API: Cisco ISE, FMC and ASA

How to enable the API on Cisco ISE, FMC, and ASA? The first two are easy, but ASA was not.

Cisco ISE

Follow this link. Very straightforward. Check that it is working by going to https://ISE_FQDN:9060/ers/sdk.

Cisco Firepower Management Center (FMC)

Not very intuitive, but in a nutshell, follow this setup. By default, the API is enabled. You will need to set up a user account on FMC and assign it roles such as Discovery Admin, Intrusion Admin, and Security Analyst (Read-Only). Then check it by going to https://FMC_FQDN/api/api-explorer/.

Cisco ASA

Out of all three, I thought this one would be the easiest. I started with this link. Downloaded and installed the package, but no luck, as I started getting authorization errors. Next, I googled different issues with the API. Came across this one.

Workaround:
Create an “enable_1” user with privilege 15 on the AAA server/Local user database. Restart the agent
no rest-api agent
rest-api agent

First, make it work with local Auth/Authz configuration.

AAA authorization command is required.

Create a local API user on the ASA with privilege 15, and an enable_1 user with privilege 15 (no password needed).

aaa authentication http console LOCAL
aaa authorization command LOCAL
username enable_1 privilege 15
username API password *** encrypted privilege 15

Disable/Re-enable API.

no rest-api agent
rest-api agent

Wait, as the agent takes a while to start. Enable debug to monitor its progress.

debug rest-api

Test the API. If it is not working, add an enable_15 user with privilege 15 to the ASA and try again (for me it was not needed).

If all works, then remove the enable_1 account and move to the TACACS (ISE) Auth/AuthZ configuration.

To make it work with ISE, change the aaa authentication and authorization scheme to use TACACS+ and restart the API.

aaa authentication http console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

Disable/Re-enable API.

no rest-api agent
rest-api agent

Create enable_1 on ISE as a user, with some random password.

Next, add the AuthZ policy to allow API authorizations. Shell privilege 5 will be enough for read-only API access. Make sure both the API username and enable_1 are included. Also, list the Network Devices permitted for API access.

Depending on how you test the API, keep in mind that the ASA is not very friendly with web browsers. Instead of going to the https://ASA_IP/api/ link, use https://ASA_IP/doc/. You can verify API functionality from there.

In case it does not work, try another browser in incognito mode and restart the API.

no rest-api agent
rest-api agent
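To test the ASA API without a browser, here is an added probe script (my example, not from the post or from Cisco): it sends a basic-auth GET with the API user from the post and maps the response to the troubleshooting step above. The ASA address, password, the /api/monitoring/serialnumber path and the "REST API Agent" User-Agent value are assumptions; swap in any read-only resource you prefer.

```python
import base64
import json
import ssl
import time
import urllib.error
import urllib.request

# Constructed placeholders: the ASA address and the 'API' user created in the post.
ASA_HOST = "ASA_IP"
API_USER = "API"
API_PASS = "CHANGE_ME"
# Read-only resource used as the probe (path assumed from the ASA REST API guide).
PROBE_PATH = "/api/monitoring/serialnumber"


def build_request(host, user, password, path=PROBE_PATH):
    """Return (url, headers) for a basic-auth GET. The User-Agent value is the
    one the ASA agent expects (assumed); plain browsers do not send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "User-Agent": "REST API Agent",
               "Accept": "application/json"}
    return f"https://{host}{path}", headers


def classify(status, body):
    """Map the HTTP status to the next step from the post."""
    if status == 200:
        return "ok", json.loads(body)
    if status in (401, 403):
        return "auth", ("check the API user's password and 'aaa authentication http console', "
                        "then the enable_1 priv-15 user and 'aaa authorization command'")
    if status in (502, 503):
        return "starting", "agent not up yet: wait, or 'no rest-api agent' / 'rest-api agent'"
    return "unknown", f"unexpected HTTP {status}"


def probe(host, user, password, attempts=6, delay=10):
    """Poll until the agent answers; returns the last classify() result."""
    url, headers = build_request(host, user, password)
    ctx = ssl._create_unverified_context()  # ASA self-signed cert; trust/pin it in production
    result = ("starting", "no response")
    for _ in range(attempts):
        try:
            with urllib.request.urlopen(urllib.request.Request(url, headers=headers),
                                        context=ctx, timeout=15) as resp:
                result = classify(resp.status, resp.read().decode())
        except urllib.error.HTTPError as e:
            result = classify(e.code, e.read().decode(errors="replace"))
        except urllib.error.URLError as e:
            result = ("starting", f"no answer yet: {e.reason}")
        if result[0] != "starting":
            return result
        time.sleep(delay)
    return result


if __name__ == "__main__":
    print(probe(ASA_HOST, API_USER, API_PASS))
```

Run it right after "rest-api agent"; it keeps retrying while the agent is still coming up, and a 401/403 points you back at the enable_1 workaround.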
