to access the API"

}

I am able to get auth token and sending that in the header for subsequent request as you have mentioned. Can this be an issue specific to sandbox only?

-Umesh

Cisco Employee

Are you trying GET api such as network-device?

All of the GET api should work.

I would double check the header and make sure the token is being sent.

Sent from my iPhone

Cisco Employee

My bad, I mistakenly used POST for the network-device APIs. Now it works with GET.

-Umesh

Cisco Employee

Hi Adam

 

I am trying to execute command runner api on public sandbox (sandboxdnac.cisco.com), but it fails with below error: POST /api/v1/network-device-poller/cli/read-request

{
"message": "Role does not have valid permissions to access the API"
}

 

It seems sandbox has limited permission but is there a way to make it work or some other environment to try out these APIs?

Thanks

Cisco Employee

try connecting on port 8080.  I put a proxy there to allow *some* POST api access.

Cisco Employee

Thanks Adam for quick reply. But unable to access on port 8080.

Trying to access in chrome gives below error and also doesn’t allow to accept the certificate and proceed. Same issue in postman.

Any clue or workaround?

 

sandboxdnac.cisco.com normally uses encryption to protect your information. When Google Chrome tried to connect to sandboxdnac.cisco.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be sandboxdnac.cisco.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit sandboxdnac.cisco.com right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

 

Cisco Employee
Turn off certificate check in postman.
Cisco Employee

Cool, works now, thanks so much. Had to download latest postman version, the one I was using didn't have option to turn off SSL.

Cisco Employee
If that was the case, then it was good to upgrade.
Content for Community-Ad
July's Community Spotlight Awards