cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21854
Views
37
Helpful
10
Comments
aradford
Cisco Employee
Cisco Employee

I have seen a number of questions on the best way to authenticate a REST API call on DNA-Center.

The documentation on the DNA-C indicates that /api/system/v1/auth/token is the way to get an authentication token in a cookie.

For those writing python code or using postman, there is a simpler way to get an authentication token.

The API call /api/system/v1/auth/login uses basic authentication and returns a token in a JSON payload.

Here is an simple example in the Python REPL. First we setup the required imports (requests) and the URL for authentication along with the header.

>>> import requests

>>> from requests.auth import HTTPBasicAuth

>>> import json

>>> url = "https://adam-dnac/api/system/v1/auth/token"

>>> headers = {'content-type': 'application/json'}

We can now make a POST API call, using basic authentication and then print out the token.

>>> resp = requests.post(url, auth=HTTPBasicAuth(username='admin', password='password'), headers=headers,verify=False)

>>>

>>> token = resp.json()['Token']

>>> print token

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI1YTIwMjExY2I2MjZjOTAwOGUzMDc1NjMiLCJhdXRoU291cmNlIjoiaW50ZXJuYWwiLCJ0ZW5hbnROYW1lIjoiVE5UMCIsInJvbGVzIjpbIjVhMjAyMGU2NDQzYmE4OWZiNWQ1ZWQ0MiJdLCJ0ZW5hbnRJZCI6IjVhMjAyMTFiYjYyNmM5MDA4ZTMwNzU2MiIsImV4cCI6MTUyNTIwMzgwOCwidXNlcm5hbWUiOiJhZG1pbiJ9

This token will be required in a header for future API calls. It needs to be used in a header called x-auth-token.  I add the token to the header and I can now make authenticated API calls. This token is valid for sixty minutes, then you will need to repeat the step above.

>>> headers['x-auth-token'] = token

>>> network_device_count = requests.get('https://adam-dnac/api/v1/network-device/count', headers=headers, verify=False)

>>> print network_device_count.json()

{u'version': u'1.0', u'response': 74}

Success!!  There are 74 network devices on this controller.

For more examples of python code, please see the DevNet DNA-C learning labs https://learninglabs.cisco.com/lab/dnac-basic/step/1

I have posted a range of example in my github repository https://github.com/CiscoDevNet/dnac-samples-aradford

Good luck with the DNA-Center APIs.

Adam

10 Comments
uwankhed
Cisco Employee
Cisco Employee

Hi Adam

I am unable to execute any REST API successfully on sandbox dna instance (sandboxdnac.cisco.com). The error is always this:

{

    "message": "Role does not have valid permissions to access the API"

}

I am able to get auth token and sending that in the header for subsequent request as you have mentioned. Can this be an issue specific to sandbox only?

-Umesh

aradford
Cisco Employee
Cisco Employee

Are you trying GET api such as network-device?

All of the GET api should work.

I would double check the header and make sure the token is being sent.

Sent from my iPhone

uwankhed
Cisco Employee
Cisco Employee

My bad, I mistakenly used POST for the network-device APIs. Now it works with GET.

-Umesh

uwankhed
Cisco Employee
Cisco Employee

Hi Adam

 

I am trying to execute command runner api on public sandbox (sandboxdnac.cisco.com), but it fails with below error: POST /api/v1/network-device-poller/cli/read-request

{
"message": "Role does not have valid permissions to access the API"
}

 

It seems sandbox has limited permission but is there a way to make it work or some other environment to try out these APIs?

Thanks

aradford
Cisco Employee
Cisco Employee

try connecting on port 8080.  I put a proxy there to allow *some* POST api access.

uwankhed
Cisco Employee
Cisco Employee

Thanks Adam for quick reply. But unable to access on port 8080.

Trying to access in chrome gives below error and also doesn’t allow to accept the certificate and proceed. Same issue in postman.

Any clue or workaround?

 

sandboxdnac.cisco.com normally uses encryption to protect your information. When Google Chrome tried to connect to sandboxdnac.cisco.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be sandboxdnac.cisco.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit sandboxdnac.cisco.com right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

 

aradford
Cisco Employee
Cisco Employee
Turn off certificate check in postman.
uwankhed
Cisco Employee
Cisco Employee

Cool, works now, thanks so much. Had to download latest postman version, the one I was using didn't have option to turn off SSL.

aradford
Cisco Employee
Cisco Employee
If that was the case, then it was good to upgrade.
abhijitbakale96
Level 1
Level 1

I am however facing the same issue as the postman replied with 

"message": "Role does not have valid permissions to access the API"
 
while trying to access command runner request!
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: