Developer

 View Only
last person joined: yesterday 

Back to discussions
Expand all | Collapse all

become enable function in awx

This thread has been viewed 58 times

  • 1.  become enable function in awx

    Posted Jan 03, 2021 11:00 PM

    Hi i have been using ansible for month.  

    i am running a show run in a switch in production who as a radius authentication.

    aaa authentication num-attempts 5
    aaa authentication lockout-delay 300
    aaa authentication telnet login radius local
    aaa authentication telnet enable radius local
    aaa authentication web login radius local
    aaa authentication web enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local

    but when i run the play book 

    this error shows 

    error

    it seems like it can enter only the (> mode) not the ( # mode )

    how can i use the become enable function?



    ------------------------------
    james jordan caracas
    ------------------------------



  • 2.  RE: become enable function in awx

    EMPLOYEE
    Posted Jan 04, 2021 08:30 AM
    I would skip the enable process all together. If you are doing radius auth on ArubaOS Switch, like it seems in your case, add the command 'aaa authentication login privilege-mode' to your configuration and get admins into enable mode immediately after login.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message


  • 3.  RE: become enable function in awx

    Posted Feb 15, 2021 02:59 AM
    Hi Herman, 

    Thanks for the reply.

    I tried enabling 'aaa authentication login privilege-mode'. but when i tried to login my account is shows that  my account is invalid. i have read some manual saying that i need to edit the service-type on my radius server. 

    aaa authentication login privilege-mode

    When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server. The following table describes the applicableService-Type values and corresponding client access levels the switch allows upon authentication by the server.

    Service-type value

    Service-type Value Client access level

    Administrative-user

    		 6 manager
    NAS-prompt-user 7 operator

    Any other type

    		 Any value except 6 or 7 Access Denied


    I dont know where to get this data. is this something to do with the RADIUS Server Authentication with VSA

    Thank you.

    ------------------------------
    james jordan caracas
    ------------------------------

    Original Message


  • 4.  RE: become enable function in awx

    EMPLOYEE
    Posted Feb 15, 2021 06:47 AM
    In ClearPass it looks like:

    For a different RADIUS server, the attribute you need to return is the Service-Type attribute with a numeric value of 6 (which represents Admin-User).


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message


  • 5.  RE: become enable function in awx

    Posted Feb 18, 2021 12:58 AM
    Thank s for the reply again. do you know where can i get the VSAS  dictionary file for the Arubaos switches?

    ------------------------------
    james jordan caracas
    ------------------------------

    Original Message


  • 6.  RE: become enable function in awx
    Best Answer

    EMPLOYEE
    Posted Feb 18, 2021 05:20 AM
    Service-Type is an IETF standard attribute. As far as I know, RADIUS Dictionaries come with RADIUS servers and I have not really seen a standardized way to share those across products, and for the IETF Attributes, these are by default in most RADIUS products.

    What is the RADIUS server you are using?
    Which attributes are you looking for specifically?

    This is a partial export of the IETF dictionary from ClearPass, on the IETF:Service-Type Attribute (6):
            <Attribute profile="in out" type="Unsigned32" name="Service-Type" id="6">
          <ValidValues>
            <ValidValue enumOrdinal="1" value="Login-User"/>
            <ValidValue enumOrdinal="2" value="Framed-User"/>
            <ValidValue enumOrdinal="3" value="Callback-Login-User"/>
            <ValidValue enumOrdinal="4" value="Callback-Framed-User"/>
            <ValidValue enumOrdinal="5" value="Outbound-User"/>
            <ValidValue enumOrdinal="6" value="Administrative-User"/>
            <ValidValue enumOrdinal="7" value="NAS-Prompt-User"/>
            <ValidValue enumOrdinal="8" value="Authenticate-Only"/>
            <ValidValue enumOrdinal="9" value="Callback-NAS-Prompt"/>
            <ValidValue enumOrdinal="10" value="Call-Check"/>
            <ValidValue enumOrdinal="11" value="Callback-Administrative"/>
            <ValidValue enumOrdinal="12" value="Voice"/>
            <ValidValue enumOrdinal="103809026" value="Annex-Framed-Tunnel"/>
            <ValidValue enumOrdinal="14" value="Modem-Relay"/>
            <ValidValue enumOrdinal="13" value="Fax"/>
            <ValidValue enumOrdinal="16" value="IAPP-AP-Check"/>
            <ValidValue enumOrdinal="17" value="Authorize-Only"/>
            <ValidValue enumOrdinal="18" value="Framed-Management"/>
            <ValidValue enumOrdinal="103809025" value="Annex-Authorize-Only"/>
            <ValidValue enumOrdinal="25" value="EAPoUDP"/>
            <ValidValue enumOrdinal="15" value="IAPP-Register"/>
          </ValidValues>
        </Attribute>​

    If your RADIUS server does not have these attributes or values, you can use this information to add the attribute.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message


  • 7.  RE: become enable function in awx

    Posted Feb 18, 2021 09:21 AM
    That's a big Help Herman, thank you. im using clearbox for radius server. i will look in to it if there are these IETF Attributes

    ------------------------------
    james jordan caracas
    ------------------------------

    Original Message


  • 8.  RE: become enable function in awx

    Posted Oct 29, 2021 12:22 PM
    There is no other way to escalate privileges from AWX or ansible?
    The problem comes when you have a high number of switches and you have to configure the privilege-mode command manually


    Original Message


  • 9.  RE: become enable function in awx

    Posted Jan 04, 2021 01:24 PM
    Hello!

    Ansible uses what ever user is defined in the credentials to login. If that user doesn't have manager privileges than you'll first enter the prompt which is operator mode. If the user you login with does have manager permissions than prepending the command "enable" to the list of commands should work, unless it requests another password to be inputted.

    ------------------------------
    Tiffany Chiapuzio-Wong
    ------------------------------

    Original Message


  • 10.  RE: become enable function in awx

    Posted Feb 15, 2021 03:05 AM
    Hi Tiffany,

    Thank you for the reply.

    yes the user has a manager permission when SSH with the switch i use thesame account for enable. im using external radius to be authenticated. do you have any idea where can i get the Service-Type values dictionary of aruba so i can upload it to my radius server.

    Thank you.

    ------------------------------
    james jordan caracas
    ------------------------------

    Original Message


  • 11.  RE: become enable function in awx

    Posted Sep 19, 2022 01:03 PM

    I see this is a relatively old thread, but wanted to provide a more thorough response to the question regarding AWX specifically.

    In AWX privilege escalation is handled extremely easily through the credential itself. If using the appropriate credential type, you will have the option to add a privilege escalation method, username, and password. For network switches the method would be enable, and depending on what you are using for your escalated privilege authentication you may or may not have a username (for example we use TACACS for the enable password, so we just have to enter the privilege escalation method and password). Hit save. Run the job. AWX does its magic.

    Cheers.


    Original Message