Hi Alvin,
I can confirm that my POST to Login does result in a 200 OK and a valid cookie. The request that I have been testing is GET /system/vlans which is failing with 403. Your question lead me to test a POST request which I did just now. I received a 405 method not supported when POSTing
{"id": 50, "name": "bob"}
to /system/vlans. Given that the response code was not 401 but 405 leads me to think that my session auth is OK. The problem of 405 is probably with my code/url/interpretation of the API spec.
The issue isn't only affecting API access, it also prevents me from logging into the switch's GUI. For whatever reason I'm not managing to upload the image of the login failure message, but it reads
Login Failed
User not authorized to login.
Only members of built-in groups are allowed access
The message makes sense, but that I'm not a member of a group doesn't. According to the docs, priv-lvl 15 corresponds to the administrators group.
Interestingly enough, I just noticed the following
lance-the-builder# show user-group
GROUP NAME GROUP TYPE INCLUDED GROUP NUMBER OF RULES
-------------- -------------- ------------------ -------------------
administrators built-in n/a n/a
auditors built-in n/a n/a
operators built-in n/a n/a
lance-the-builder# show user information
Username : conor
Authentication type : TACACS
User group : root
User privilege level : N/A
It's interesting to note that according to the switch my user group is root and not administrators and that I have no privilege level as I assume the switch sees root and goes OK, you're the boss.
I'm guessing that my challenge is to now not end up in the root group, but rather the administrators. I'm guessing that has something to do with what Clearpass is returning to the switch. I'll keep digging.
------------------------------
Conor Cunningham
------------------------------
Original Message:
Sent: Jan 19, 2021 12:50 PM
From: Alvin Castro
Subject: Aruba CXOS REST API with Tacacs AAA
Hi Conor,
It does appear that the REST session is trying to authenticate (and one message makes it seem like it authenticated correctly). Does this occur with every API call made, or any particular one?
Thanks,
Alvin
------------------------------
Alvin Castro
Original Message:
Sent: Jan 19, 2021 11:05 AM
From: Conor Cunningham
Subject: Aruba CXOS REST API with Tacacs AAA
Hello,
Thanks for the correspondence. My event log shows this (thanks for that tip, wasn't aware of that command).
2021-01-19T16:01:00.552271+00:00 ds1-tor-01 hpe-restd[2119]: Event|4605|LOG_INFO|AMM|-|Session ended for user bob, session bSu2gMh4ZqIfC2KNvd4I8Q==2021-01-19T16:01:00.550404+00:00 ds1-tor-01 hpe-restd[2119]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user bob, for resource SessionMgmt, with action POST2021-01-19T16:01:00.518497+00:00 ds1-tor-01 hpe-restd[2119]: Event|4606|LOG_ERR|AMM|-|Authorization failed for user bob, for resource Banner, with action GET2021-01-19T16:01:00.508342+00:00 ds1-tor-01 hpe-restd[2119]: Event|4604|LOG_INFO|AMM|-|Session started for user bob, session bSu2gMh4ZqIfC2KNvd4I8Q==2021-01-19T16:01:00.507759+00:00 ds1-tor-01 hpe-restd[2119]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user bob in session bSu2gMh4ZqIfC2KNvd4I8Q==
I find it strange that authorisation for GET is denied, but is permitted for POST - I would typically expect that to be the other way around.
I'll do some more digging and come back here with any other relevant logs and info.
------------------------------
Conor Cunningham
Original Message:
Sent: Jan 19, 2021 05:52 AM
From: Alexis La Goutte
Subject: Aruba CXOS REST API with Tacacs AAA
Hello,
What do you have on the log ? (show events -r)
------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..
ACEP / ACMX #107 / ACDX #1281
Original Message:
Sent: Jan 18, 2021 09:34 AM
From: Conor Cunningham
Subject: Aruba CXOS REST API with Tacacs AAA
I'm building a new network for a customer with some CXOS 8320 switches in two separate VSXs. I've been happily using the REST API until I setup AAA to Clearpass which has resulted in me getting a 403 every time I try to read from an endpoint.
I can SSH into the switches and perform all commands so I suspect it has something to do with authorisation.
Here is my AAA config
```
tacacs-server host clearpass.domain.com key ciphertext 12345 vrf mgmt
!
aaa group server tacacs clearpass
server clearpass.domain.com vrf mgmt
aaa authentication login ssh group tacacs local
aaa authentication login console group tacacs local
aaa authentication login https-server group tacacs local
aaa authentication login default group tacacs local
aaa authorization commands ssh group tacacs local
aaa authorization commands console group local
aaa authorization commands default group tacacs local
```
And my HTTP configuration
```
https-server vrf mgmt
https-server rest access-mode read-write # this is the default
```
I can't find any tips in the cxos security doc and I can see any commands in the OS itself which look like they grant permissions for the API.
Clearpass is sending an attribute of `priv-lvl 15` which should map to the local Adminstrators group. This appears to be working as when I login via SSH I have full read-write access.
Any help much appreciated!
Cheers,
Lordboringhenry
------------------------------
Conor Cunningham
------------------------------