XML API Authentication Fails

alexturner121
Level 1

Trying to set up the XML API on an ASR 9K and find myself unable to authenticate with the XML API using Netcat.

I've configured the box as below:

Building configuration...
!! IOS XR Configuration 5.1.2
!! Last configuration change at Wed Apr 15 07:19:42 2015 by root
!
username xml
 group sysadmin
 secret 5 $1$LY8B$39t3eTXf/ajMGWnX99.ux0
 password 7 07182E414C080D1657
!
aaa authorization exec default group tacacs+ local
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 10.2.100.1 255.255.0.0
!
interface MgmtEth0/RSP0/CPU0/1
 shutdown
!
interface TenGigE0/0/2/0
 shutdown
!
interface TenGigE0/0/2/1
 shutdown
!
interface TenGigE0/0/2/2
 shutdown
!
interface TenGigE0/0/2/3
 shutdown
!
router static
 address-family ipv4 unicast
  0.0.0.0/0 10.2.0.1
 !
!
ssh server v2
xml agent ssl
!
xml agent tty
!
xml agent
 iteration on size 100
!
end

and on the console:

RP/0/RSP0/CPU0:ios# xml echo
Wed Apr 15 07:27:10.765 UTC
XML>

I've got two test users, root:root and xml, both of which I can connect with using SSH, though the XML interface seems to reject them. Using nc:

alexanderturner@Alexanders-MacBook-Pro~/Downloads> nc -v 10.2.100.1 38751
found 0 associations
found 1 connections:
    1:  flags=82<CONNECTED,PREFERRED>
    outif en0
    src 10.0.1.40 port 61066
    dst 10.2.100.1 port 38751
    rank info not available
    TCP aux info available

Connection to 10.2.100.1 port 38751 [tcp/*] succeeded!


User Access Verification

Username: root
Password: root


User Access Verification

Is this not authing against local?

Thanks,

Alex

1 Reply

xthuijs
Cisco Employee

Hey Alex,

It is likely failing TACACS authorization because of this line:

aaa authorization exec default group tacacs+ local

As long as the TACACS server is available it will try against it, and if that user doesn't exist in TACACS, it will fail that shell authorization.

Revise the config to:

aaa authentication login default local

aaa authorization exec default local

Have a local username available that has cisco-support/root-system.

Or you can also do a debug aaa author and debug tacacs and see what service is requested, so that the user profile can be updated providing that authorization, if you like to leave the existing TACACS authorization in place.

cheers!

xander
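The nc session in the question shows the failure mode in the raw: the plaintext XML agent on TCP 38751 prints "User Access Verification", prompts for Username: and Password:, and when AAA rejects the login it simply prints the banner again. The script below is an added example, not code from the thread or from Cisco; it automates exactly that exchange so the effect of an AAA method-list change can be checked without eyeballing a terminal. The fake agent it starts on 127.0.0.1 is a constructed stand-in that mimics the prompts from the transcript; its "XML> " greeting after a good login is an assumption (the transcript only shows that prompt from `xml echo` on the console), so the client treats anything other than a repeated banner as success. Two things a reviewer would flag before automating anything against a real box: the credentials cross the wire in clear text on this port (the thread's config also enables `xml agent ssl`, which is the one to use), and the pasted config carries a `password 7` string, which is reversibly encoded rather than hashed.

```python
"""Probe the IOS XR XML agent's plaintext TCP login (default port 38751).

Added example, not from the original post. The fake agent is a constructed
stand-in so the client runs offline; the real device's post-login output is
not shown in the thread, so the client keys only on the re-prompt.
"""
import socket
import threading

BANNER = b"\r\n\r\nUser Access Verification\r\n\r\n"
USER_PROMPT = b"Username: "
PASS_PROMPT = b"Password: "


def _read_until(sock, marker, timeout=3.0):
    """Read until marker appears, the peer closes, or timeout elapses."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def xml_agent_login(host, port, username, password, timeout=3.0):
    """Log in to the XML agent; return ("accepted"|"rejected", bytes_after_login).

    Rejection is detected the way the thread shows it: instead of letting the
    session proceed, the agent comes back with the "User Access Verification"
    banner and another Username: prompt.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if USER_PROMPT not in _read_until(sock, USER_PROMPT, timeout):
            raise RuntimeError("no Username: prompt; is this the XML agent port?")
        sock.sendall(username.encode() + b"\r\n")
        if PASS_PROMPT not in _read_until(sock, PASS_PROMPT, timeout):
            raise RuntimeError("no Password: prompt after sending the username")
        sock.sendall(password.encode() + b"\r\n")
        after = _read_until(sock, USER_PROMPT, timeout)
        if b"User Access Verification" in after or USER_PROMPT in after:
            return ("rejected", after)
        return ("accepted", after)


def start_fake_agent(valid_user, valid_password):
    """Constructed stand-in for the device on an ephemeral localhost port.

    Same prompts as the transcript; a failed login re-sends the banner, a
    successful one sends an assumed "XML> " greeting and closes.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            f = conn.makefile("rb")
            while True:
                conn.sendall(BANNER + USER_PROMPT)
                line = f.readline()
                if not line:
                    return
                user = line.strip()
                conn.sendall(PASS_PROMPT)
                line = f.readline()
                if not line:
                    return
                pw = line.strip()
                if user == valid_user.encode() and pw == valid_password.encode():
                    conn.sendall(b"\r\nXML> ")  # assumed greeting, see docstring
                    return
                conn.sendall(b"\r\n")  # bad login: loop and show the banner again

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_agent("xml", "s3cret")  # constructed test account
    for creds in (("root", "root"), ("xml", "s3cret")):
        status, _ = xml_agent_login("127.0.0.1", port, *creds, timeout=1.0)
        print(f"{creds[0]}: {status}")
```

Against a real ASR 9K, point `xml_agent_login` at the management address and port 38751 instead of the fake agent; a "rejected" result after the reply's `aaa authentication login default local` / `aaa authorization exec default local` change means the local account is still missing the task group the agent needs, which is what the suggested `debug aaa author` would show.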