Here is example of variables for a switch. You can add your password variable into each switch section and it can have it's own value as per switch.
"SG0XXXXXXX": {
"_sys_hostname": "sw-edge1",
"_sys_lan_mac": "xx:xx:xx:xx:xx:xx",
"_sys_serial": "SG0XXXXXXX",
"mgmt_vlan" : "3",
"mgmt_ip" : "10.1.3.x/24",
"mgmt_gw" : "10.1.3.1",
"vlan_ap" : "4",
"port_ap" : "1/1/2,1/1/10-1/1/12",
"vlan_ap_trunk_list" : "11-15"
}
}
------------------------------
Gorazd Kikelj
MVP Expert 2023
------------------------------
Original Message:
Sent: Feb 15, 2024 03:08 AM
From: GorazdKikelj
Subject: Passwords in CX Template Groups
Template variables are per Serial Numbers. Each serial number has it's own variable set. You can have separate password/secret for each switch. It's best practice to have passwords hashed so you won't use plain passwords in templates.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Feb 14, 2024 10:56 AM
From: victorcastro
Subject: Passwords in CX Template Groups
We use template groups exclusively for our distribution layer switches, I have a few questions regarding what people do with passwords/keys:
How do you manage multiple passwords in template variable files?
- I know if you name the variable field as password, it'll obfuscate the password in the central UI, but what if you would like to set more than one password in the template?
- Is there a way to define multiple passwords and have them obfuscated in the UI?
- Although, it's really not that secure when downloading the variable file the password is shown in plaintext.
What about TACACS/RADIUS/OSPF keys, how are you passing them in via variables? Do you avoid passing in plain text keys?
How are people managing password changes for devices that are provisioned via Templates?
I haven't had a chance to try this yet, but can you change the local/admin password of a switch via the central API? If so, does the variable file get updated with the changed password?
Any comments or advice is appreciated.