Fortisiem Auth failure to API: "Access forbidden", "Wrong integration type for this API"

Hi,

We are trying to integrate FortiSIEM via API with DUO. Hoping someone has seen this error before and can help?

Getting auth failures: "Access forbidden", "message_detail": "Wrong integration type for this API".
Looked into response errors on DUO and they looked like below:

From documentation:
40301 Access forbidden
EXPLANATION: The ikey belongs to an application that does not have permission to access the requested feature. For example, using an Auth API ikey with Admin API URLs, attempting to modify users with an Admin API ikey whose permissions do not include “write resource”, calling an API that requires a different Duo edition, or calling an API or API method that is only enabled on request by Duo.
RESOLUTION: Ensure that you are using an ikey for the correct application type when signing API calls, and that the application has all the requisite permissions enabled in the Admin Panel. Contact Duo Support to enable a specific API or API method.

Our Administrator has amended on DUO side permissions
“Duo have enabled the Admin API it was disabled. This should work just fine now”

Still same response;

status_code: 403
reason: Forbidden
response header:
{‘Date’: ‘Thu, 01 Jul 2021 09:10:23 GMT’, ‘Content-Length’: ‘120’, ‘Content-Type’: ‘application/json’, ‘Connection’: ‘keep-alive’, ‘Server’: ‘Duo/1.0’}
response content:
{“code”: 40301, “message”: “Access forbidden”, “message_detail”: “Wrong integration type for this API.”, “stat”: “FAIL”}
delay: 0:00:00.144788
[root@fortisiemcoll3 tpm]#

Can anyone help please
thanks

regards Len

Hi @Len, can you share the call that you’re putting in when you get this response? If you addressed enabling the Admin API, I would look at the other two issues mentioned in that solution: Are you using an Auth API key with Admin API endpoints? Or do you have the proper write resource permissions granted?

The “wrong integration type for this API” message makes me think that it’s the former, an issue with the ikey you’re using. But I could be wrong! My API knowledge is extremely limited.

Amy,

Thanks for your reply. I have a TAC case with Fortinet for FortiSIEM and am also liaising with the administrator on our end who looks after DUO.

We have an API with integration key and secure password, and it should be right. When running the cred check or python script Fortinet asked me to use, get the failure messages above. Lee on our side has checked permissions and I've also asked Lee to check this link Knowledge Base | Duo Security and Knowledge Base | Duo Security

So checking permissions again, Lee has said Admin Api now enabled.
Not used this forum before, not sure what you mean by share.

regards Len

Thanks for updating us with that info, Len! By share, I meant could you reply here and post the API request you’re sending? It’s hard to tell what’s going on to cause this error without seeing the request you put in.

Amy,

From Fortisiem docs for DUO;
https://docs.fortinet.com/document/fortisiem/5.4.0/external-systems-configuration-guide/842801/cisco-duo#Configur

Configuring Cisco Duo

Follow these steps to configure Cisco Duo to send logs to FortiSIEM.

  1. Contact Cisco Duo support to enable the Admin API.
  2. Get a credential for Cisco Duo: open the Cisco Duo dashboard and go to Application > Admin API.
  3. Select the Integration key, Secret key, and API hostname options.

Got details
add details credentials in fortisiem
Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs.

Setting Value
Name Enter a name for the credential.
Device Type Cisco Duo Security
Access Protocol Cisco Duo Admin REST API
Pull Interval (minutes) 2
Integration Key Enter the integration key you obtained from Cisco Duo.
Secret Key Enter the secret key you obtained from Cisco Duo.
Description Enter an optional description for the credential.

add association and test connection and that's when we get failures

Could you test the authentication?

  • upload the ciscoDUOauthTest_v1.0.py file
  • modify skey, ikey values on line 9, 10 with your secret key and your integration key
  • transfer it on the super and the collector via scp
  • run the script on both CLI as root with command:

cd /dir_where_you_put_script

python ciscoDUOauthTest_v1.0.py

root@Fortisiemnb-p tpm]# python ciscoDUOauthTest_v1.0.py
request headers:
{‘Date’: ‘Fri, 25 Jun 2021 14:58:53 -0000’, ‘Content-Type’: ‘application/x-www-form-urlencoded’, ‘Authorization’: ‘Basic RElDNVU5VUJFQVhFOFVLQjkzQUQ6NTgwMjE3M■■■■■■■■■■■■■■■■■■■■TFhOTdlYjRkZTdhYjdlNGVhYg==’}
status_code: 403
reason: Forbidden
response header:
{‘Date’: ‘Fri, 25 Jun 2021 14:58:53 GMT’, ‘Content-Length’: ‘120’, ‘Content-Type’: ‘application/json’, ‘Connection’: ‘keep-alive’, ‘Server’: ‘Duo/1.0’}
response content:
{“code”: 40301, “message”: “Access forbidden”, “message_detail”: “Wrong integration type for this API.”, “stat”: “FAIL”}
delay: 0:00:00.112511
[root@Fortisiemnb-p tpm]#

Get connectivity test to api but not auth

Thanks Len

@Len, can you paste the contents of the ciscoDUOauthTest_v1.0.py script, removing your ikey, skey, and API host information? If we don’t see the contents of the script we have no way of knowing what API call you’re trying to make with the script.

1 Like
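
What a test script like the one discussed in this thread has to send, as an added example (not the Fortinet script and not code from any poster): request signing per Duo's documented HMAC-SHA1 scheme, plus a helper that strips the Authorization value before debug output is shared, since that value is only base64 and contains the ikey. The ikey, skey, host and parameter values are constructed placeholders.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse


def sign_request(method, host, path, params, ikey, skey, date=None):
    """Build the Date and Authorization headers for a Duo API call."""
    date = date or email.utils.formatdate()
    args = "&".join(
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(params[k], '~')}"
        for k in sorted(params)
    )
    # Canonical request: date, method, host, path, sorted url-encoded params.
    canon = "\n".join([date, method.upper(), host.lower(), path, args])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


def decode_basic(headers):
    """Show what the Authorization header reveals: (ikey, hex signature)."""
    token = headers["Authorization"].split(" ", 1)[1]
    ikey, sig = base64.b64decode(token).decode().split(":", 1)
    return ikey, sig


def redact_for_sharing(headers):
    """Return a copy of the headers that is safe to paste into a forum post."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Basic <redacted>"
    return safe


# Constructed placeholder credentials and host (not real values).
IKEY, SKEY = "DIXXXXXXXXXXXEXAMPLE", "s" * 40
HOST = "api-00000000.duosecurity.com"
DATE = "Fri, 25 Jun 2021 14:58:53 -0000"

if __name__ == "__main__":
    # The signature is computed the same way for any path; whether the ikey
    # may call an Admin API path is decided server-side by its application
    # type, which is what error 40301 reports.
    hdrs = sign_request("GET", HOST, "/admin/v1/logs/authentication",
                        {"mintime": "0"}, IKEY, SKEY, DATE)
    print("reveals ikey:", decode_basic(hdrs)[0])
    print("share this instead:", redact_for_sharing(hdrs))
```
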

Kristina,

Getting info from Fortinet.

thanks Len