That seems a hard combination of requirements, especially that the user used for the config backup cannot become a manager, as access to the configuration requires manager privileges. And you can schedule a backup over tftp, unattended, but sftp requires a password.
I found this (external) thread where people discuss how they approach configuration backups for AOS-Switch. In general they use external tooling and/or break one or more of your requirements.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 22, 2023 05:35 PM
From: mark.bossert
Subject: backup config from aos-s 16.10
Good evening,
Currently I'm struggling to implement the backup of running-/startup-config from a pair of 3810M, running AOS-S 16.10.0005 and 16.10.0009.
The backup needs to fulfill the following requirements:
- it needs to happen over an encrypted channel (scp, sftp)
- it needs to happen without human interaction
- if it happens on a pull-basis, the user used for this process must not have the ability to become manager
- login via already existing user/password combinations must keep working
I tried setting up a job with transfer-schedule but was unable to convince the switch to log into the (linux) sftp-server with its public-key, which I procured via `show crypto host-public-key`.
`copy running-config sftp sftp@10.10.10.10 upload/running-config` just gives me "General error".
I also tried logging into the switch via pubkey authentication from the outside as oper, but couldn't convince the switch to let oper run `show running-config`, even via creating a group "config-reader" that is allowed to run the command and to which oper was assigned.
I'm open to suggestions.
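The pull-based "external tooling" route that the reply points to, as an added shell example; it is not part of this thread and not Aruba's own tooling. It assumes (none of this is stated on the page) a dedicated key-only SSH account on the switch whose public key is installed there and which is allowed to run `show running-config` (per the reply that means manager-level access, so the "must not be able to become manager" requirement is the one being traded away), that the switch executes a command passed on the SSH exec channel, and that the switch's host key is already in `known_hosts`. The host, user, key path and backup directory are placeholders. The storage function is separated from the fetch so that it can be exercised offline on constructed config text, and it refuses to overwrite a good copy with an empty or truncated pull.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven, pull-based AOS-S config backup.
# Placeholders, overridable via the environment:
SWITCH_HOST="${SWITCH_HOST:-10.10.10.1}"              # assumed switch address
SWITCH_USER="${SWITCH_USER:-backup}"                  # assumed key-only account
SSH_KEY="${SSH_KEY:-/etc/aos-backup/id_ed25519}"      # assumed private key path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/aos-s}"        # assumed destination

# fetch_running_config: run `show running-config` on the switch without any
# interaction. BatchMode=yes makes ssh fail instead of prompting for a
# password, so an unattended job can never hang; StrictHostKeyChecking=yes
# refuses unknown host keys instead of silently trusting whatever answers.
fetch_running_config() {
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -i "$SSH_KEY" "$SWITCH_USER@$SWITCH_HOST" 'show running-config'
}

# store_config DIR  (config text on stdin)
# Normalises line endings, drops an empty pull, and writes a timestamped copy
# only when the content differs from the most recent stored copy ("latest").
# Prints the path written, or "unchanged". Returns 2 on an empty pull.
store_config() {
    dir="$1"
    mkdir -p "$dir"
    tmp="$dir/.incoming.$$"
    # strip CRs from the terminal session and trailing whitespace
    tr -d '\r' | sed 's/[[:space:]]*$//' > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "empty pull, nothing stored" >&2
        return 2
    fi
    if [ -e "$dir/latest" ] && cmp -s "$tmp" "$dir/latest"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    out="$dir/running-config.$(date -u +%Y%m%dT%H%M%SZ)"
    n=0
    while [ -e "$out" ]; do            # avoid clobbering within one second
        n=$((n + 1)); out="$dir/running-config.$(date -u +%Y%m%dT%H%M%SZ).$n"
    done
    mv "$tmp" "$out"
    chmod 600 "$out"                   # the config contains credentials/hashes
    rm -f "$dir/latest"
    ln -s "$(basename "$out")" "$dir/latest"
    echo "$out"
}

run_backup() {
    fetch_running_config | store_config "$BACKUP_DIR"
}

# Invoke as: sh aos-backup.sh run   (e.g. from cron); sourcing it runs nothing.
if [ "${1:-}" = run ]; then
    run_backup
fi
```

The point of the `cmp` step is that a failed or partial pull never replaces a known-good copy, and that the directory only grows when the configuration actually changed, which also makes a diff between consecutive files a useful change record. If the switch does not accept a command on the exec channel, the fetch function is the only part that needs replacing (for instance by an expect-driven interactive session); the storage logic stays the same.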