Developer

Crossposting from the github on the off chance others have solved this, since there seems to be very little activity from the developers there.

We're trying to automate config backups nightly for an aruba switch stack (currently one, we're planning to replace existing brocades with these and want a solution in place before we do so).

Model/OS Version:
Product: Aruba JL322
Name: Aruba 2930M-48G-PoE+ Switch
Date: Nov 1 2019 19:24:11
Build: 208
Version: WC.16.10.0002

We have the following in the hosts:

[aruba-sitecode]
HOSTNAME ansible_host=#.#.#.# ansible_network_os=aruba ansible_connection=local

[aruba-blr:vars]
ansible_user=serviceaccount
ansible_pass=password
ansible_command_timeout=80

And this playbook:

• hosts: aruba-sitecode
  gather_facts: false

  vars:
  date: "{{ lookup('pipe', 'date +%Y%m%d') }}"
  filename: "running_config_{{ inventory_hostname }}_{{date}}.txt"

  tasks:

  • name: show run
    arubaoss_config_bkup:
    config_type: CT_RUNNING_CONFIG
    server_type: ST_TFTP
    server_ip: #.#.#.#
    file_name: "{{filename}}"
    use_ssl: True
    user_name: "{{ ansible_user }}"
    password: "{{ ansible_pass }}"

We are able to authenticate against the api with curl/postman and get a cookie. When we attempt to run the playbook we get the following failure:

fatal: [HOSTNAME]: FAILED! => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"body": "<TITLE>400 Bad Request</TITLE>

Bad Request

Access is unauthorized.

",
"changed": false,
"connection": "close",
"content-length": "89",
"content-type": "text/html",
"invocation": {
"module_args": {
"api_version": "v7.0",
"config_type": "CT_RUNNING_CONFIG",
"file_name": "running_config_BLR-ARUBASTACK-01_20200102.txt",
"forced_reboot": null,
"host": "#.#.#.#",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"port": 443,
"provider": {
"api_version": null,
"host": "#.#.#.#",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"port": 443,
"ssh_keyfile": null,
"timeout": 30,
"transport": "aossapi",
"use_proxy": false,
"use_ssl": true,
"username": "serviceaccount",
"validate_certs": false
},
"recovery_mode": null,
"server_ip": "TFTPSERVERIP",
"server_name": null,
"server_passwd": null,
"server_type": "ST_TFTP",
"sftp_port": 22,
"ssh_keyfile": null,
"state": "create",
"timeout": 30,
"use_ssl": true,
"user_name": "serviceaccount",
"username": "serviceaccount",
"validate_certs": false,
"wait_for_apply": true
}
},
"msg": "HTTP Error 400: Bad Request",
"server": "eHTTP v2.0",
"status": 400,
"url": "https://#.#.#.#:443/rest/v7.0/system/config/cfg_backup_files"
}

We have the following questions:

Is there something obviously wrong with the playbook or am I omitting a setting? The only things I've been able to find on the airheads community are either people complaining about a lack of depth for the api and ansible documentation.

Do we need to specify an api version? If I specify nothing I receive:
None is not valid api version. using aossapi v6.0 instead
if I specify 6.0(or 6, or 7.0) I receive:
6.0 is not valid api version. using aossapi v6.0 instead
And the output has a v7.0 uri.

Are we able to specify an SSL port? We would like the web interface port configured 8443 but as far as I can tell there isn't a way to feed it a port.

Last, is there a better way to get a running config locally to our ansible system? Its much easier on our arista, brocade, and cisco devices as we can just run show run and drop the output to file.

Hi @jheman!

Looking at your sample inventory, it appears you're setting the ansible_network_os to be aruba when it should be arubaoss , you can see an example inventory for an AOS-Switch device here.  That is most likely the culprit for your 400 error.

In regards to your questions:

• Do we need to specify an api version? 
  • No you do not need to specify an API version, our modules will get the latest supported API version for you.
• Are we able to specify an SSL port? 
  • At this time our modules use port 443 and there is no option to pass in a specific port. If you wish to have this functionality as an enhancement please submit an enhancement issue on our Github! 
• Last, is there a better way to get a running config locally to our ansible system?
  • Using the arubaoss_config_bkup module is the recommended way to retrieve the running configuration, you can copy the config to an HTTPS server or an TFTP server. If you wish to use SSH to execute a 'show run' CLI command and save it to a file, you can also use our AOS-Switch SSH CLI module provided on our Ansible Switching Workflows Github.

We're constantly looking to improve our modules and make them better! Please feel free to submit any issues or enhancement requests on our Github!

Let me know if changing the network OS resolves your issue or not!

Ooooh good catch. I neglected to change that when I moved from trying to leverage the aruba_command module to this one.

After changing the os to arubaoss the behavior remains unchanged. I receive the same error output from the playbook:

"body": "<HTML><TITLE>400 Bad Request</TITLE><H1>Bad Request</H1>Access is unauthorized.<P></HTML>",

I have aaa authorization rest-uri none, which looks like it should permit unauthorized use of the api. I can set it to aaa authorization rest-uri radius, but will need to specify the uri values in our windows nps server. Is there a way to validate what the vendor ID is for ArubaOS 16.10? The API guide includes what the vendor specific attributes are, but not the vendor ID and windows requires that. this thread specifies the command:

show aaa radius-attributes | include Aruba,Value

but that is not valid on this switch/OS version. If I change it to aaa authorization rest-uri radius without that  populated the output from the playbook changes to

"body": "{\"message\":\"Authentication failed.\"}", and when I run the curl command suggested in the API documentation I likewise receive authentication failed.

Hi jheman,

The error coming from wrong settings for API authorization ?

We've verified this isn't an Ansible issue but more an environement authentication issue that the user will work on resolving with the support team: https://github.com/aruba/aruba-ansible-modules/issues/76

Yes, apologies. The website appeared down this morning.

Thanks for your help, I'm currently working with someone in HPE support to diagnose.