RESTCONF http server configuration with aaa

I wasn’t sure where to post this so apologies in advance if this is not the right spot.

I was recently using one of the DevNet ‘always-on’ routers to practice some REST API calls with Postman in advance of my certification exam.
I decided to check the running config of the router to see how the authN/authZ of the http server was arranged so as to enable RESTCONF communications.

I have included a screen shot that shows the output of show run aaa and show run | s http.

You will notice that aaa new-model has been invoked and the respective default method lists have been declared.

According to the Cisco documentation that I found on the web, the command ip http authentication aaa should also be present - but this is actually absent in the DevNet router config.
So, question #1 — why is this command missing?

Instead, ip http authentication local appears in the running config.
Question #2 — why is this command here when we have defined the default method lists that include local; ip http authentication local seems like the command one would use to invoke the username/pw database when no aaa new-model is configured.

Question #3 — is aaa new-model required to allow RESTCONF to work, or can we simply use AuthN/AuthZ with the local users database without aaa, i.e. ip http authentication local?

Question #4 — what is the correct aaa configuration for http authN/AuthZ on IOS / IOS XE that is required for RESTCONF?

It would be much appreciated if someone could kindly clear this up for me.

PS

Ok, so after writing this post, it finally dawned on me what must be happening here…

Since the DevNet router omits the ip http authentication aaa statement, and includes ip http authentication local, then it must simply use the local database without invoking aaa.

On the other hand, line vty is using the default authN/authZ method lists in aaa.

My initial confusion stems from the fact that since aaa was enabled in the configuration, then we should logically try to use aaa for the lines and for http.

So knowing this, it still begs the question of why go to the trouble of configuring aaa to only use it on the lines and not http?


https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/63910-aaa-control-ios-http.html#t4

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-13/configuration_guide/sec/b_1713_sec_9200_cg/configuring_local_authentication_and_authorization.html

Hello Sandro

First of all, thanks for following up on your post with the new information you obtained. That’s very helpful to everyone on the forum, so kudos for that!

Now you have to remember that the “always on” DevNet routers are not always set up optimally for production networks. Their purpose is to provide a “sandbox” or testbed to test out various configurations.

For questions 1 and 2, you’ve already answered them.

For question 3, yes, enabling RESTCONF requires the aaa new-model command. This is necessary because RESTCONF uses HTTP-based methods which need AAA services, and this command essentially enables these services.

For question 4, take a look at this NetworkLessons note on how to set up AAA for RESTCONF.

This goes back to the fact that these “always on” devices are sandboxes used to test various configurations. This is the initial setup, and for whatever reason it is set up that way. You can make appropriate changes in your implementation based on best practices. You shouldn’t have too much concern about the initial config that they have in the setup. Indeed it does seem a shame not to use AAA for more than just the VTY lines. In a production network you should apply AAA to all related operations.

I hope this has been helpful!

Laz

1 Like
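For readers who want to see the pieces from this thread assembled, here is an added example of an IOS XE configuration that sends RESTCONF authentication through the AAA method lists rather than straight to the local database. It is not taken from the original posts, the DevNet router, or the NetworkLessons note; the hostname-free layout, the username and the secret are placeholders, and the `! ` lines are comments.

```text
! Added example: RESTCONF over HTTPS authenticated via AAA method lists.
! Username and secret are placeholders; replace them before use.
!
aaa new-model
!
! Default method lists. Only the local database is listed here; a RADIUS
! or TACACS+ server group can be placed before "local" so the box consults
! the central server first and falls back to local users if it is unreachable.
aaa authentication login default local
aaa authorization exec default local
!
! RESTCONF operations require a privilege-15 user.
username restconf-admin privilege 15 secret <PLACEHOLDER-SECRET>
!
! RESTCONF rides on the HTTPS server; keep the plaintext HTTP server off.
no ip http server
ip http secure-server
!
! Hand HTTP(S) authentication and authorization to AAA. This is the line
! the DevNet router was missing. The named-list form is
!   ip http authentication aaa login-authentication <list>
!   ip http authentication aaa exec-authorization <list>
! With "ip http authentication local" instead, the HTTP server checks the
! username database directly and never consults the method lists above, so
! any RADIUS/TACACS+ policy configured in AAA is bypassed for RESTCONF.
ip http authentication aaa
!
restconf
!
! Verify with the same commands used in the thread:
!   show run aaa
!   show run | section http
```

Because `aaa new-model` switches the VTY lines to the default method lists as well, both SSH and RESTCONF end up governed by one authentication policy, which is the point Laz makes about applying AAA to all related operations rather than only the lines.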

Laz,
Thank you for the feedback, it was very, very helpful.
By the way, I’ve been following your excellent BGP videos on YouTube.
You are the best! :+1:

Sandro

1 Like

Hello Sandro

Glad to be of help, and I’m glad you find my videos helpful too!

Laz