topic Re: authentication error between Ansible and Nexus 9k in Controllers

authentication error between Ansible and Nexus 9k

TCPuniverse — Sat, 06 Nov 2021 11:25:00 GMT

Hi all;

I posted my question on a community I found for automation, But now I came across this dedicated DevNet automation. I Don't know maybe here is the right place to ask my question, but I'm not going to copy/paste the same stuff here. So I appreciate if anyone take a look at my question posted in https://community.cisco.com/t5/intelligent-automation/issue-in-connecting-between-ansible-and-nexus-9k/m-p/4498933#M7740 address.

Re: authentication error between Ansible and Nexus 9k

Claudia de Luna — Sat, 06 Nov 2021 11:47:10 GMT

Hi @TCPuniverse

Is TACACS configured?

Try enabling feature privilege (see below) and then re-run your playbook.

Please report back if can..I've not run into feature privilege either!

Link

Configuring Privilege Level Support for Authorization on TACACS+ Servers

You can configure privilege level support for authorization on TACACS+ servers.

Unlike Cisco IOS devices, which use privilege levels to determine authorization, Cisco NX-OS devices use role-based access control (RBAC). To enable both types of devices to be administered by the same TACACS+ servers, you can map the privilege levels configured on TACACS+ servers to user roles configured on Cisco NX-OS devices.

When a user authenticates with a TACACS+ server, the privilege level is obtained and used to form a local user role name of the format “priv-n,” where n is the privilege level. The user assumes the permissions of this local role. Sixteen privilege levels, which map directly to corresponding user roles, are available. The following table shows the user role permissions that correspond to each privilege level.

Privilege Level User Role Permissions

15	network-admin permissions
13 - 1	Standalone role permissions, if the feature privilege command is disabled. Same permissions as privilege level 0 with cumulative privileges for roles, if the feature privilege command is enabled.
0	Permission to execute show commands and exec commands (such as ping , trace , and ssh ).

Important

Only the network administrator can escalate privileges to the root. As per the new security measures, a network operator (priv-1 user) is not allowed to collect show tech. Therefore, the enable command does not help to escalate the privileges.

Note

When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.
You must also configure the privilege level for the Cisco NX-OS device on the Cisco Secure Access Control Server (ACS).

SUMMARY STEPS

configure terminal
[no] feature privilege

Re: authentication error between Ansible and Nexus 9k

TCPuniverse — Sat, 06 Nov 2021 12:05:36 GMT

Hello;

I ran these command:

switch2(config)# feature privilege
switch2(config)# enable secret 0 pass123! priv-lvl 15
switch2(config)# username sekom role priv-15
----
switch2(config)# sh privilege
User name: sekom
Current privilege level: 15
Feature privilege: Enabled

And ran playbook, first without privilege scalation:

[root@tcentos ansible-dir]# ansible-playbook tp-collecting-info-nxos.yml --limit nxos -u sekom -k

result:

fatal: [10.106.6.216]: FAILED! => {"changed": false, "msg": "failed to elevate privilege to enable mode, at prompt [b'\\rswitch2# '] with error: unable to check privilege level [User name: sekom\nCurrent privilege level: 15\nFeature privilege: Enabled]"}

And with privilege scalation:

[root@tcentos ansible-dir]# ansible-playbook tp-collecting-info-nxos.yml --limit nxos -u sekom -Kk

with the same result as above. I have not enabled TACACS:

switch2(config)# sh run | inc feature
feature privilege
feature telnet
feature nxapi
feature vrrp
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature lldp

Thanks.

Re: authentication error between Ansible and Nexus 9k

Claudia de Luna — Sat, 06 Nov 2021 12:31:47 GMT

Here is what I normally use in my playbooks;

- hosts: some group
  connection: local
  become: yes
  gather_facts: False

you may gave to use become: yes for some of the show commands or actions you want to execute in your playbook.

If you are concerned about that try your playbook against a simulator or one of the DevNet Sandbox Nexus Devices.

Re: authentication error between Ansible and Nexus 9k

TCPuniverse — Sat, 06 Nov 2021 14:29:56 GMT

I changed "become" to "yes" but got the same error. Actually when I enter credentials (both SSH pass and then enable pass), I got "Failed to authenticate: Authentication failed." but when credentials were correct, I got the "failed to elevate privilege to enable mode". I think there should be something about NXOS. My NXOS version on C93128TX is "7.0(3)I1(1a)".

[root@tcentos ansible-dir]# ansible-playbook tp-collecting-info-nxos.yml --limit nxos -u sekom -Kk
SSH password:
BECOME password[defaults to SSH password]:

PLAY [print nxos facts] ************************************************************************************************************

TASK [gathering facts] *************************************************************************************************************
fatal: [10.106.6.216]: FAILED! => {"changed": false, "msg": "failed to elevate privilege to enable mode, at prompt [b'\\rswitch2# '] with error: unable to check privilege level [User name: sekom\nCurrent privilege level: 15\nFeature privilege: Enabled]"}
fatal: [10.106.6.219]: FAILED! => {"changed": false, "msg": "Failed to authenticate: Authentication failed."}

PLAY RECAP *************************************************************************************************************************
10.106.6.216               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.106.6.219               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Re: authentication error between Ansible and Nexus 9k

Sergey Lisitsin — Mon, 08 Nov 2021 09:54:45 GMT

Hello,

What connection mode do you use in your playbook?

Re: authentication error between Ansible and Nexus 9k

TCPuniverse — Mon, 08 Nov 2021 12:18:03 GMT

I'm using "network_cli" as connection method.

[root@tcentos ansible-dir]# cat group_vars/nxos/vars.yml
---
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.nxos.nxos
ansible_become: no
ansible_command_timeout: 60

Re: authentication error between Ansible and Nexus 9k

Sergey Lisitsin — Mon, 08 Nov 2021 12:39:34 GMT

I would try changing that to "ssh"

Re: authentication error between Ansible and Nexus 9k

TCPuniverse — Sat, 13 Nov 2021 21:22:16 GMT

It didn't work either.

Re: authentication error between Ansible and Nexus 9k

TCPuniverse — Thu, 18 Nov 2021 10:53:00 GMT

I changed connection method to NX-API and enabled the NX-API on nexus switch with "feature nxapi" command and also tried to run the playbook, both with privilege escalation and without, but again it gave the same error in both cases:

ansible.module_utils.connection.ConnectionError: failed to elevate privilege to enable mode, at prompt [b'\\rswitch2# '] with error: unable to check privilege level [User name: admin
Current privilege level: 15
Feature privilege: Enabled

Is this a bug or I missed something important? because this is not normal that I get same error over and over again even after changing config multiple times?

this is my ansible vars:

[root@tcentos ansible-dir]# cat group_vars/nxos/vars.yml
---
ansible_connection: ansible.netcommon.httpapi
ansible_network_os: cisco.nxos.nxos

and my playbook:

[root@tcentos ansible-dir]# cat tp-cbackup-nxos.yml
---
- name: print nxos facts
  hosts: nxos
  gather_facts: no
  tasks:
    - name: backup config
      cisco.nxos.nxos_config:
        backup: yes
      register: nxos_backup
    - name: printing facts
      debug:
        var: nxos_backup

And my Nexus switch info:

Software
BIOS: version 07.66
NXOS: version 7.0(3)I7(9)

Hardware
cisco Nexus9000 C93128TX Chassis

Nexus config:

feature privilege
feature telnet
feature nxapi
feature vpc
!
username admin password 5 $1$XMiZ  role network-admin
username admin role priv-15
enable secret 5 $1$4ef0dfcc9
nxapi http port 80

And finally here are some outputs showing AAA config:

switch2(config)# sh aaa authentication
         default: local
         console: local
---
switch2(config)# sh aaa authorization
         pki-ssh-cert: local
         pki-ssh-pubkey: local
---
switch2(config)# sh privilege
User name: admin
Current privilege level: 15
Feature privilege: Enabled

Re: authentication error between Ansible and Nexus 9k

TCPuniverse — Wed, 24 Nov 2021 10:35:34 GMT

Hi friends. none of the suggestions given here worked for me. I even upgraded NXOS to version 9.3(8) which is Cisco's recommended version, but got the same error again, again and again! I think there should be logical answer to this error. haven't you ever faced with such error? I think I'm missing very important point here, because with all of things I did, I should see any progress and difference, but I'm at the first step after all.

Re: authentication error between Ansible and Nexus 9k

wcornejo — Tue, 06 May 2025 21:21:34 GMT

I am having problem to run ansible playbook ( gathering facts) using TACACS credential using nexus 9k I have the below message if anybody has any suggestion how to sole ve this problem will be apprecciate

fatal: [pok-kd-mgmt-1b]: FAILED! => {
"changed": false,
"module_stderr": "Failed to authenticate: Authentication failed.",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

"Failed to authenticate: Authentication failed.