Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1003
Views
0
Helpful
0
Replies

Cisco ASA API Command Authorization Failed

DevinMarks3331
Level 1
Level 1

‎06-15-2020 06:37 AM

I have deployed the Cisco ASA API to several of my Cisco ASAs.  They are authenticating the http traffic with TACACS, and I have verified that the API is taking connections, and authenticating the user account.  I also have the enable_1 user in our TACACS configuration.

 

The issue is when I try to use the API to update a NAT rule, I get a 'command authorization failed' error.  If I run the script so that it executes a command that already exists, then it executes fine.  But if I try to make it update a NAT rule then it throws this error.

 

Logs and configuration below:

 

ASA http configuration:

aaa authentication http console tacGui LOCAL

 

TACACS Enable_1 user config:

group = defaultUserGroup {
default service = permit
service = exec {
priv-lvl = 15
}

} #END OF defaultUserGroup

 

user = enable_1 {
member = defaultUserGroup
} #END OF enable_1

 

Rest-API Debugging

[ra agent event]: 2020-06-15 13:16:34,876 DEBUG [base] The user privilege fetched from X-asa-privilege header is:15

[ra agent event]: 2020-06-15 13:16:34,876 DEBUG [startup]

Sending following commands to the device:
nat (10.10.40.254,ATT) 2 source dynamic any interface destination static NAT1 NAT2

 


[ra agent event]: 2020-06-15 13:16:35,193 DEBUG [k] INFO: Cannot read preferences file /nonexistent/.asdm/data/preferences.conf.

[ra agent event]: 2020-06-15 13:16:35,205 DEBUG [k] Command (http://127.0.0.1:8112/admin/config) started

[ra agent event]: 2020-06-15 13:16:35,205 DEBUG [k] POST URL = http://127.0.0.1:8112/admin/config XML:
<?xml version="1.0" encoding="ISO-8859-1"?>
<config-data config-action="merge" errors="continue">
<cli id="0">nat (10.10.40.254,ATT) 2 source dynamic any interface destination static NAT1 NAT2</cli>
</config-data>

 

TACACS Logging

Mon Jun 15 09:16:35 2020 [29874]: do_author: user='enable_1'
Mon Jun 15 09:16:35 2020 [29874]: user 'enable_1' found
Mon Jun 15 09:16:35 2020 [29874]: authorize_cmd: user=enable_1, cmd=show
Mon Jun 15 09:16:35 2020 [29874]: authorization query for 'enable_1' 0 from 10.10.40.254 accepted

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents