Cisco ASA 5555-X Adaptive Security Appliance
About the ASA REST API v1.2.1
Token Authentication API
Reason | HTTP Status Code
AAA validation failure / Authorization header not present | 401 Unauthorized
Authentication success | 204 No Content + X-Auth-Token <token id> (header)
Can’t get username/password from the header or any other sanity check failures | 400 Bad Request
Maximum sessions reached | 503 Service Unavailable
Note: The maximum sessions per context is 25.
To delete a token: DELETE URL: /api/tokenservices/<token>
The request payload is empty and the user information should be in the basic authentication header. The response could be as follows.
Reason | HTTP Status Code
AAA validation failure / Invalid token | 401 Unauthorized
Success | 204 No Content
Can’t get username/password from the header or any other sanity check failures | 400 Bad Request
Notes:
The existing syslogs 605004 and 605005 will be used for creating and deleting a token.
Existing syslog 109033 will also be used for the case where “Challenge” is requested by the authentication server to
inform the user that it is “unsupported.”
When a REST API request is received, the ASA first checks for the 'X-Auth-Token' header; if it is not present, the ASA falls back to basic authentication.
The token authentication will not conform to the OAuth 2.0 specification.
The generated token database is held in memory on the ASA and is not replicated across a failover pair or cluster.
This means that if failover happens within a failover pair, or the cluster master device changes, authentication
needs to be performed again.
For a multi-context device, the token is received for the admin context, and it can be used for configuring any other context
as well.
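A client-side sketch of the token lifecycle described above, added here as an example (not Cisco code): it requests a token with Basic credentials, authenticates again once when a token is rejected with 401 (as after a failover, since tokens are not replicated), and deletes its token to free a session slot. The `send` transport, the `AsaTokenSession` and `FakeAsa` names, the POST to the token path, and the 401 reply to an unknown token on ordinary requests are assumptions of this sketch.

```python
import base64
TOKEN_PATH = "/api/tokenservices"  # assumed token service path for this sketch

class AsaTokenSession:
    def __init__(self, send, username, password):
        # send(method, path, headers) -> (status, headers): hypothetical transport
        self._send, self.token = send, None
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._basic = {"Authorization": "Basic " + cred}

    def login(self):
        status, headers = self._send("POST", TOKEN_PATH, self._basic)
        if status == 503:
            raise RuntimeError("maximum sessions reached; delete unused tokens")
        if status != 204 or "X-Auth-Token" not in headers:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = headers["X-Auth-Token"]

    def request(self, method, path):
        if self.token is None:
            self.login()
        status, headers = self._send(method, path, {"X-Auth-Token": self.token})
        if status == 401:  # token unknown, e.g. after failover: log in again once
            self.login()
            status, headers = self._send(method, path, {"X-Auth-Token": self.token})
        return status, headers

    def logout(self):  # DELETE carries Basic credentials and an empty payload
        status, _ = self._send("DELETE", f"{TOKEN_PATH}/{self.token}", self._basic)
        self.token = None
        return status

class FakeAsa:  # constructed in-memory stand-in for the appliance, not Cisco code
    def __init__(self):
        self.tokens, self.issued = set(), 0

    def send(self, method, path, headers):
        if method == "POST" and path == TOKEN_PATH:
            if len(self.tokens) >= 25:  # per-context session limit from the note
                return 503, {}
            self.issued += 1
            self.tokens.add(f"tok{self.issued}")
            return 204, {"X-Auth-Token": f"tok{self.issued}"}
        if method == "DELETE" and path.startswith(TOKEN_PATH + "/"):
            token = path[len(TOKEN_PATH) + 1:]
            status = 204 if token in self.tokens else 401
            self.tokens.discard(token)
            return status, {}
        return (200 if headers.get("X-Auth-Token") in self.tokens else 401), {}
```

Calling `logout()` when an automation run ends matters because a token that is never deleted keeps occupying one of the 25 sessions.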