RyanWayno20056
Beginner

NSO ACI Authentication Issue

Hello All,

I've installed the ACI NED for NSO and have added a test device, but I'm running into an issue with authentication. I followed the instructions in the first part of the README (I can post if needed) using an existing auth group. When I try to connect to the device I'm getting the following error back, note that I've redacted the device name here:

 

Admin@ncs(config)# devices device XXXXXXXX connect
result false
info Failed to connect to device XXXXXXXX : connection refused: ned_external_error ACILogin :: Connect error:
Failed to acquire token:
HTTP:400 ->[Bad Request]:[{"totalCount":"1","imdata":[{"error":{"attributes":{"code":"6","text":"Output format was not specified (possible options: .xml|.json)"}}}]}]

 

There's no information in the README that speaks to this or additional required steps related to authentication. Can someone point me in the right direction here on what's wrong?

 

Thank you!

RyanWayno20056
Beginner

INSTRUCTIONS FROM README:

In the CLI configure the device. Enter configuration mode:

admin@ncs# configure
admin@ncs(config)#

Set the required configurables,
############################################
### [ !!! ] for NSO >= 5.X, use major; gets autocompleted in the cli if you press <Tab> after "ned-id"
### [ !!! ] say if NED version 1.3.9 is loaded, set the ned id to "cisco-aci-mso-gen-1.3" as below:
admin@ncs(config)# devices device <device-name> device-type generic ned-id cisco-aci-mso-gen-1.3

### [ !!! ] for NSO < 5.X, no versioning of the ned-id is needed:
admin@ncs(config)# devices device <device-name> device-type generic ned-id cisco-aci-mso

admin@ncs(config)# devices device <device-name> state admin-state unlocked
admin@ncs(config)# devices device <device-name> address <ip-address>
admin@ncs(config)# devices device <device-name> port <port> (SET TO 443)

############################################
Set the authentication username/password:
############################################

I USED AN EXISTING AUTH GROUP WITH VALID CREDENTIALS

admin@ncs(config)# devices authgroups group <group-name> default-map remote-name <remote-name>
admin@ncs(config)# devices authgroups group <group-name> default-map remote-password <remote-password>
admin@ncs(config)# devices device <device-name> authgroup <group-name>

############################################
[IMPORTANT]: set a timeout of a minimum 120-130 seconds because of the current device behavior. 150 recommended
############################################
admin@ncs(config)# devices device <device-name> connect-timeout 150
admin@ncs(config)# devices device <device-name> read-timeout 150
admin@ncs(config)# devices device <device-name> write-timeout 150

############################################
Update ned-settings[IMPORTANT] :
############################################

admin@ncs(config)# devices device <device-name> ned-settings cisco-aci-mso connection api-base-url /api/v1
admin@ncs(config)# devices device <device-name> ned-settings cisco-aci-mso connection ssl accept-any true
admin@ncs(config)# devices device <device-name> ned-settings cisco-aci-mso log-verbose true
admin@ncs(config)# devices device <device-name> ned-settings use-transaction-id false
admin@ncs(config)# commit

One last note here after some additional testing for what it's worth. I confirmed that I am able to successfully connect to the ACI in question using an API post in Postman and get a valid response with a token back, so I'm guessing there's some configuration information lacking in the README file??

 

POST https://apic-ip-address/api/aaaLogin.json

 

{
"aaaUser" : {
"attributes" : {
"name" : "xxx",
"pwd" : "xxxxxx"
}
}
}

Hi,

 

In order to investigate this issue further, we would need you to submit a new ticket and provide us with access to your device.

 

Thank you,

Andrei

Are you trying to manage an ACI Multi Site Orchestrator (MSO) instance, or just an ACI APIC cluster? From your initial post I assume you are just trying to manage an APIC cluster, but the README extract you have provided appears to be from the cisco-aci-mso NED, which manages MSO instances rather than APICs. If you want to manage an APIC cluster, try using the cisco-apicdc NED instead.

View solution in original post
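As an added example (not from the thread and not NED code): a small parser for the connect error shown in the opening post, which pulls the HTTP status and the APIC error body out of the NSO output and maps the "Output format was not specified" response to the NED mismatch the accepted answer describes. The function names and hint strings are hypothetical, and the sample text is copied from the post.

```python
import json
import re

# Connect error from the opening post (device name already redacted there).
SAMPLE = """result false
info Failed to connect to device XXXXXXXX : connection refused: ned_external_error ACILogin :: Connect error:
Failed to acquire token:
HTTP:400 ->[Bad Request]:[{"totalCount":"1","imdata":[{"error":{"attributes":{"code":"6","text":"Output format was not specified (possible options: .xml|.json)"}}}]}]
"""

# Shape of the embedded line as it appears in the post: HTTP:<status> ->[<reason>]:[<body>]
HTTP_LINE = re.compile(r"HTTP:(\d{3})\s*->\[([^\]]*)\]:\[(.*)\]\s*$", re.M)


def parse_connect_error(output):
    """Return HTTP status, reason and (code, text) error pairs; None if no HTTP line."""
    m = HTTP_LINE.search(output)
    if m is None:
        return None
    result = {"status": int(m.group(1)), "reason": m.group(2), "errors": []}
    try:
        body = json.loads(m.group(3))
    except json.JSONDecodeError:
        return result  # body was not JSON (for example an HTML error page)
    if not isinstance(body, dict):
        return result
    for item in body.get("imdata", []):
        attrs = item.get("error", {}).get("attributes", {})
        if attrs:
            result["errors"].append((attrs.get("code"), attrs.get("text")))
    return result


def triage(output):
    """Suggest a next step (hypothetical helper; the hints follow the thread)."""
    parsed = parse_connect_error(output)
    if parsed is None:
        return "no embedded HTTP error found"
    for _code, text in parsed["errors"]:
        if text and "Output format was not specified" in text:
            return ("endpoint wants a .json/.xml URL suffix, so the device answers "
                    "like an APIC: check the NED type (cisco-apicdc for APIC, "
                    "cisco-aci-mso for MSO)")
    if parsed["status"] in (401, 403):
        return "credentials or authorization rejected: check the authgroup mapping"
    return "HTTP %d %s: inspect the NED trace" % (parsed["status"], parsed["reason"])
```
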

Yeah I am indeed trying to manage some individual clusters, so your response makes sense. It seems then that I may have the wrong NED then. I'm working to investigate that now, I think your solution is likely correct but I'm going to leave this thread open for the moment and will circle back to provide full closure and confirm the solution.

 

Thanks much for the reply.

Thanks again tcragg1 for the redirect here. I was able to obtain the cisco-apicdc NED instead and looking at the readme, it's indeed quite a different process for connecting. I'll give that a go next week but based on what I read I don't anticipate any issue there.

 

I've seen this question go unanswered in other threads so to be clear on the question for anyone who might have the answer:

-Is there any documentation on how to actually USE the NED, not how to set it up and connect but like actual code samples or a guide perhaps?

 

There is a documentation bundle for NSO that you should be able to get through the same channels you used to obtain NSO. The user guide in the bundle covers the basics of how to use the NSO CLI to manage device configurations, and the development guide covers the Python and Java APIs and how to build an NSO service.

 

Can you be more specific about what kind of use cases you are looking for? Just to directly manage the device configuration through the NSO CLI, implementing services to manage parts of the configuration, or something else?

Yeah I have the documentation bundle that I think you are referring to, this ships with NSO. I am semi-familiar with writing code for NSO and have built various services in it already, however those center around IOS and IOS-XR devices. I'm curious if there is anything specific to ACI and the APICDC NEDs, like code examples or something and how specifically to interact with those devices?

 

I'm sure once I get the NED installed I can see what's available at CLI to get some clues, but I haven't been able to find any module examples specific to this platform in the searching I have done up to this point.

If you are already familiar with NSO but haven't used NSO to manage an ACI fabric before, the simplest way to start probably is to look through the data structure in the NSO CLI. The basic principles around configuration management and services are still going to be the same as what you have done with IOS and IOS-XR devices.

 

I do have a handful of proof of concept NSO ACI services I built some time ago. Below is a sample of the Python code from a service I built to manage Attachable Entity Profiles in ACI, if that is helpful:

 

# Service base class from the NSO Python API
from ncs.application import Service


class ServiceCallbacks(Service):

    # The create() callback is invoked inside NCS FASTMAP and
    # must always exist.
    @Service.create
    def cb_create(self, tctx, root, service, proplist):
        self.log.info('Service create(service=', service._path, ')')
        conf = root.devices.device[service.hostname].config
        conf.apic.infraInfra.infraAttEntityP.create(service.aep)
        aep = conf.apic.infraInfra.infraAttEntityP[service.aep]
        if service.descr:
            aep.descr = service.descr
        if service.enable_infrastructure_vlan:
            aep.infraProvAcc.name = 'provacc'
            aep.infraProvAcc.dhcpInfraProvP.create()
            aep.infraProvAcc.dhcpInfraProvP.mode = 'controller'
        for l2 in service.l2_ext_domain:
            domain = f'uni/l2dom-{l2}'
            aep.infraRsDomP.create(domain)
        for l3 in service.l3_ext_domain:
            domain = f'uni/l3dom-{l3}'
            aep.infraRsDomP.create(domain)
        for phy in service.phy_domain:
            domain = f'uni/phys-{phy}'
            aep.infraRsDomP.create(domain)
        for vmm in service.vmm_domain:
            domain = f'uni/vmmp-VMware/dom-{vmm}'
            aep.infraRsDomP.create(domain)

I was able to get connected to a cluster and sync its configuration successfully. Looking at the NSO CLI I see what's going on here. It looks pretty much like what we do with IOS and IOSXR just using ACI API format instead. I think I have what I need to run with it from here.

 

Thank you, I appreciate your replies to this thread. You've been very helpful.