
authentication error between Ansible and Nexus 9k

TCPuniverse (Level 1)

Hi all;

I posted my question on a community I found for automation, but now I came across this dedicated DevNet automation community. I don't know whether this is the right place to ask my question, but I'm not going to copy/paste the same stuff here, so I'd appreciate it if anyone would take a look at my question posted at https://community.cisco.com/t5/intelligent-automation/issue-in-connecting-between-ansible-and-nexus-9k/m-p/4498933#M7740.

10 Replies

Claudia de Luna (Spotlight)

Hi @TCPuniverse

Is TACACS configured?

Try enabling feature privilege (see below) and then re-run your playbook.

Please report back if you can. I've not run into feature privilege either!

Configuring Privilege Level Support for Authorization on TACACS+ Servers

You can configure privilege level support for authorization on TACACS+ servers.

Unlike Cisco IOS devices, which use privilege levels to determine authorization, Cisco NX-OS devices use role-based access control (RBAC). To enable both types of devices to be administered by the same TACACS+ servers, you can map the privilege levels configured on TACACS+ servers to user roles configured on Cisco NX-OS devices.

When a user authenticates with a TACACS+ server, the privilege level is obtained and used to form a local user role name of the format “priv-n,” where n is the privilege level. The user assumes the permissions of this local role. Sixteen privilege levels, which map directly to corresponding user roles, are available. The following table shows the user role permissions that correspond to each privilege level.

Privilege Level | User Role Permissions
----------------|----------------------------------------------------------------
15              | network-admin permissions
13 - 1          | • Standalone role permissions, if the feature privilege command is disabled.
                | • Same permissions as privilege level 0 with cumulative privileges for roles, if the feature privilege command is enabled.
0               | Permission to execute show commands and exec commands (such as ping, trace, and ssh).

Important

Only the network administrator can escalate privileges to the root. As per the new security measures, a network operator (priv-1 user) is not allowed to collect show tech. Therefore, the enable command does not help to escalate the privileges.

Note

  • When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.

  • You must also configure the privilege level for the Cisco NX-OS device on the Cisco Secure Access Control Server (ACS).


SUMMARY STEPS

  1. configure terminal
  2. [no] feature privilege

Hello;

I ran these commands:

switch2(config)# feature privilege
switch2(config)# enable secret 0 pass123! priv-lvl 15
switch2(config)# username sekom role priv-15
----
switch2(config)# sh privilege
User name: sekom
Current privilege level: 15
Feature privilege: Enabled

And ran the playbook, first without privilege escalation:

[root@tcentos ansible-dir]# ansible-playbook tp-collecting-info-nxos.yml --limit nxos -u sekom -k

result:

fatal: [10.106.6.216]: FAILED! => {"changed": false, "msg": "failed to elevate privilege to enable mode, at prompt [b'\\rswitch2# '] with error: unable to check privilege level [User name: sekom\nCurrent privilege level: 15\nFeature privilege: Enabled]"}

And with privilege escalation:

[root@tcentos ansible-dir]# ansible-playbook tp-collecting-info-nxos.yml --limit nxos -u sekom -Kk

with the same result as above. I have not enabled TACACS:

switch2(config)# sh run | inc feature
feature privilege
feature telnet
feature nxapi
feature vrrp
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature lldp

Thanks.

Here is what I normally use in my playbooks:

- hosts: some group
  connection: local
  become: yes
  gather_facts: False

You may have to use become: yes for some of the show commands or actions you want to execute in your playbook.

If you are concerned about that try your playbook against a simulator or one of the DevNet Sandbox Nexus Devices.

I changed "become" to "yes" but got the same error. Actually, when I entered credentials (both the SSH password and then the enable password), I got "Failed to authenticate: Authentication failed.", but when the credentials were correct, I got the "failed to elevate privilege to enable mode" error. I think there should be something about NXOS. My NXOS version on the C93128TX is "7.0(3)I1(1a)".

[root@tcentos ansible-dir]# ansible-playbook tp-collecting-info-nxos.yml --limit nxos -u sekom -Kk
SSH password:
BECOME password[defaults to SSH password]:

PLAY [print nxos facts] ************************************************************************************************************

TASK [gathering facts] *************************************************************************************************************
fatal: [10.106.6.216]: FAILED! => {"changed": false, "msg": "failed to elevate privilege to enable mode, at prompt [b'\\rswitch2# '] with error: unable to check privilege level [User name: sekom\nCurrent privilege level: 15\nFeature privilege: Enabled]"}
fatal: [10.106.6.219]: FAILED! => {"changed": false, "msg": "Failed to authenticate: Authentication failed."}

PLAY RECAP *************************************************************************************************************************
10.106.6.216               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.106.6.219               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Hello,

What connection mode do you use in your playbook?

I'm using "network_cli" as the connection method.

[root@tcentos ansible-dir]# cat group_vars/nxos/vars.yml
---
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.nxos.nxos
ansible_become: no
ansible_command_timeout: 60
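As an added example (not posted by anyone in this thread), here is a group_vars file for the same `nxos` group that turns privilege escalation on for network_cli, with the conflicting setting from the vars file above left in as a comment; the vault variable name is an assumption.

```yaml
---
# group_vars/nxos/vars.yml (added example, not from the thread)
# Connection variables set in inventory/group_vars take precedence over
# play keywords, so an `ansible_become: no` here overrides a `become: yes`
# written in the playbook and the -K prompt never reaches the device.
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.nxos.nxos

# Conflicting setting (as in the vars file above):
# ansible_become: no

# Corrected settings: let network_cli send `enable` on NX-OS.
# On NX-OS this requires `feature privilege` and an `enable secret`.
ansible_become: yes
ansible_become_method: enable
# Enable secret from an Ansible Vault variable (name is an assumption);
# alternatively leave this out and pass -K on the command line.
ansible_become_password: "{{ vault_nxos_enable_password }}"
ansible_command_timeout: 60
```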

I would try changing that to "ssh".

It didn't work either.

TCPuniverse (Level 1)

I changed the connection method to NX-API and enabled NX-API on the Nexus switch with the "feature nxapi" command, and also tried to run the playbook both with privilege escalation and without, but again it gave the same error in both cases:

ansible.module_utils.connection.ConnectionError: failed to elevate privilege to enable mode, at prompt [b'\\rswitch2# '] with error: unable to check privilege level [User name: admin
Current privilege level: 15
Feature privilege: Enabled

Is this a bug, or did I miss something important? Because it is not normal that I get the same error over and over again even after changing the config multiple times.

These are my Ansible vars:

[root@tcentos ansible-dir]# cat group_vars/nxos/vars.yml
---
ansible_connection: ansible.netcommon.httpapi
ansible_network_os: cisco.nxos.nxos

and my playbook:

[root@tcentos ansible-dir]# cat tp-cbackup-nxos.yml
---
- name: print nxos facts
  hosts: nxos
  gather_facts: no
  tasks:
    - name: backup config
      cisco.nxos.nxos_config:
        backup: yes
      register: nxos_backup
    - name: printing facts
      debug:
        var: nxos_backup

And my Nexus switch info:

Software
 BIOS: version 07.66
NXOS: version 7.0(3)I7(9)

Hardware
cisco Nexus9000 C93128TX Chassis

Nexus config:

feature privilege
feature telnet
feature nxapi
feature vpc
!
username admin password 5 $1$XMiZ  role network-admin
username admin role priv-15
enable secret 5 $1$4ef0dfcc9
nxapi http port 80

And finally here are some outputs showing AAA config:

switch2(config)# sh aaa authentication
         default: local
         console: local
---
switch2(config)# sh aaa authorization
         pki-ssh-cert: local
         pki-ssh-pubkey: local
---
switch2(config)# sh privilege
User name: admin
Current privilege level: 15
Feature privilege: Enabled

Hi friends. None of the suggestions given here worked for me. I even upgraded NXOS to version 9.3(8), which is Cisco's recommended version, but got the same error again, again and again! I think there should be a logical answer to this error. Haven't you ever faced such an error? I think I'm missing a very important point here, because with all the things I did, I should see some progress and difference, but I'm still at the first step after all.