API REST FXOS chassis 9300 or 4100 Firepower

Answered Question
May 3rd, 2017

Hi,

I was reading the below documentation about API REST of chassis (FXOS):

https://developer.cisco.com/site/ssp/firepower/ 

But I haven't found more information about the FXOS REST API (it is only mentioned at http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos211/cli...).

I have two pairs of 4100 Firepower and two pairs of 9300 Firepower, and they are connected to FMC 4000. I was trying to configure both pairs from API FXOS but I couldn't authenticate to FXOS API. FMC REST API is working and I can make GET, POST, etc.

Any idea about more information about FXOS API?


My request via POSTMAN is:

POST https://<Firepower Chassis_chassis_fqdn>[:management_port]/api/login

with HTTP Headers

Content-type HTTP set to application/json

USERNAME = <name of the user>

PASSWORD = <url_encoded_password>


Output is:

ERROR 400 with Payload

{
"error-code": "551",
"error-description": "Authentication failed",
"error-nr": "unidentified-fail"
}


Thank you in advance.

neipatel (Cisco Employee) Wed, 05/03/2017 - 08:10

josemaria.perez,


Have you tried using basic authorization rather than directly adding the fields to the header? This will ensure that the encoding is done properly and should return a token back in the header for use in all subsequent requests. 

JOSE MARIA PERE... Thu, 05/04/2017 - 08:56

Hi neipatel:


Thanks for your help. For example, if I make a curl request to the FMC 4000 to get the token, basic auth works, but I have tried it for this case and I get the same output error. I have checked from Postman and the CLI.

$ curl -k --user username:password https://<Firepower Chassis_chassis_fqdn>/api/login

Cache-Control: no-store, must-revalidate
Content-type: application/json

{"error-code": "552", "error-description": "Authorization required", "error-nr": "service-unavailable"}


Does anybody know whether this API is working? The FMC API is OK.

Veronika Klauzova (Cisco Employee) Tue, 05/16/2017 - 13:27

Hello,

What FCM/FXOS version are you using?


I have tried now on FXOS 2.1.1.77 and it is working fine. Here is the syntax as an example that you can use:

$ curl -X POST -v -k -H "Authorization: Basic YWRtaW46VmtsYXV6b3YxMjM=" https://192.168.0.38/api/login --insecure -H "USERNAME=admin" -H "\
> Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
> USERNAME:admin
> PASSWORD:Admin12345
> //Content-Type:application/x-www-form-urlencoded\
>
> "
* Trying 192.168.0.38...
* Connected to 192.168.0.38 (192.168.0.38) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: FPR4100
> POST /api/login HTTP/1.1
> Host: 192.168.0.38
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Basic YWRtaW46VmtsYXV6b3YxMjM=
> Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
> USERNAME:admin
> PASSWORD:Admin12345
> //Content-Type:application/x-www-form-urlencoded
>
>
< HTTP/1.1 200 OK
< Date: Tue, 16 May 2017 20:22:41 GMT
< Server: Apache/2.4.16 (Unix) CiscoSSL/1.0.2j.6.0.269-fips
< Set-Cookie: SSA_C=2e85c9ea-9997-40d5-9f61-5805170417f9; Path=/; secure; Version=1
< Set-Cookie: SSA_T="1494966162/ea1cc996-7eff-4ba5-b95f-409fcfa34d5d"; httponly; Path=/; secure; Version=1
< Set-Cookie: SSA_U=admin; httponly; Path=/; secure; Version=1
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-cache, no-store
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: application/json
<
{"token": "1494966162/ea1cc996-7eff-4ba5-b95f-409fcfa34d5d", "refreshPeriod": "600"}
* Connection #0 to host 192.168.0.38 left intact

Enjoy,

Veronika

JOSE MARIA PERE... Thu, 05/25/2017 - 03:55

Hi Veronika,


Thank you very much for your help. The version of FXOS is 2.1.1.64 and FMC is 6.2.0. I have tried, but it doesn't work for the 4100 chassis. I will update the firmware and FXOS next week and I will retry connecting to the API.


All the best.

Correct Answer
Veronika Klauzova (Cisco Employee) Thu, 05/25/2017 - 05:31

So what output do you see after using the adjusted command which I have shared? Still the same error 552 as before?


Full command to be used:

curl -X POST -v -k -H "Authorization: Basic YWRtaW46VmtsYXV6b3YxMjM=" https://192.168.0.38/api/login --insecure -H "USERNAME=admin" -H "\
> Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
> USERNAME:admin
> PASSWORD:Admin12345
> //Content-Type:application/x-www-form-urlencoded\
>
> "

Just keep in mind to change the IP address 192.168.0.38 to the IP address of your Firepower Chassis Manager / FXOS manager, along with the proper credentials; the rest of the command attributes you can keep as above.

JOSE MARIA PERE... Thu, 05/25/2017 - 08:37

Hi Veronika:

Now, it is working. I have the same output and I have the token :) . I think that my error was to encode my password wrong for the basic authentication.

It is working at 4100 and 9300 series.

Also, I have modified your POST request. I have deleted two headers and modified Content-Type to application/json (the documentation from CISCO says: "All REST API clients must send an HTTP Accept Header that is set to application/json", from https://developer.cisco.com/site/ssp/firepower/), and the curl command should be:

curl -X POST -v -k https://yourFXOS_IP/api/login --insecure -H "\
Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
USERNAME:admin
PASSWORD:admin12345
//Content-Type:application/json\
"

For me, it is working.

Thank you very much for your help.
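
Added example, not part of the thread or of Cisco's documentation: a shell sketch of the two steps the thread turns on. It builds the Basic Authorization value from the raw username and password, using printf so that no trailing newline is encoded, and reads the token or the error code out of an /api/login response body. The function names are hypothetical, and the credentials and token are constructed sample values.

```shell
#!/bin/sh
# Build the value for "Authorization: Basic <value>".
# $1 = username, $2 = raw password (not URL-encoded).
# printf is used instead of echo: echo appends a newline, which would be
# encoded as part of the password and make the server reject the login.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a Basic value back to "user:password" to verify what will be sent.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Pull one string field out of the flat JSON object returned by /api/login.
# $1 = JSON text, $2 = field name (e.g. token, error-code).
json_field() {
    printf '%s' "$1" | sed -n 's/.*"'"$2"'": *"\([^"]*\)".*/\1/p'
}

# Print the token and refresh period on success, or the error code and
# description (as in the 551/552 bodies quoted in the thread) on failure.
login_result() {
    token=$(json_field "$1" token)
    if [ -n "$token" ]; then
        printf 'token=%s refresh=%s\n' "$token" "$(json_field "$1" refreshPeriod)"
    else
        printf 'error=%s (%s)\n' "$(json_field "$1" error-code)" \
            "$(json_field "$1" error-description)"
        return 1
    fi
}

# Constructed sample values, for illustration only.
value=$(basic_auth_value 'apiuser' 'p@ss:w0rd 1')
printf 'header: Authorization: Basic %s\n' "$value"
printf 'decodes to: %s\n' "$(basic_auth_decode "$value")"
login_result '{"token": "0000000000/00000000-0000-0000-0000-000000000000", "refreshPeriod": "600"}'
```

The commands in the thread use -k/--insecure, which turns off certificate verification; once the chassis certificate is trusted locally, curl's --cacert option lets the same request run without it.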

Veronika Klauzova (Cisco Employee) Thu, 05/25/2017 - 08:39

You're welcome, you saved some time on an upgrade that was not necessary. Glad that it works now.


By the way thanks for sharing Cisco recommendations and relevant doc.
