Original Message:
Sent: Jun 27, 2024 02:24 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
web-management ssl
aaa server-group radius "SW-Radius" host 10.x.x.x
aaa authentication login privilege-mode
aaa authentication telnet login radius server-group "SW-Radius" local
aaa authentication telnet enable radius server-group "SW-Radius" local
aaa authentication web login radius server-group "SW-Radius" local
aaa authentication web enable radius server-group "SW-Radius" local
aaa authentication ssh login radius server-group "SW-Radius" local
aaa authentication ssh enable radius server-group "SW-Radius" local
aaa authentication rest login radius server-group "SW-Radius" local
aaa authentication rest enable radius server-group "SW-Radius" local
- all the same plus "web-management ssl"
(YA 16.11.0015 firmware - most of our Aruba OS devices run on YA).
I can login with ANSIBLE user to the console and got admin rights via SSH or the WEB
Self-signed certificate (2048 key)
REST Interface - Server Configuration
REST Interface : Enabled
REST Operational Status : Up
REST Session Idle Timeout : 600 seconds
HTTP Access : Enabled
HTTPS Access : Enabled
SSL Port : 443
-----------------------------------------------------------------------------------------------------------------------
ANSIBLE (same account as used for administration, same RADIUS group enablement) produces the same error below
fatal: [sw-LAB-2530-24G]: FAILED! => {"body": "{\"message\":\"Authentication failed.\"}", "changed": false, "connection": "close", "content-type": "application/json", "msg": "HTTP Error 400: Bad Request", "requestid": "", "server": "eHTTP v2.0", "status": 400, "transfer-encoding": "chunked", "url": "http://10.x.x.x:80/rest/v6.0/login-sessions"}
- with the following defined in
vars:
- ansible_httpapi_use_ssl: false
- ansible_httpapi_validate_certs: false
Every task got port: 80
Original Message:
Sent: Jun 26, 2024 07:59 AM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Hi Dimitri,
I used the following configuration:
hostname SWTEST
aruba-central disable
trunk 25-26 trk1 lacp
logging 10.X.X.X
logging facility local6
logging severity warning
logging notify running-config-change
radius-server host 10.X.X.X key XXXXX
radius-server timeout 2
radius-server retransmit 1
timesync sntp
sntp unicast
sntp server priority 1 10.X.X.X
time timezone 120
ip default-gateway 10.X.X.X
snmp-server community "public" unrestricted
snmp-server location "XXXX"
aaa server-group radius "RADIUS" host 10.X.X.X
aaa authentication login privilege-mode
aaa authentication web login peap-mschapv2 server-group "RADIUS" local
aaa authentication web enable peap-mschapv2 server-group "RADIUS" local
aaa authentication ssh login peap-mschapv2 server-group "RADIUS" local
aaa authentication ssh enable peap-mschapv2 server-group "RADIUS" local
aaa authentication rest login radius server-group "RADIUS" local
aaa authentication rest enable radius server-group "RADIUS" local
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-24
   untagged 27-28,Trk1
   no ip address
   exit
vlan 23
   name "MGMT"
   untagged 24
   tagged Trk1
   ip address 10.44.X.X 255.255.255.0
   exit
vlan 24
   name "LAN"
   untagged 1-22
   tagged Trk1
   no ip address
   exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCL: Powershell Module to use Aruba Central
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..
ACEP / ACMX #107 / ACDX #1281
Original Message:
Sent: Jun 24, 2024 02:42 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Can you please post your test switch configuration?
Our original intent was utilizing RESTAPI over ANSIBLE for OS CX with SSL certificates (which works), but resort to HTTP with Aruba OS (because RESTAPI on this OS is a problem to begin with, but we did not expect that it would never work at all - cannot even upload PEM certificates to Aruba OS)
It does NOT work for me on Aruba OS switches (any of them) - been a month me asking to provide RESTAPI enabled Aruba OS configuration
- Documentation examples are not helping.
- HTTP 400 Authorization errors no matter what I try
Original Message:
Sent: Jun 24, 2024 10:19 AM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
>So you are saying Aruba OS REST API does not work over HTTP (as documentation claims)
Works for me
>documentation says that self-signed certificates can be used for REST API - does this work?
Yes, you can use a self-signed certificate
Original Message:
Sent: Jun 21, 2024 05:03 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
So you are saying Aruba OS REST API does not work over HTTP (as documentation claims)
Speaking of the certificates (best practices?)
- does CX require per-node name PEM certificate
- does 1024-bit certificate (default) work or 2048-bit should replace it instead?
- documentation says that self-signed certificates can be used for REST API - does this work?
show web-management
Web Management - Server Configuration
HTTP Access : Enabled
HTTPS Access : Disabled
Idle Timeout : 600 seconds
Management URL : http://h17007.www1.hpe.com/device_help
Support URL : http://www.arubanetworks.com/products/networking/
User Interface : Improved
Original Message:
Sent: Jun 19, 2024 02:33 PM
From: Tiffany.Chiapuzio-Wong
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Hi @dlukinski! When enabling REST API for AOS-Switch you'll want to ensure a valid certificate is on the switch and you've enabled REST with the following commands and verify the output:
switch(config)# web-management ssl
switch(config)# rest-interface
If you have RADIUS or TACACS you'll want to use these commands as well, I believe Alexis already mentioned:
switch(config)# aaa authentication rest login radius local
switch(config)# aaa authentication rest enable radius local
Verify the output with "show web-management";
Aruba-2930M-24G-PoEP# show web-management
Web Management - Server Configuration
HTTP Access : Enabled
HTTPS Access : Enabled
SSL Port : 443
Idle Timeout : 600 seconds
Management URL : http://h17007.www1.hpe.com/device_help
Support URL : https://www.hpe.com/us/en/networking.html
User Interface : Improved
Listen Mode : both
------------------------------
Ti Chiapuzio-Wong (they/them)
HPE Aruba Networking
Original Message:
Sent: Jun 19, 2024 01:33 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Hi again, thank you for the feedback. The first task fails with the same error (meaning that ansible user does not have REST access). I initially asked how to Configure Aruba OS switches (where the problem seems to be):
fatal: [switch-NAME]: FAILED! => {"body": "{\"message\":\"Authentication failed.\"}", "changed": false, "connection": "close", "content-type": "application/json", "msg": "HTTP Error 400: Bad Request", "requestid": "", "server": "eHTTP v2.0", "status": 400, "transfer-encoding": "chunked", "url": "http://10.X.X.X:80/rest/v6.0/login-sessions"}
Original Message:
Sent: Jun 19, 2024 10:39 AM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Have you tried disabling HTTPS?
I don't have
aaa authorization rest-uri radius
in my configuration,
and I tried with the following playbook:
- hosts: all
  collections:
    - arubanetworks.aos_switch
  vars_prompt:
    - name: ansible_user
      prompt: What is your username?
      private: no
    - name: ansible_password
      prompt: What is your password?
  gather_facts: False
  tasks:
    - name: Create VLAN 200
      arubaoss_vlan:
        vlan_id: 300
        name: "vlan300"
        config: "create"
        command: config_vlan
        use_ssl: false
        port: 80
and the following inventory file:
all:
  hosts:
    aosswitch_1:
      ansible_host: 10.X.X.X
      ansible_connection: local
      ansible_network_os: arubanetworks.aos_switch.arubaoss
Original Message:
Sent: Jun 18, 2024 05:12 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
We've got no Swagger and Curl is not exactly always working (because Ansible does not either)
I no longer know what does not work.
- Switch Configuration (web interface works for ansible login, but shows authentication errors when RESTAPI connection is attempted; firmware version 16.11.0015/18; self-signed 1024 or 2048 certificate; REST interface enabled for HTTP only)
aaa server-group radius "MY-Radius"
aaa authorization rest-uri radius (per Aruba manual)
aaa authentication login privilege-mode (per Aruba manual)
aaa authentication rest login radius local (OR radius server-group "MY-Radius" local) - does not work either way
aaa authentication rest enable radius local ( OR radius server-group "MY-Radius" local) - does not work either way
2. ANSIBLE configurations:
2.1 Inventory file
ansible_host: 10.xx.xx.xxx
ansible_connection: local
ansible_network_os: arubanetworks.aos_switch.arubaoss
2.2 Playbook
vars:
  - ansible_connection: local
  - ansible_network_os: arubanetworks.aos_switch.arubaoss
  - ansible_command_timeout: 300
  - ansible_httpapi_use_ssl: true (OR false) - does not work either way
  - ansible_httpapi_validate_certs: false (OR true) - does not work either way
tasks:
  - name: Include Credentials
    include_vars:
      file: /path_to_file.yml (vault, works with non-REST playbooks)
  - name: Create VLAN 300
    arubaoss_vlan:
      vlan_id: 100
      name: "vlan100"
      config: "create"
      command: config_vlan
Original Message:
Sent: Jun 18, 2024 07:33 AM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Yes, it works for me.
What is your configuration on the switch? Does it work with curl or the PowerArubaSW module?
Original Message:
Sent: Jun 17, 2024 03:19 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
This brings me back to the original question: Does Aruba OS support RESTAPI for real and if so, what would be the correct configuration to confirm that?
Original Message:
Sent: Jun 13, 2024 03:04 PM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Like @herman says, try with
You can also check the web-management (show web-management)
and also use local and not network_cli
ansible_connection: local
ansible_network_os: arubanetworks.aos_switch.arubaoss
Original Message:
Sent: Jun 11, 2024 05:32 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Tried 16.11.0018 and this is the error message I am getting:
FAILED! => {"body": "<HTML><HEAD><TITLE>307 Temporary Redirect</TITLE></HEAD><BODY bgcolor=\"white\"><CENTER><H1>307 Temporary Redirect</H1></CENTER></BODY></HTML>", "changed": false, "connection": "close", "content-length": "140", "content-type": "text/html", "location": "https://10.xx.xx.xx/rest/v6.0/login-sessions", "msg": "HTTP Error 307: Temporary Redirect", "status": 307, "url": "http://10.xx.xx.xx:80/rest/v6.0/login-sessions"}
-----------------------------
How were your tests?
Does RESTAPI work on Aruba OS for real?
What are the correct configurations for it?
Original Message:
Sent: May 30, 2024 02:10 AM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Can you try 16.11.0018?
I will try to check today with 2530 and RADIUS.
Original Message:
Sent: May 29, 2024 03:43 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Tried on 16.11.0011 and 0015
Original Message:
Sent: May 29, 2024 03:09 PM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
What minor release are you using for 16.11?
Your configuration is already good, there is already this:
aaa authentication rest login radius server-group "SW-Radius" local
aaa authentication rest enable radius server-group "SW-Radius" local
Original Message:
Sent: May 29, 2024 11:08 AM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
We are trying to make it RADIUS (or TACACS? - seen some threads that REST over RADIUS has troubles with Aruba OS)
What is the best practice for Aruba OS 16.11 (16.08+)?
Original Message:
Sent: May 27, 2024 09:38 AM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Is ansible a local user or remote (RADIUS?)
Original Message:
Sent: May 27, 2024 09:35 AM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
What I have tried to figure (please look at the original message), is why RESTapi does NOT process logins. Any logins (not just ansible)
- Http
Invalid user name/password on the REST session; the user 'ansible' is trying to login from the Switch WEB GUI
any user that can login to HTTP, cannot login to RESTAPI (the very same ansible user produces HTTP 400 bad request&failed authentication via ansible, but logs in to GUI)
so the question is what am I missing in the Aruba OS 16.11.xxxx switch config?
Original Message:
Sent: May 27, 2024 04:17 AM
From: alagoutte
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Looks good...
What do you have in /home/ansible/secret/credentials-ansible.yml?
Have you tried with curl?
Original Message:
Sent: May 24, 2024 12:39 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Here is my playbook:
---
- hosts: all
  gather_facts: false
  collections:
    - arubanetworks.aos_switch
  vars:
    - ansible_connection: network_cli
    - ansible_network_os: arubanetworks.aos_switch.arubaoss
    - ansible_command_timeout: 300
    - ansible_httpapi_use_ssl: false
    - ansible_httpapi_validate_certs: false
  tasks:
    - name: Include Credentials
      include_vars:
        file: /home/ansible/secret/credentials-ansible.yml
      no_log: true
    - name: Create VLAN 300
      arubaoss_vlan:
        vlan_id: 300
        name: "vlan300"
        config: "create"
        command: config_vlan
    - name: Update vlan 300 with ipv4 address
      arubaoss_vlan:
        vlan_id: 300
        config: "create"
        command: config_vlan_ipaddress
        vlan_ip_address: "10.20.30.40"
        vlan_ip_mask: "255.255.255.0"
    - name: Delete vlan 300 ipv4 address
      arubaoss_vlan:
        vlan_id: 300
        config: "delete"
        command: config_vlan_ipaddress
        vlan_ip_address: "10.20.30.40"
        vlan_ip_mask: "255.255.255.0"
    - name: update vlan 300 with dhcp helper address
      arubaoss_vlan:
        vlan_id: 300
        config: "create"
        command: config_vlan_dhcpHelperAddress
        helper_addresses: "10.10.10.100"
Original Message:
Sent: 5/24/2024 7:53:00 AM
From: alagoutte
Subject: RE: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Hi,
What is your playbook configuration?
If you try with curl (or PowerArubaSW ;-)), does it work?
For a curl example you can look at: https://networkingsupport.hpe.com/downloads/documents/RmlsZTo5OTBmZmUwZS03YjE3LTExZWQtYTcwNS1jMzc4NjBkYWVhMDY%3D
Original Message:
Sent: May 23, 2024 05:41 PM
From: dlukinski
Subject: How to get REST API operational on Aruba OS 16.11 Switches (2530/2930)?
Trying to enable REST api for ANSIBLE logins by following 16.11 OS Guide, but having no success whatsoever:
FAILED! => {"body": "{\"message\":\"Authentication failed.\"}", "changed": false, "connection": "close", "content-type": "application/json", "msg": "HTTP Error 400: Bad Request", "requestid": "", "server": "eHTTP v2.0", "status": 400, "transfer-encoding": "chunked", "url": "http://xx.xx.xx.xx:80/rest/v6.0/login-sessions"}
or
Http
Invalid user name/password on the REST session; the user 'ansible' is trying to login from the Switch WEB GUI
--------------------------------------------------------------------------------------------------------------------------------------------------------
aaa server-group radius "SW-Radius" host xx.xx.xx.xx
aaa accounting exec start-stop radius
aaa accounting system stop-only radius
aaa authentication rest login radius server-group "SW-Radius" local
aaa authentication rest enable radius server-group "SW-Radius" local
-----------------------------------------------------------------------------------------------
rest-interface is enabled for HTTP/80
What is the right configuration for Aruba OS 16.11 and up?
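Added example, not part of the thread and not code from HPE Aruba or the Ansible collection: a Python triage of the two failure payloads quoted in this thread (HTTP 400 "Authentication failed." and HTTP 307 redirect to HTTPS), which also flags a login request sent over plain HTTP. The sample lines are constructed, trimmed copies of those errors with a documentation address (192.0.2.10), and the finding names are this example's own.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed samples: trimmed copies of the two errors quoted in the thread,
# with the switch address replaced by a documentation address.
SAMPLE_400 = r'''fatal: [sw]: FAILED! => {"body": "{\"message\":\"Authentication failed.\"}", "msg": "HTTP Error 400: Bad Request", "status": 400, "url": "http://192.0.2.10:80/rest/v6.0/login-sessions"}'''
SAMPLE_307 = r'''FAILED! => {"location": "https://192.0.2.10/rest/v6.0/login-sessions", "msg": "HTTP Error 307: Temporary Redirect", "status": 307, "url": "http://192.0.2.10:80/rest/v6.0/login-sessions"}'''

FAILED_RE = re.compile(r"FAILED! => (\{.*\})\s*$")

# Finding names are hypothetical labels used only by this example.
ADVICE = {
    "CLEARTEXT_LOGIN": "login-sessions was requested over http://, so the "
                       "username and password crossed the network unencrypted",
    "HTTPS_REDIRECT": "the switch redirected the HTTP request to HTTPS; the "
                      "client has to connect over SSL instead of port 80",
    "REST_AUTH_REJECTED": "the REST server answered and rejected the login; "
                          "check the 'aaa authentication rest' lines and what "
                          "the RADIUS server logged for this user",
}

def parse_failure(line):
    """Extract the JSON result dict from an Ansible 'FAILED! =>' line."""
    match = FAILED_RE.search(line)
    if match is None:
        return None
    try:
        result = json.loads(match.group(1))
    except ValueError:
        return None
    return result if isinstance(result, dict) else None

def triage(line):
    """Return the list of finding names that apply to one failure line."""
    result = parse_failure(line)
    if result is None:
        return []
    findings = []
    url = urlsplit(result.get("url", ""))
    status = result.get("status")
    if url.scheme == "http" and url.path.endswith("/login-sessions"):
        findings.append("CLEARTEXT_LOGIN")
    if status in (301, 302, 307, 308):
        if urlsplit(result.get("location", "")).scheme == "https":
            findings.append("HTTPS_REDIRECT")
    if status == 400:
        try:
            body = json.loads(result.get("body", ""))
        except ValueError:
            body = None  # body was HTML or empty, not the REST JSON error
        if isinstance(body, dict) and body.get("message") == "Authentication failed.":
            findings.append("REST_AUTH_REJECTED")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_400, SAMPLE_307):
        for name in triage(sample):
            print(f"{name}: {ADVICE[name]}")
```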