home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Error setting up platform legacy - Cisco mobility Express #25183

Closed haffi78 closed 5 years ago

haffi78 commented 5 years ago

Home Assistant release with the issue:

version | 0.95.4

First time use for me.

Operating environment (Hass.io/Docker/Windows/etc.):

Hassio running in Virtual

Component/platform:

https://www.home-assistant.io/components/cisco_mobility_express/

Description of problem:

Mobility express does not work, Using version 8.8.120.0 on Mobility express

Failed to authenticate with Cisco Mobility Express controller, check your username and password,

I have tried using SSL and not, also Verify SSL and not, set up a new user on the Cisco and no different.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

```yaml
- platform: cisco_mobility_express
  host: 192.168.10.22
  username: admin
  password: xxxxxx
  ssl: false
  verify_ssl: false
```

Traceback (if applicable):

Log Details (ERROR)
Tue Jul 16 2019 14:30:05 GMT+0000 (GMT)

Error setting up platform legacy
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/device_tracker/setup.py", line 69, in async_setup_legacy
    self.platform.get_scanner, hass, {DOMAIN: self.config})
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/cisco_mobility_express/device_tracker.py", line 36, in get_scanner
    config.get(CONF_VERIFY_SSL))
  File "/usr/local/lib/python3.7/site-packages/ciscomobilityexpress/ciscome.py", line 38, in __init__
    self.get_system_info()
  File "/usr/local/lib/python3.7/site-packages/ciscomobilityexpress/ciscome.py", line 43, in get_system_info
    json_data = self._call_api(url)
  File "/usr/local/lib/python3.7/site-packages/ciscomobilityexpress/ciscome.py", line 90, in _call_api
    raise CiscoMELoginError("Failed to authenticate "
ciscomobilityexpress.exceptions.CiscoMELoginError: Failed to authenticate with Cisco Mobility Express controller, check your username and password.
Connection lost. Reconnecting…

Additional information:

ghost commented 5 years ago

Hey there @fbradyirl, mind taking a look at this issue as it's been labeled with an integration (cisco_mobility_express) you are listed as a codeowner for? Thanks!

This is an automatic comment generated by codeowners-mention to help ensure issues and pull requests are seen by the right people.

fbradyirl commented 5 years ago

@haffi78 You are receiving a 401 from the controller which triggers that log message.

https://github.com/fbradyirl/ciscomobilityexpress/blob/cbb41c8e3b983f76001410a18c6b4f4880e964a5/ciscomobilityexpress/ciscome.py#L89

Can you check the username and password?

fbradyirl commented 5 years ago

@haffi78 in your case, it is the system info request which is failing.

Can you try loading this URL in a browser and enter the same credentials?

http://<controller_ip>/data/system_information.html

haffi78 commented 5 years ago

It returns

{"sysname":"B28","sysname_tooltip":"B28","prodid":"AIR-AP1832I-E-K9","platform":"Cisco Aironet 1830 Series Mobility Express","platform_tooltip":"Cisco Aironet 1830 Series Mobility Express","serial":"KWC231605C5","version":"8.8.120.0","eversion":"","uptime":[1,0,32,47],"time":"Wed Jul 17 17:57:50 2019 ","timezone_tooltip":"","timezone":"","redund":"N/A","country":"IS - Iceland","country_tooltip":"IS - Iceland","ipaddr":"192.168.10.22","memory":"58%","apinuse":0,"apinst":0,"apmax":50,"a_clients":10,"b_clients":11,"activeAPCount":7,"wlanCount":2}

haffi78 commented 5 years ago

I could only get 401 by canceling the auth window. If I enter wrong credentials, it just reprompts.

here is the code for cancel.

401 Unauthorized<script language="javascript">var agt=navigator.userAgent.toLowerCase();if (agt.indexOf("msie") != -1) {document.execCommand("ClearAuthenticationCache");top.location = "/";}</script>

fbradyirl commented 5 years ago

Interesting. So if it is basic auth then the login should work fine for you.

Only thing I can think of is either an RBAC issue in the new firmware or perhaps some issue encoding any special chars in the username or password.

Any chance you could try a user which has a simple password with no special chars?

haffi78 commented 5 years ago

No special character, pass is just password

fbradyirl commented 5 years ago

Could you send me the full log? Debug if possible.

I’m not sure where to go with this as you can see I am using the standard Python requests lib with simple basic auth.

https://github.com/fbradyirl/ciscomobilityexpress/blob/cbb41c8e3b983f76001410a18c6b4f4880e964a5/ciscomobilityexpress/ciscome.py#L82

haffi78 commented 5 years ago

Not sure which log? And how to get them? HA? Or Cisco?

fbradyirl commented 5 years ago

I meant the Home Assistant log if possible although the ME log would be useful also if we could see it.

fbradyirl commented 5 years ago

Also. What is the URL you used in the browser? Are you using https? If so, self signed certs?

haffi78 commented 5 years ago

not much more to see in the HA log.

2019-07-18 10:04:19 INFO (SyncWorker_6) [homeassistant.loader] Loaded cisco_mobility_express from homeassistant.components.cisco_mobility_express
2019-07-18 10:04:19 INFO (SyncWorker_4) [ciscomobilityexpress.ciscome] _call_api : http://192.168.10.22/data/system_information.html

2019-07-18 10:04:19 ERROR (MainThread) [homeassistant.components.device_tracker] Error setting up platform legacy
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/device_tracker/setup.py", line 69, in async_setup_legacy
    self.platform.get_scanner, hass, {DOMAIN: self.config})
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/cisco_mobility_express/device_tracker.py", line 36, in get_scanner
    config.get(CONF_VERIFY_SSL))
  File "/usr/local/lib/python3.7/site-packages/ciscomobilityexpress/ciscome.py", line 38, in __init__
    self.get_system_info()
  File "/usr/local/lib/python3.7/site-packages/ciscomobilityexpress/ciscome.py", line 43, in get_system_info
    json_data = self._call_api(url)
  File "/usr/local/lib/python3.7/site-packages/ciscomobilityexpress/ciscome.py", line 90, in _call_api
    raise CiscoMELoginError("Failed to authenticate "
ciscomobilityexpress.exceptions.CiscoMELoginError: Failed to authenticate with Cisco Mobility Express controller, check your username and password.

haffi78 commented 5 years ago

Cisco mobility express is setup with https and http, and selfsigned,

I tried disabling http and or https, no changes, I always use "verify_ssl: false"

Which debug do you want from the ME ?

haffi78 commented 5 years ago

```
Web Mode.................................... Enable
Secure Web Mode............................. Disable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode SSL Protocol................ Disable
```

is the way its setup now, so no SSL ( i.e. no HTTPS )

haffi78 commented 5 years ago

might this be related ?

https://208.74.205.244/t5/automation-and-analytics/resolved-yet-another-401-error-from-prime-rest-api/m-p/3575676

fbradyirl commented 5 years ago

```
Web Mode.................................... Enable
Secure Web Mode............................. Disable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode SSL Protocol................ Disable
```

is the way its setup now, so no SSL ( i.e. no HTTPS )

So since you made this change, did you restart the controller? And is there any change in the HA log or do you get the exact same error?

haffi78 commented 5 years ago

No restart, but confirmed with browser that http works and not https.

No change in logs which is strange.

haffi78 commented 5 years ago

Just rebooted cisco ME, no change

fbradyirl commented 5 years ago

@haffi78 if you have python3 installed locally on the same network, could you try running these commands and let me know what is the output.

(if you don't like doing this on your PC, you could run the commands in Docker if you have that installed, e.g. docker run -it python:3 bash)

Now run:

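```python
import requests

# Placeholders: substitute the controller's real credentials
username = "cme_username"
password = "cme_password"
url = "http://192.168.10.22/data/system_information.html"

# A Session keeps cookies between requests
session = requests.Session()
response = session.get(url, auth=(username, password), verify=False)

# In the interactive interpreter these two expressions echo their values
response.status_code
response.text
```

fbradyirl commented 5 years ago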

Also, the recommended supported version on the Cisco downloads page is 8.5.140.0.

I have found that the latest releases can be buggy in lots of ways, which could explain the issue you are having.

On my own setup I am running 8.5.135.0 and would be apprehensive to install the 8.8.X releases just yet.

haffi78 commented 5 years ago

This is the result,

I am running the 8.8 train cause of lots of features I need.

>>> response.status_code
401
>>> response.text
'401 Unauthorized<script language="javascript">var agt=navigator.userAgent.toLowerCase();if (agt.indexOf("msie") != -1) {document.execCommand("ClearAuthenticationCache");top.location = "/";}</script>\r\n'
>>>
>>>

fbradyirl commented 5 years ago

This is the result,

I am running the 8.8 train cause of lots of features I need.

>>> response.status_code
401
>>> response.text
'401 Unauthorized<script language="javascript">var agt=navigator.userAgent.toLowerCase();if (agt.indexOf("msie") != -1) {document.execCommand("ClearAuthenticationCache");top.location = "/";}</script>\r\n'
>>>
>>>

Ok thanks. That confirms that there is nothing I can do in my code for this as the pure python requests get the same error. I think you should log a bug on Cisco for this one and hope they push a fix.

haffi78 commented 5 years ago

This was the answer from tac...

_

As I understand from the problem description that you are facing issues with logging in 1830 ME using python. Please feel free to correct me if I am wrong.

Kindly note that python script is not supported by cisco and it is out of TAC scope. On the other hand, we can confirm whether accessing the WLC via HTTP without using a script is working or not.

Are you able to access the WLC if you enter the following username "cme_username" and password "cme_password" manually on the WLC without using a script?

This feature is not supported by cisco. Hence there’s no bug regarding this.

To set the right expectation, I am a wireless engineer and python script is out of TAC scope.

_

haffi78 commented 5 years ago

Just downgraded to 8.5.151.0

Still no go....

Can you send your relevant config on the Cisco side?

haffi78 commented 5 years ago

Here are two packet captures, one using the python above , another using firefox ( same client machine )

Archive.zip

haffi78 commented 5 years ago

After analysing the communications, it seems that it is required to create an initial session(GET request) and get the sessionID cookie (Set-Cookie header) and add that to the header and then send another GET request with both the authorization header and the cookie header.

So in the second HTTP GET request we had the following headers: { 'Authorization': 'Basic aGE6UGFzc3dvcmQuMTIz', 'Cookie': 'sessionId=tcxq88d9cdiU6BABPBoNHRZWGsUrhii'}

haffi78 commented 5 years ago

Here is the code we used to test this.

```
>>> import requests
>>> url = 'http://192.168.10.22/data/system_information.html'
>>> session = requests.session()
>>> response = session.get(url)
>>> print(response.headers)
{'Date': 'Wed, 07 Aug 2019 14:17:41 GMT', 'Connection': 'close', 'WWW-Authenticate': 'Basic realm="Cisco Controller"', 'Set-Cookie': 'sessionId=Sk0BJYp1UzZKAIRNmGI80U83DAIBK3r;PATH=/;HttpOnly', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'}
>>> headers = {
... 'Authorization': 'Basic aGE6UGFzc3dvcmQuMTIz',
... 'Cookie': 'sessionId=Sk0BJYp1UzZKAIRNmGI80U83DAIBK3r'
... }
>>> print(response)
<Response [401]>
>>> response = session.get(url, headers=headers)
>>> print(response)
<Response [401]>
>>> print(response.headers)
{'Date': 'Wed, 07 Aug 2019 14:18:55 GMT', 'Connection': 'close', 'WWW-Authenticate': 'Basic realm="Cisco Controller"', 'Set-Cookie': 'sessionId=08f3bEEhZFGKYU0y8dNyCuvbEWQy7FY;PATH=/;HttpOnly', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'}
>>> headers['Cookie'] = 'sessionId=08f3bEEhZFGKYU0y8dNyCuvbEWQy7FY'
>>> response = session.get(url, headers=headers)
>>> print(response)
<Response [200]>
```

haffi78 commented 5 years ago

or a shorter version that also works....

```
Type "help", "copyright", "credits" or "license" for more information.
>>> url = 'http://192.168.10.22/data/system_information.html'
>>> headers = {
... 'Authorization': 'Basic aGE6UGFzc3dvcmQuMTIz'
... }
>>> import requests
>>> session = requests.session()
>>> response = session.get(url, headers=headers)
>>> print(response)
<Response [401]>
>>> response = session.get(url, headers=headers)
>>> print(response)
<Response [200]>
```

fbradyirl commented 5 years ago

Ok cool good work.

So I am using requests.session which already re-cycles cookies. Looks like if I add a second retry on 401 then we might be in luck.
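
The retry discussed in the comment above, as an added example that is not part of this thread or of the ciscomobilityexpress library: a client that repeats a 401'd request once with the cookie it was just handed, run against a constructed local mock. It uses the standard library's urllib rather than requests so it runs without third-party packages. The mock's rule (a sessionId is honoured only if it was issued in reply to a request carrying valid credentials) is an assumption chosen to match both transcripts above, and `demo_user`/`demo_pass`, `MockController`, `fetch_with_session_retry` and `run_demo` are hypothetical names.

```python
import base64, json, secrets, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption (constructed model): a sessionId works only if it was issued
# in reply to a request that already carried valid Basic credentials.
BOUND = set()
GOOD = "Basic " + base64.b64encode(b"demo_user:demo_pass").decode()  # constructed account

class MockController(BaseHTTPRequestHandler):
    def do_GET(self):
        sid = self.headers.get("Cookie", "").partition("sessionId=")[2].split(";")[0]
        authed = self.headers.get("Authorization") == GOOD
        if authed and sid in BOUND:
            status, body = 200, json.dumps({"version": "constructed"}).encode()
        else:
            status, body, sid = 401, b"401 Unauthorized", secrets.token_hex(16)
            if authed:
                BOUND.add(sid)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Cisco Controller"')
            self.send_header("Set-Cookie", f"sessionId={sid};PATH=/;HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch_with_session_retry(url, username, password, max_attempts=2):
    """GET with Basic auth; repeat once on 401 so the cookie from the first reply is sent."""
    opener = urllib.request.build_opener(  # no proxies; the processor keeps its own cookie jar
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor())
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    statuses = []
    for _ in range(max_attempts):  # bounded: wrong credentials must still fail
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with opener.open(req, timeout=5) as resp:
                statuses.append(resp.status)
                return statuses, json.loads(resp.read())
        except urllib.error.HTTPError as err:
            statuses.append(err.code)
            err.close()
            if err.code != 401:
                raise
    return statuses, None  # still 401 after the retry: report an authentication failure

def run_demo(username="demo_user", password="demo_pass"):
    with HTTPServer(("127.0.0.1", 0), MockController) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/data/system_information.html"
        try:
            return fetch_with_session_retry(url, username, password)
        finally:
            server.shutdown()
```

Capping the attempts at two keeps a genuinely wrong password from turning into repeated login attempts against the controller, and the returned status list shows whether a 401 was the expected first reply or the final result.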

haffi78 commented 5 years ago

I upgraded to newest 8.8 version and get success also there, on the test :) , so looking forward for an update! :)

fbradyirl commented 5 years ago

PR is now open on HA with the fix.

haffi78 commented 5 years ago

First test shows that this is still broken, I'm getting more debug info.

haffi78 commented 5 years ago

this is the error,

Got 401 from http://192.168.10.22/data/system_information.html: 401 Unauthorized

however I think this might just be the first 401 error that we initially get; investigating further.

fbradyirl commented 5 years ago

Can you post the full output?

fbradyirl commented 5 years ago

HA log I mean.

haffi78 commented 5 years ago

All is working, error is just cosmetic :)

fbradyirl commented 5 years ago

I think the words you’re looking for is “thank you” 😜

haffi78 commented 5 years ago

Yes yes ! Ofc , many thanks!

kzoran commented 5 years ago

Hi, just wanted to share that I am still seeing the 401 error, but it's working fine

fbradyirl commented 3 years ago

@haffi78 I am seeing this error again on my system now. I cannot even get in using the web interface any more. It prompts me for the username and password and then gives me a blank screen.

In Postman I see this on first request:

image

and then on the next request a socket hangup:

image

Could you tell me what version of ME you are running and also paste in the results of show network summary on the CLI please?

haffi78 commented 3 years ago

Hi, I no longer run ME, just have full WLC; however, that works fine. I noted that the app Cisco Wireless for iOS also needs to discover login twice: first it says it cannot connect, then if you just try again it works.

haffi78 commented 3 years ago

Here is info on the controller image

fbradyirl commented 3 years ago

Thanks @haffi78 for the info!