I have deployed the Cisco ASA API to several of my Cisco ASAs. They are authenticating the HTTP traffic with TACACS, and I have verified that the API is taking connections and authenticating the user account. I also have the enable_1 user in our TACACS configuration.
The issue is when I try to use the API to update a NAT rule, I get a 'command authorization failed' error. If I run the script so that it executes a command that already exists, then it executes fine. But if I try to make it update a NAT rule then it throws this error.
Logs and configuration below:
ASA http configuration:
aaa authentication http console tacGui LOCAL
TACACS Enable_1 user config:
group = defaultUserGroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
} #END OF defaultUserGroup

user = enable_1 {
    member = defaultUserGroup
} #END OF enable_1
REST API Debugging
[ra agent event]: 2020-06-15 13:16:34,876 DEBUG [base] The user privilege fetched from X-asa-privilege header is:15
[ra agent event]: 2020-06-15 13:16:34,876 DEBUG [startup]
Sending following commands to the device:
nat (10.10.40.254,ATT) 2 source dynamic any interface destination static NAT1 NAT2
[ra agent event]: 2020-06-15 13:16:35,193 DEBUG [k] INFO: Cannot read preferences file /nonexistent/.asdm/data/preferences.conf.
[ra agent event]: 2020-06-15 13:16:35,205 DEBUG [k] Command (http://127.0.0.1:8112/admin/config) started
[ra agent event]: 2020-06-15 13:16:35,205 DEBUG [k] POST URL = http://127.0.0.1:8112/admin/config XML:
<?xml version="1.0" encoding="ISO-8859-1"?>
<config-data config-action="merge" errors="continue">
<cli id="0">nat (10.10.40.254,ATT) 2 source dynamic any interface destination static NAT1 NAT2</cli>
</config-data>
TACACS Logging
Mon Jun 15 09:16:35 2020 [29874]: do_author: user='enable_1'
Mon Jun 15 09:16:35 2020 [29874]: user 'enable_1' found
Mon Jun 15 09:16:35 2020 [29874]: authorize_cmd: user=enable_1, cmd=show
Mon Jun 15 09:16:35 2020 [29874]: authorization query for 'enable_1' 0 from 10.10.40.254 accepted
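An added example, not part of the original post and not Cisco or tac_plus code, that correlates the two logs above: it pulls the CLI lines the REST agent reports sending to the device out of the ASA debug output and pairs each `authorize_cmd` entry in the TACACS log with the `accepted`/`rejected` line that follows it, then lists any sent command whose keyword never appears in an accepted authorization query. The sample input is constructed from the log lines in the post; the line formats (the `[ra agent event]:` prefix, the `Sending following commands to the device:` marker, the `authorize_cmd:` and `authorization query` wording) are assumed to be stable across the rest of the logs.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, copied in shape from the two logs in the post above.
ASA_DEBUG = """\
[ra agent event]: 2020-06-15 13:16:34,876 DEBUG [base] The user privilege fetched from X-asa-privilege header is:15
[ra agent event]: 2020-06-15 13:16:34,876 DEBUG [startup]
Sending following commands to the device:
nat (10.10.40.254,ATT) 2 source dynamic any interface destination static NAT1 NAT2
[ra agent event]: 2020-06-15 13:16:35,193 DEBUG [k] INFO: Cannot read preferences file /nonexistent/.asdm/data/preferences.conf.
"""

TACACS_LOG = """\
Mon Jun 15 09:16:35 2020 [29874]: do_author: user='enable_1'
Mon Jun 15 09:16:35 2020 [29874]: user 'enable_1' found
Mon Jun 15 09:16:35 2020 [29874]: authorize_cmd: user=enable_1, cmd=show
Mon Jun 15 09:16:35 2020 [29874]: authorization query for 'enable_1' 0 from 10.10.40.254 accepted
"""

# Assumed line formats, taken from the logs as posted.
ASA_PREFIX = re.compile(r"^\[ra agent event\]: ")
SENDING_MARKER = "Sending following commands to the device:"
AUTHZ_CMD = re.compile(r"authorize_cmd: user=(?P<user>\S+), cmd=(?P<cmd>\S+)")
AUTHZ_RESULT = re.compile(
    r"authorization query for '(?P<user>[^']+)' \d+ from \S+ (?P<result>accepted|rejected)"
)


def commands_sent(asa_debug: str) -> list[str]:
    """Return the CLI lines the REST agent reports pushing to the ASA.

    Every non-empty line after the 'Sending following commands' marker is
    treated as a command until the next '[ra agent event]' log line.
    """
    cmds: list[str] = []
    collecting = False
    for line in asa_debug.splitlines():
        if ASA_PREFIX.match(line):
            collecting = False
        if collecting and line.strip():
            cmds.append(line.strip())
        if line.strip() == SENDING_MARKER:
            collecting = True
    return cmds


@dataclass
class AuthzRecord:
    user: str
    cmd: str
    result: str = "unknown"  # filled in from the following 'authorization query' line


def tacacs_authorizations(tacacs_log: str) -> list[AuthzRecord]:
    """Pair each authorize_cmd entry with the accepted/rejected line that follows it."""
    records: list[AuthzRecord] = []
    pending: AuthzRecord | None = None
    for line in tacacs_log.splitlines():
        m = AUTHZ_CMD.search(line)
        if m:
            pending = AuthzRecord(m["user"], m["cmd"])
            records.append(pending)
            continue
        m = AUTHZ_RESULT.search(line)
        if m and pending is not None and pending.user == m["user"]:
            pending.result = m["result"]
            pending = None
    return records


def unauthorized_commands(asa_debug: str, tacacs_log: str) -> list[str]:
    """Commands the agent sent whose leading keyword was never accepted by TACACS.

    The log as posted records only the command keyword in authorize_cmd
    (cmd=show), so matching is done on the first token of each sent command.
    """
    accepted = {r.cmd for r in tacacs_authorizations(tacacs_log) if r.result == "accepted"}
    return [cmd for cmd in commands_sent(asa_debug) if cmd.split()[0] not in accepted]


if __name__ == "__main__":
    for rec in tacacs_authorizations(TACACS_LOG):
        print(f"TACACS saw: user={rec.user} cmd={rec.cmd} -> {rec.result}")
    for cmd in unauthorized_commands(ASA_DEBUG, TACACS_LOG):
        print(f"sent to device without an accepted authorization query: {cmd}")
```

Run against the two logs in the post, the only authorization query the TACACS server records is for `show`, while the line the agent sent is the `nat` command, so that command is reported as having no matching accepted query. Comparing the two logs side by side this way shows whether the command authorization request ever reached the TACACS server for the command that failed, which narrows the problem to either the ASA's HTTP command authorization path or the TACACS policy.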