Wired Intelligent Edge


Automatic config downloads

  • 1.  Automatic config downloads

    Posted Feb 04, 2019 09:01 AM

    Hi,

     

    We're currently deploying Aruba 2930F switches in our access network in replacement of our old Ciscos.

     

    We have an automated procedure to grab configuration off all network devices, compare them with yesterday's versions and send the diffs to relevant people. This is done over SSH with public-key authentication to avoid using passwords.

     

    Problem is, ArubaOS doesn't support public-key authentication when AAA is configured for TACACS, which we need to be able to login.

     

    Anybody here doing something similar and wanting to share? I know we can do this with Airwave, but we're not sure we're going to use that platform at the moment (being quite new to the Aruba series of products).

     

     

    Lars



  • 2.  RE: Automatic config downloads

    MVP GURU
    Posted Feb 07, 2019 07:31 AM

    @ljorg wrote:

    Hi,

     

    We're currently deploying Aruba 2930F switches in our access network in replacement of our old Ciscos.

     

    We have an automated procedure to grab configuration off all network devices, compare them with yesterday's versions and send the diffs to relevant people. This is done over SSH with public-key authentication to avoid using passwords.

     

    Problem is, ArubaOS doesn't support public-key authentication when AAA is configured for TACACS, which we need to be able to login.

     

    Anybody here doing something similar and wanting to share? I know we can do this with Airwave, but we're not sure we're going to use that platform at the moment (being quite new to the Aruba series of products).

     

     

    Lars


    About public-key and AAA, what firmware are you using? There is some change in the latest 16.08 about this.

     

    Have you looked at using the API (and not SSH)?



  • 3.  RE: Automatic config downloads

    Posted Feb 08, 2019 02:30 AM

    @alagoutte wrote:

    About public-key and AAA, what firmware are you using? There is some change in the latest 16.08 about this.

     

    Have you looked at using the API (and not SSH


    We're on 16.08. Nothing's changed.

     

    Right now I have a workaround using sshpass on the Linux side (the config collector). Not too pretty, but it works and I have authenticated and encrypted transfers of config files.

     

    Haven't looked at the APIs. Is there a manual for those?

     

     

    Lars



  • 4.  RE: Automatic config downloads

    MVP GURU
    Posted Feb 09, 2019 02:50 AM

    @ljorg wrote:

    @alagoutte wrote:

    About public-key and AAA, what firmware are you using? There is some change in the latest 16.08 about this.

     

    Have you looked at using the API (and not SSH


    We're on 16.08. Nothing's changed.

     

    Right now I have a workaround using sshpass on the Linux side (the config collector). Not too pretty, but it works and I have authenticated and encrypted transfers of config files.

     

    Haven't looked at the APIs. Is there a manual for those?

     

     

    Lars


    There is an API guide on the HPE support website.



  • 5.  RE: Automatic config downloads

    EMPLOYEE
    Posted Feb 11, 2019 04:30 PM

    The REST API Guide for 16.08 is available in PDF and HTML formats on the Networking Information Library.



  • 6.  RE: Automatic config downloads

    Posted Nov 17, 2019 08:57 PM

    Aruba has a long way to go to catch up on this front. It feels like they're really trying to give us a modern toolset, and I appreciate that. However, it isn't here yet; or, if it is, the documentation isn't. The REST API is a great idea that just falls short in practice, and the documentation is terrible.

     

    Switches don't support SSH command execution, so simple one-time paramiko commands won't work. You have to spawn a shell. When you do spawn a shell, the VT100 control characters will make expect scripting a nightmare. local-terminal settings will get you around that, but you have the added overhead of setting that and hoping to get it set back before a disconnect or error. The API is far from intuitive and the documentation is lacking. E.g. you will find out that ../rest/v3/cli doesn't support copy commands only after you try it, and that ../rest/v3/file-transfer doesn't support TFTP only after it tells you that tftp://... isn't a valid URL and you spend some time with Google. It uses options like "FTT_CONFIG" that we assume is startup-config but could be running-config, and "FTA_UPLOAD", which I will assume is from the perspective of the switch, so it's uploading to the backup server. If you're wrong about that last one and the file exists on the server, you just restored your config instead of backing it up. I'm sure your boss will understand.

     

    Someone at Aruba took the time to build some Ansible modules, and I appreciate their work. However, they're built using the REST API, so they have the same limitations, and again with the documentation. One of the modules is named arubaoss_config_bkup, but it is a backup/restore module. Again, hope your boss is understanding. The documentation for the "state" option for this one is...

    state:
        description:
            - Adding or reading data
        default: create
        required: false

    What is Adding? What is Reading? And which is "create"? And what is the other option? I tried "destroy." Not it. Let's take a guess that adding is putting data somewhere. Is it putting the config data on the backup server or a backup config on the switch, and vice versa?

     

    I'm sorry if I sound bitter, but I used to be a full Cisco shop with a massive custom codebase that served me flawlessly for years. Now I'm here.



  • 7.  RE: Automatic config downloads

    MVP GURU
    Posted Nov 18, 2019 04:43 AM

    For Ansible, it would be better to ask directly on the Ansible Aruba Switch GitHub.

     

    For the API, there are multiple ways to do this.

    For example, I actually use the AnyCLI API to generate show run output and save it to a file.
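The approach described in this reply (run show run through the REST cli route, save the output), as an added example that is not code from the thread, from HPE/Aruba or from PowerArubaSW. The HTTP transport is a plain callable so the login/command/logout flow can be exercised offline against the stub at the bottom; the URL paths and JSON field names (`login-sessions`, `userName`, `cookie`, `result_base64_encoded`, `CCS_SUCCESS`) are taken from my reading of the ArubaOS-Switch REST API guide and should be verified against the 16.08 guide before use.

```python
"""Save 'show running-config' output through the ArubaOS-Switch REST API.

Added example, not code from the thread or from HPE/Aruba. The HTTP transport
is a plain callable so the flow can be run offline against the stub below.

ASSUMED API shapes (verify against the 16.08 REST API guide):
  * POST   /rest/v3/login-sessions  {"userName", "password"} -> {"cookie": "..."}
  * POST   /rest/v3/cli             {"cmd": "..."} -> {"status", "result_base64_encoded"}
  * DELETE /rest/v3/login-sessions  ends the session
"""
import base64
import json
import ssl
import urllib.request
from pathlib import Path
from typing import Callable, Optional

# transport(method, url, json_body_or_None, cookie_or_None) -> decoded JSON dict
Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Real transport over HTTPS. Keep TLS verification on; disable it only for
    a lab switch that still has a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, body, cookie):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if cookie:
            req.add_header("Cookie", cookie)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    return send


def run_cli(transport: Transport, base_url: str, user: str, password: str,
            cmd: str = "show running-config") -> str:
    """Log in, run one non-interactive command, log out; return decoded output."""
    login = transport("POST", f"{base_url}/rest/v3/login-sessions",
                      {"userName": user, "password": password}, None)
    cookie = login["cookie"]
    try:
        resp = transport("POST", f"{base_url}/rest/v3/cli", {"cmd": cmd}, cookie)
        # The cli route rejects copy/crypto/... commands; treat anything other
        # than success as an error, never as configuration text.
        if resp.get("status") != "CCS_SUCCESS":
            raise RuntimeError(f"{cmd!r} failed: {resp.get('error_msg', resp)}")
        return base64.b64decode(resp["result_base64_encoded"]).decode("utf-8", "replace")
    finally:
        # Always release the session so it does not linger on the switch.
        transport("DELETE", f"{base_url}/rest/v3/login-sessions", None, cookie)


def save_running_config(transport: Transport, base_url: str, user: str,
                        password: str, dest: str) -> str:
    """Fetch the running config and write it to dest; returns the text."""
    text = run_cli(transport, base_url, user, password)
    Path(dest).write_text(text)
    return text


def stub_transport(config_text: str, calls: list) -> Transport:
    """Offline stand-in for a switch (constructed for this example). It mimics
    the assumed response shapes and refuses 'copy' like the real cli route."""
    session = "sessionId=constructed-example"

    def send(method, url, body, cookie):
        calls.append((method, url.split("/rest/v3/")[-1]))
        if method == "POST" and url.endswith("/login-sessions"):
            return {"cookie": session}
        if method == "POST" and url.endswith("/cli"):
            if cookie != session:
                return {"status": "CCS_FAILURE", "error_msg": "not authenticated"}
            if body["cmd"].split()[0] == "copy":
                return {"status": "CCS_FAILURE", "error_msg": "command not supported"}
            encoded = base64.b64encode(config_text.encode()).decode()
            return {"status": "CCS_SUCCESS", "result_base64_encoded": encoded}
        return {}

    return send


if __name__ == "__main__":
    # Offline demonstration against the stub; swap in urllib_transport() for a real switch.
    log = []
    print(save_running_config(stub_transport("hostname sw1\nvlan 10\n", log),
                              "https://sw1.example", "backup", "pw", "sw1.cfg"))
```

Against a real switch, replace the stub with `urllib_transport()` and point `base_url` at `https://<switch>`; the command text stays the same. Because `run_cli` raises on any non-success status, a rejected command (such as `copy`, which the thread found unsupported on this route) can never be written to the backup file as if it were configuration.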

     



  • 8.  RE: Automatic config downloads

    Posted Nov 18, 2019 01:05 PM

    Thank you for a solution. I was able to get 'sh run' to work with ../rest/v3/cli while I was messing with it, and I considered just passing that string to the tftp server. Again, feels a little dirty, but it would work.

     

    When I started seeing things about "anyCli" I got excited, because that makes it sound like we can run "any" cli command. What I'm getting, just searching for information about it, suggests that the route ../rest/v3/cli is what we're calling anyCli. If so, it is not "any" cli command. E.g. copy commands aren't allowed. Am I wrong, and is there a route that will allow any cli command?



  • 9.  RE: Automatic config downloads

    Posted Nov 18, 2019 03:54 PM

    Reviving an old thread :-)

     

    For what it's worth, I did solve the original problem I posted. Not being able to have ssh keys on the switch if you are also running TACACS does make things ugly. I created a user in TACACS with a crazy password and then use sshpass on a Linux server to scp the config out of the switch:

     

    sshpass -f password.cfg scp username@switch-name:cfg/running-config localfile

    Password is stored in password.cfg. This doesn't log into the switch, just scp's the running config to a local file on the Linux server (which is what I wanted).

     

    I could probably do some privilege level thing to make sure that user only can do scp or something like it.

     

    At least I was able to do a scripted nightly backup of all our Aruba switches.
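The nightly backup described in this reply, with the compare-with-yesterday step from the first post added, as an added example that is neither Lars's script nor anything from Aruba. Fetching runs `sshpass -f ... scp` exactly as in the command above (a password file and a TACACS user); the diff and "which copy is yesterday's" logic is pure Python and runs offline. Assumptions: the password file is readable only by its owner, a known_hosts file has been pre-populated with every switch's host key so a password is never sent to an unverified host, and the remote path is `cfg/running-config` as Lars used.

```python
"""Nightly running-config backup over scp plus a diff against the previous copy.

Added example, not code from the thread.  Fetching uses sshpass + scp as Lars
did; the diff/report part is pure Python and can be exercised offline.
Assumptions: password file readable only by its owner; known_hosts pre-populated
with every switch's host key; remote path cfg/running-config.
"""
import difflib
import stat
import subprocess
from datetime import date
from pathlib import Path


def check_password_file(path) -> bool:
    """Refuse to use a password file that group or others can read or write."""
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is mode {mode:o}; expected 0600")
    return True


def fetch_config(switch: str, user: str, password_file, known_hosts, dest) -> Path:
    """Copy running-config off one switch with sshpass + scp.
    StrictHostKeyChecking=yes with a fixed known_hosts means the password is
    only ever sent to a host whose key we already trust."""
    check_password_file(password_file)
    cmd = ["sshpass", "-f", str(password_file), "scp",
           "-o", "StrictHostKeyChecking=yes",
           "-o", f"UserKnownHostsFile={known_hosts}",
           "-o", "ConnectTimeout=15",
           f"{user}@{switch}:cfg/running-config", str(dest)]
    subprocess.run(cmd, check=True, timeout=120)
    return Path(dest)


def config_diff(old_text: str, new_text: str,
                old_name: str = "previous", new_name: str = "today") -> str:
    """Unified diff of two configs; an empty string means nothing changed."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile=old_name, tofile=new_name))


def previous_backup(backup_dir, today_file):
    """Newest dated backup older than today's; YYYY-MM-DD.cfg names sort correctly."""
    today_name = Path(today_file).name
    older = sorted(p for p in Path(backup_dir).glob("*.cfg") if p.name < today_name)
    return older[-1] if older else None


def report_change(backup_dir, today_file):
    """Diff today's copy against the previous one.
    Returns None when there is no earlier copy, '' when unchanged, else the diff."""
    prev = previous_backup(backup_dir, today_file)
    if prev is None:
        return None
    return config_diff(prev.read_text(), Path(today_file).read_text(),
                       prev.name, Path(today_file).name)


def backup_switch(switch, user, password_file, known_hosts, backup_root, day=None):
    """Fetch today's config for one switch and return what changed since last time."""
    day = day or date.today().isoformat()
    switch_dir = Path(backup_root) / switch
    switch_dir.mkdir(parents=True, exist_ok=True)
    today = switch_dir / f"{day}.cfg"
    fetch_config(switch, user, password_file, known_hosts, today)
    return report_change(switch_dir, today)


if __name__ == "__main__":
    # Example invocation (placeholders, not from the thread); the diff text
    # returned here is what would be mailed to the relevant people.
    change = backup_switch("switch-name", "username", "password.cfg",
                           "/etc/switch-backup/known_hosts", "/var/backups/switches")
    print(change if change else "no change / first backup")
```

The diff is computed from the stored copies rather than from a live session, so a switch that is unreachable one night simply leaves a gap in its directory and the next successful run diffs against the most recent file that exists.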



  • 10.  RE: Automatic config downloads

    Posted Nov 18, 2019 07:16 PM

    Ok, first, thank you. A lot. I feel like a dumb* because I've done this for years and had no idea that we could just scp directly. Didn't know that it could be done with Cisco either. This is worth changing my backup strategy for.

     

    Still not happy with the state of automation for these things, but this has made my day.



  • 11.  RE: Automatic config downloads

    Posted Nov 19, 2019 04:27 AM

    I'm very happy to have helped somebody else solve a problem!

     

    I know this is an Aruba forum, but chances are you have a mixed environment. SCP backup on Ciscos is a lot prettier, because they support key-based authentication.

     

    Put the public key of the user doing the ssh on the cisco device like this:

     

    ip ssh pubkey-chain
      username backup-user
        key-string 
           AAAAB3NzaC1yc2EAA [...]

    The switch will automatically hash the key into a shorter string so it doesn't look so ugly in the config afterwards.

     

    With the key in place, you can simply do this:

     

    scp backup-user@switch:running-config localfile

     

    Lars



  • 12.  RE: Automatic config downloads

    MVP GURU
    Posted Nov 19, 2019 05:18 AM

    @acecase wrote:

    Thank you for a solution. I was able to get 'sh run' to work with ../rest/v3/cli while I was messing with it, and I considered just passing that string to the tftp server. Again, feels a little dirty, but it would work.

     

    When I started seeing things about "anyCli" I got excited, because that makes it sound like we can run "any" cli command. What I'm getting, just searching for information about it, suggests that the route ../rest/v3/cli is what we're calling anyCli. If so, it is not "any" cli command. E.g. copy commands aren't allowed. Am I wrong, and is there a route that will allow any cli command?


    From a doc (and in PowerArubaSW) about AnyCLI:

            All configuration and execution commands in non-interactive mode are supported.
            crypto, copy, process-tracking, recopy, redo, repeat, session, end, print, terminal,
            logout, menu, page, restore, update, upgrade-software, return, setup, screen-length,
            vlan range and help commands are not supported.
            Testmode commands are not supported.
            All show commands are supported except show tech and show history

    There is AnyBatch also...