04-15-2015 07:41 AM
Trying to set up the XML API on an ASR 9K and find myself unable to authenticate with the XML API using Netcat.
I've configured the box as below:
Building configuration...
!! IOS XR Configuration 5.1.2
!! Last configuration change at Wed Apr 15 07:19:42 2015 by root
!
username xml
 group sysadmin
 secret 5 $1$LY8B$39t3eTXf/ajMGWnX99.ux0
 password 7 07182E414C080D1657
!
aaa authorization exec default group tacacs+ local
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 10.2.100.1 255.255.0.0
!
interface MgmtEth0/RSP0/CPU0/1
 shutdown
!
interface TenGigE0/0/2/0
 shutdown
!
interface TenGigE0/0/2/1
 shutdown
!
interface TenGigE0/0/2/2
 shutdown
!
interface TenGigE0/0/2/3
 shutdown
!
router static
 address-family ipv4 unicast
  0.0.0.0/0 10.2.0.1
 !
!
ssh server v2
xml agent ssl
!
xml agent tty
!
xml agent
 iteration on size 100
!
end
and
RP/0/RSP0/CPU0:ios# xml echo
Wed Apr 15 07:27:10.765 UTC
XML>
I've got two test users, root:root and xml, both of which I can connect to using SSH, though the XML interface seems to reject them - using nc:
alexanderturner@Alexanders-MacBook-Pro~/Downloads> nc -v 10.2.100.1 38751
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 10.0.1.40 port 61066
dst 10.2.100.1 port 38751
rank info not available
TCP aux info available
Connection to 10.2.100.1 port 38751 [tcp/*] succeeded!
User Access Verification
Username: root
Password: root
User Access Verification
Is this not authing against local?
Thanks,
Alex
04-18-2015 06:34 AM
hey alex,
it is likely failing tacacs author because of this line:
aaa authorization exec default group tacacs+ local
as long as the tacacs server is available, it will try against him and if that user doesn't exist in tacacs, it will fail that shell author.
revise config to:
aaa authentication login default local
aaa authorization exec default local
have a local username available that has cisco-support/root-system
or you can also do a debug aaa author and debug tacacs and see what service is requested so that the user profile can be updated providing that author if you like to leave the existing tacacs author in place.
cheers!
xander
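The fall-through rule behind this answer, modelled as an added example (not part of the original thread and not Cisco code): a later method in an AAA list is consulted only when the earlier one gives no answer, never when it answers with a reject. The user sets are constructed, and the TACACS+ decision is simplified to membership in a set.

```python
import re

def parse_method_list(line):
    """Return the ordered methods of an 'aaa ... default' method-list line."""
    m = re.match(r"aaa (authorization exec|authentication login) default (.+)$",
                 line.strip())
    if not m:
        raise ValueError(f"not a default method list: {line!r}")
    tokens, methods = m.group(2).split(), []
    while tokens:
        tok = tokens.pop(0)
        if tok == "group":                 # 'group tacacs+' names a server group
            if not tokens:
                raise ValueError("'group' without a server group name")
            methods.append(tokens.pop(0))
        else:
            methods.append(tok)            # e.g. 'local'
    return methods

def evaluate(methods, user, tacacs_reachable, tacacs_users, local_users):
    """Walk the list; only an ERROR (no reply) falls through to the next method."""
    for method in methods:
        if method == "tacacs+":
            if not tacacs_reachable:
                continue                   # ERROR: server silent, try next method
            # A reachable server's reject is final; 'local' is never consulted.
            return ("PASS" if user in tacacs_users else "FAIL", method)
        if method == "local":
            return ("PASS" if user in local_users else "FAIL", method)
    return ("FAIL", None)                  # every method errored out

# Constructed sample data (assumptions, not taken from a real TACACS+ server).
LOCAL_USERS = {"root", "xml"}              # local usernames from the thread
TACACS_USERS = {"netops"}                  # hypothetical server-side profile
ORIGINAL = "aaa authorization exec default group tacacs+ local"
REVISED = "aaa authorization exec default local"

if __name__ == "__main__":
    for label, line, reachable in [("original, TACACS+ up", ORIGINAL, True),
                                   ("original, TACACS+ down", ORIGINAL, False),
                                   ("revised, TACACS+ up", REVISED, True)]:
        verdict = evaluate(parse_method_list(line), "root", reachable,
                           TACACS_USERS, LOCAL_USERS)
        print(f"{label:24} -> {verdict}")
```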