Python Script Getting 401 Error from IOS XE RESTCONF
Presenting Symptom
A Python script using RESTCONF to configure an IOS XE device returns a 401 Unauthorized error.
Network Context
The network is an enterprise campus with a Cisco Catalyst 9300 running IOS XE 17.3 as the management device. The engineer is using a Python script with the requests library to automate configuration changes via RESTCONF. The script uses HTTPS and basic authentication.
Diagnostic Steps
Verify RESTCONF is enabled on the device
show restconf
RESTCONF is enabled on port 443
If RESTCONF is not enabled, the script cannot connect. Look for 'RESTCONF is enabled' in the output.
Check authentication credentials
show running-config | include username
username admin privilege 15 secret 5 $1$...
Ensure the username used in the script exists and has privilege 15. If not, the script will get a 401 error.
Verify HTTP authentication method
show running-config | include ip http authentication
ip http authentication local
The authentication method must be 'local' for local user authentication. If it's 'aaa' or something else, the script may fail.
Check if HTTPS is enabled
show running-config | include ip http secure-server
ip http secure-server
HTTPS must be enabled for RESTCONF. If missing, enable it with 'ip http secure-server'.
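The four checks above can also be run offline against saved command output. The Python below is an added example, not part of the original scenario; the function name audit_restconf_401 and the sample text are constructed for illustration, with the authentication line set to the value named under Root Cause.

```python
import re

# Constructed sample input modelled on this page's output; auth method set to 'aaa'.
SAMPLE_SHOW_RESTCONF = "RESTCONF is enabled on port 443"
SAMPLE_RUNNING_CONFIG = """\
username admin privilege 15 secret 5 $1$...
ip http authentication aaa
ip http secure-server
"""

def audit_restconf_401(show_restconf, running_config, script_user):
    """Return findings, in diagnostic-step order, that would explain a 401."""
    findings = []
    lines = [ln.strip() for ln in running_config.splitlines()]

    # Step 1: 'show restconf' must report that RESTCONF is enabled.
    if "RESTCONF is enabled" not in show_restconf:
        findings.append("RESTCONF is not enabled")

    # Step 2: the script's user must exist with privilege 15.
    # A username line without a 'privilege' keyword defaults to level 1.
    users = {}
    for ln in lines:
        m = re.match(r"username\s+(\S+)(.*)", ln)
        if m:
            priv = re.search(r"\sprivilege\s+(\d+)", m.group(2))
            users[m.group(1)] = int(priv.group(1)) if priv else users.get(m.group(1), 1)
    if script_user not in users:
        findings.append(f"user '{script_user}' is not configured")
    elif users[script_user] != 15:
        findings.append(f"user '{script_user}' has privilege {users[script_user]}, not 15")

    # Step 3: the HTTP authentication method must be 'local'.
    method = "unset"
    for ln in lines:
        m = re.match(r"ip http authentication\s+(\S+)", ln)
        if m:
            method = m.group(1)
    if method != "local":
        findings.append(f"ip http authentication is '{method}', expected 'local'")

    # Step 4: HTTPS must be on; a 'no ip http secure-server' line does not count.
    if "ip http secure-server" not in lines:
        findings.append("ip http secure-server is missing")
    return findings

if __name__ == "__main__":
    for finding in audit_restconf_401(SAMPLE_SHOW_RESTCONF, SAMPLE_RUNNING_CONFIG, "admin"):
        print("FINDING:", finding)
```

An empty list means none of the four checks explains the 401, which leaves the password the script sends as the remaining suspect.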
Root Cause
The Python script is using HTTP basic authentication but the device is configured with AAA authentication or the username/password is incorrect. In this case, the device has 'ip http authentication aaa' configured, which requires AAA authentication, not local user authentication.
Resolution
Verification
Run the Python script again. Expected output: HTTP 200 OK with the configuration applied. Also verify with 'show restconf' that RESTCONF is operational.
Prevention
1. Always verify the authentication method matches the script's authentication type.
2. Use HTTPS with strong passwords.
3. Test RESTCONF with a simple GET request before running automation scripts.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests understanding of RESTCONF and device management. Expect multiple-choice questions about RESTCONF requirements (HTTPS, authentication, port 443) or troubleshooting 401 errors. Key fact: RESTCONF requires HTTPS and local authentication by default.
Exam Tips
Remember that RESTCONF uses HTTPS (port 443) and requires 'ip http secure-server' and 'ip http authentication local'.
A 401 error typically indicates authentication failure; check username, password, and authentication method.
Know that 'ip http authentication local' is needed for local user authentication with RESTCONF.