AAA role ======== This role facilitates the configuration of authentication authorization acccounting (AAA). It supports the configuration of TACACS for OS9. The AAA role requires an SSH connection for connectivity to a Dell EMC Networking device. You can use any of the built-in OS connection variables . Role variables -------------- - Role is abstracted using the *ansible_network_os* variable that can take dellemc.os9.os9 as a value - If *os9_cfg_generate* is set to true, the variable generates the role configuration commands in a file - Any role variable with a corresponding state variable set to absent negates the configuration of that variable - Setting an empty value for any variable negates the corresponding configuration - Variables and values are case-sensitive **os9_aaa keys** | Key | Type | Description | Support | |------------|---------------------------|---------------------------------------------------------|-----------------------| | ``radius_server`` | dictionary | Configures the radius server (see ``radius_server.*``) | os9 | | ``radius_server.key`` | string (required): 0,7,LINE | Configures the authentication key for the radius server | os9 | | ``radius_server.key_string`` | string | Configures the user key string; variable takes the hidden user key string if value is 7; variable takes the unencrypted user key (clear-text) if value is 0; variable supported only if *radius_server.key* is 7 or 0 | os9 | | ``radius_server.retransmit`` | integer | Configures the number of retransmissions | os9 | | ``radius_server.timeout`` | integer | Configures the timeout for retransmissions | os9 | | ``radius_server.deadtime`` | integer | Configures the server dead time | os9 | | ``radius_server.group`` | dictionary | Configures the radius servers group (see ``group.*``) | os9 | | ``group.name`` | string (required) | Configures the group name of the radius servers | os9 | | ``group.host`` | dictionary | Configures the radius server host in the group (see ``host.*``) | os9 | | ``host.ip`` | string | Configures the radius server host address in the group | os9 | | ``host.key`` | string (required): 0,7,LINE | Configures the authentication key | os9 | | ``host.key_string`` | string: 7,0 | Configures the user key string; variable takes the hidden user key string if value is 7; variable takes the unencrypted user key (clear-text) if value is 0; variable supported only if *host.key* is 7 or 0 | os9 | | ``host.retransmit`` | integer | Configures the number of retransmissions | os9 | | ``host.auth_port`` | integer | Configures the authentication port (0 to 65535) | os9 | | ``host.timeout`` | integer | Configures the timeout for retransmissions | os9 | | ``host.state`` | string: present,absent | Removes the host from group of radius server if set to absent | os9 | | ``group.vrf`` | dictionary | Configures the VRF for radius servers in the group (see ``vrf.*``) | os9 | | ``vrf.vrf_name`` | string (required) | Configures the name of VRF for the radius server group | os9 | | ``vrf.source_intf`` | integer | Configures the source interface for outgoing packets from servers in the group | os9 | | ``vrf.state`` | string: present,absent | Removes the VRF from group of radius servers if set to absent | os9 | | ``group.state`` | string: present,absent | Removes the radius server group if set to absent | os9 | | ``radius_server.host`` | dictionary | Configures the radius server host (see ``host.*``) | os9 | | ``host.ip`` | string | Configures the radius server host address | os9 | | ``host.key`` | string (required); 0,7,LINE | Configures the authentication key | os9 | | ``host.key_string`` | string | Configures the user key string; variable takes the hidden user key string if value is 7; variable takes the unencrypted user key (clear-text) if value is 0; variable supported only if *host.key* is 7 or 0 | os9 | | ``host.retransmit`` | integer | Configures the number of retransmissions | os9 | | ``host.auth_port`` | integer | Configures the authentication port (0 to 65535) | os9 | | ``host.timeout`` | integer | Configures timeout for retransmissions | os9 | | ``host.state`` | string: present,absent | Removes the radius server host if set to absent | os9 | | ``auth.key`` | string (required); 0,7,LINE | Configures the authentication key | os9 | | ``tacacs_server`` | dictionary | Configures the tacacs server (see ``tacacs_server.*``)| os9 | | ``tacacs_server.key`` | string (required): 0,7,LINE | Configures the authentication key for tacacs server | os9 | | ``tacacs_server.key_string`` | string | Configures the user key string; variable takes the hidden user key string if value is 7; variable takes the unencrypted user key (clear-text) if value is 0; variable supported only if *tacacs_server.key* is 7 or 0 | os9 | | ``tacacs_server.group`` | dictionary | Configures the group of tacacs servers (see ``group.*``) | os9 | | ``group.name`` | string (required) | Configures the group name of the tacacs servers | os9 | | ``group.host`` | dictionary | Configures the tacacs server host in the group (see ``host.*``) | os9 | | ``host.ip`` | string | Configures the tacacs server host address in the group | os9 | | ``host.key`` | string (required): 0,7,LINE | Configures the authentication key of the tacacs server host | os9 | | ``host.key_string`` | string | Configures the user key string; variable takes the hidden user key string if value is 7; variable takes the unencrypted user key (clear-text) if value is 0; variable supported only *host.key* is 7 or 0 | os9 | | ``host.retransmit`` | integer | Configures the number of retransmissions | os9 | | ``host.auth_port`` | integer | Configures the authentication port (0 to 65535) | os9 | | ``host.timeout`` | integer | Configures timeout for retransmissions | os9 | | ``host.state`` | string: present,absent | Removes the host from group of tacacs server if set to absent | os9 | | ``group.vrf`` | dictionary | Configures VRF for tacacs servers in the group (see ``vrf.*``) | os9 | | ``vrf.vrf_name`` | string (required) | Configures the name of VRF for tacacs server group | os9 | | ``vrf.source_intf`` | integer | Configures source interface for outgoing packets from servers in the group | os9 | | ``vrf.state`` | string: present,absent | Removes the VRF from group of tacacs server if set to absent | os9 | | ``group.state`` | string: present,absent | Removes the tacacs server group if set to absent | os9 | | ``tacacs_server.host`` | dictionary | Configures the tacacs server host (see ``host.*``) | os9 | | ``host.ip`` | string | Configures the tacacs sever host address | os9 | | ``host.key`` | string (required): 0,7,LINE | Configures the authentication key | os9 | | ``host.key_string`` | string | Configures the user key string; variable takes the hidden user key string if value is 7; variable takes the unencrypted user key (clear-text) if value is 0; variable supported only if *host.key* is 7 or 0 | os9 | | ``host.retransmit`` | integer | Configures the number of retransmissions | os9 | | ``host.auth_port`` | integer | Configures the authentication port (0 to 65535) | os9 | | ``host.timeout`` | integer | Configures the timeout for retransmissions | os9 | | ``host.state`` | string: present,absent | Removes the tacacs server host if set to absent | os9 | | ``aaa_accounting`` | dictionary | Configures accounting parameters (see ``aaa_accounting.*``) | os9 | | ``aaa_accounting.commands`` | list | Configures accounting for exec (shell) and config commands (see ``commands.*``) | os9 | | ``commands.enable_level`` | integer | Configures enable level for accounting of commands | os9 | | ``commands.role_name`` | string | Configures user role for accounting of commands; variable is mutually exclusive with ``enable_level`` | os9 | | ``commands.accounting_list_name`` | integer | Configures named accounting list for commands | os9 | | ``commands.no_accounting`` | boolean | Configures no accounting of commands | os9 | | ``commands.record_option`` | string: start-stop,stop-only,wait-start | Configures options to record data | os9 | | ``commands.state`` | string: present,absent | Removes the named accounting list for the commands if set to absent | os9 | | ``aaa_accounting.exec`` | list | Configures accounting for EXEC (shell) commands (see ``exec.*``) | os9 | | ``exec.accounting_list_name`` | string | Configures named accounting list for exec commands | os9 | | ``exec.no_accounting`` | boolean | Configures no accounting of EXEC commands | os9 | | ``exec.record_option`` | string: start-stop,stop-only,wait-start | Configures options to record data | os9 | | ``exec.state`` | string: present,absent | Removes the named accounting list for the exec commands if set to absent | os9 | | ``aaa_accounting.suppress`` | boolean | Suppresses accounting for users with NULL username | os9| | ``aaa_accounting.dot1x`` | string: none,start-stop,stop-only,wait-start | Configures accounting for dot1x events | os9 | | ``aaa_accounting.rest`` | string:none,start-stop,stop-only,wait-start | Configures accounting for rest interface events | os9 | | ``aaa_authorization`` | dictionary | Configures authorization parameters (see ``aaa_authorization.*``) | os9 | | ``aaa_authorization.commands`` | list | Configures authorization for EXEC (shell) and config commands (see ``commands.*``)| os9 | | ``commands.enable_level`` | integer | Configures enable level for authorization of commands | os9 | | ``commands.role_name`` | string | Configures user role for authorization of commands; mutually exclusive with ``enable_level`` | os9 | | ``commands.authorization_list_name`` | string | Configures named authorization list for commands | os9 | | ``commands.authorization_method`` | string: none | Configures no authorization of commands | os9 | | ``commands.use_data`` | string: local,tacacs+ | Configures data used for authorization | os9 | | ``commands.state`` | string: present,absent | Removes the named authorization list for the commands if set to absent | os9 | | ``aaa_authorization.config_commands`` | boolean | Configures authorization for configuration mode commands | os9 | | ``aaa_authorization.role_only`` | boolean | Configures validation of authentication mode for user role | os9 | | ``aaa_authorization.exec`` | list | Configures authorization for EXEC (shell) commands (see ``exec.*``) | os9 | | ``exec.authorization_list_name`` | string | Configures named authorization list for EXEC commands | os9 | | ``exec.authorization_method`` | string: none | Configures no authorization of EXEC commands | os9 | | ``exec.use_data`` | string: local,tacacs+ | Configures data used for authorization | os9 | | ``exec.state`` | string: present,absent | Removes the named authorization list for the EXEC commands if set to absent | os9 | | ``aaa_authorization.network`` | string: none,radius,ias | Configures authorization for network events | os9 | | ``aaa_authentication`` | dictionary | Configures authentication parameters (see ``aaa_authentication.*``) | os9 | | ``aaa_radius`` | dictionary | Configures AAA for radius group of servers (see ``aaa_radius.*``) | os9 | | ``aaa_radius.group`` | string | Configures name of the radius group of servers for AAA | os9 | | ``aaa_radius.auth_method`` | string: pap,mschapv2 | Configures authentication method of radius group of servers for AAA | os9 | | ``aaa_tacacs`` | dictionary | Configures AAA for tacacs group of servers (see ``aaa_tacacs.*``) | os9 | | ``aaa_tacacs.group`` | string | Configures name of the tacacs group of servers for AAA | os9 | | ``aaa_authentication.auth_list`` | list | Configures named authentication list for hosts (see ``host.*``) | os9 | | ``auth_list.name`` | string | Configures named authentication list | os9 | | ``auth_list.login_or_enable`` | string: enable,login | Configures authentication list for login or enable | os9 | | ``auth_list.server`` | string: radius,tacacs+ | Configures AAA to use this list of all server hosts | os9 | | ``auth_list.use_password`` | string: line,local,enable,none | Configures password to use for authentication | os9 | | ``auth_list.state`` | string: present,absent | Removes the named authentication list if set to absent | os9 | | ``aaa_authentication.dot1x`` | string: none,radius,ias | Configures authentication for dot1x events | os9 | | ``line_terminal`` | dictionary | Configures the terminal line (see ``line_terminal.*``) | os9 | | ``line_terminal.`` | dictionary | Configures the primary or virtual terminal line (see ``.*``); value can be console , vty | os9 | | ``.authorization`` | dictionary | Configures authorization parameters of line terminal (see ``authorization.*``) | os9 | | ``authorization.commands`` | list | Configures authorization for EXEC (shell) and config commands (see ``commands.*``) | os9 | | ``commands.enable_level`` | integer | Configures enable level for authorization of commands at line terminal | os9 | | ``commands.role_name`` | string | Configures user role for authorization of commands at line terminal; mutually exclusive with `enable_level` | os9 | | ``commands.authorization_list_name`` | string | Configures named authorization list for commands | os9 | | ``commands.state`` | string: present,absent | Removes the authorization of commands from line terminal if set to absent | os9 | | ``authorization.exec`` | list | Configures authorization for EXEC (shell) commands at line terminal (see ``exec.*``) | os9 | | ``exec.authorization_list_name`` | string | Configures named authorization list for EXEC commands | os9 | | ``exec.state`` | string: present,absent | Removes the authorization of EXEC (shell) from line terminal if set to absent | os9 | | ``.accounting`` | dictionary | Configures accounting parameters of line terminal (see ``accounting.*``) | os9 | | ``accounting.commands`` | list | Configures accounting for EXEC (shell) and config commands (see ``commands.*``) | os9 | | ``commands.enable_level`` | integer | Configures enable level for accounting of commands at line terminal | os9| | ``commands.role_name`` | string | Configures user role for accounting of commands at line terminal; mutually exclusive with ``enable_level`` | os9 | | ``commands.accounting_list_name`` | string | Configures named accounting list for commands | os9 | | ``commands.state`` | string: present,absent | Removes the accounting of commands from line terminal if set to absent | os9| | ``accounting.exec`` | list | Configures accounting for EXEC (shell) commands at line terminal (see ``exec.*``) | os9 | | ``exec.accounting_list_name`` | string | Configures named accounting list for EXEC commands | os9 | | ``exec.state`` | string: present,absent | Removes the accounting of EXEC (shell) from line terminal if set to absent | os9 | | ``.authentication`` | dictionary | Configures authentication parameters of line terminal (see ``authentication.*``) | os9 | | ``authentication.enable`` | string | Configures the authentication list for privilege-level password authentication | os9 | | ``authentication.login`` | string | Configures the authentication list for password checking | os9 | | ``client.ip`` | string | Configures the client ip for the radius server | os9 | | ``client.key`` | string (required): 0,7,LINE | Configures the authentication key for the radius server | os9 | > **NOTE**: Asterisk (*) denotes the default value if none is specified. Connection variables -------------------- Ansible Dell EMC Networking roles require connection information to establish communication with the nodes in your inventory. This information can exist in the Ansible *group_vars* or *host_vars* directories or inventory, or in the playbook itself. | Key | Required | Choices | Description | |-------------|----------|------------|-----------------------------------------------------| | ``ansible_host`` | yes | | Specifies the hostname or address for connecting to the remote device over the specified transport | | ``ansible_port`` | no | | Specifies the port used to build the connection to the remote device; if value is unspecified, the ANSIBLE_REMOTE_PORT option is used; it defaults to 22 | | ``ansible_ssh_user`` | no | | Specifies the username that authenticates the CLI login for the connection to the remote device; if value is unspecified, the ANSIBLE_REMOTE_USER environment variable value is used | | ``ansible_ssh_pass`` | no | | Specifies the password that authenticates the connection to the remote device. | | ``ansible_become`` | no | yes, no\* | Instructs the module to enter privileged mode on the remote device before sending any commands; if value is unspecified, the ANSIBLE_BECOME environment variable value is used, and the device attempts to execute all commands in non-privileged mode | | ``ansible_become_method`` | no | enable, sudo\* | Instructs the module to allow the become method to be specified for handling privilege escalation; if value is unspecified, the ANSIBLE_BECOME_METHOD environment variable value is used. | | ``ansible_become_pass`` | no | | Specifies the password to use if required to enter privileged mode on the remote device; if ``ansible_become`` is set to no this key is not applicable. | | ``ansible_network_os`` | yes | os9, null\* | This value is used to load the correct terminal and cliconf plugins to communicate with the remote device. | > **NOTE**: Asterisk (*) denotes the default value if none is specified. Dependencies ------------ The *os9_aaa* role is built on modules included in the core Ansible code. These modules were added in Ansible version 2.2.0. Example playbook ---------------- This example uses the *os9_aaa* role to configure AAA for radius and TACACS servers. It creates a *hosts* file with the switch details and corresponding variables. The hosts file should define the *ansible_network_os* variable with the corresponding Dell EMC Networking OS name. When *os9_cfg_generate* is set to true, the variable generates the configuration commands as a .part file in the *build_dir* path. By default, it is set to false and it writes a simple playbook that only references the *os9_aaa* role. **Sample hosts file** leaf1 ansible_host= **Sample host_vars/leaf1** hostname: leaf1 ansible_become: yes ansible_become_method: xxxxx ansible_become_pass: xxxxx ansible_ssh_user: xxxxx ansible_ssh_pass: xxxxx ansible_network_os: dellemc.os9.os9 build_dir: ../temp/os9 os9_aaa: radius_server: key: radius retransmit: 5 timeout: 40 deadtime: 2300 group: - name: RADIUS host: - ip: 2001:4898:f0:f09b::1002 key: 0 key_string: aaaa retransmit: 5 auth_port: 3 timeout: 2 state: present vrf: vrf_name: test source_intf: fortyGigE 1/2 state: absent state: present host: - ip: 2001:4898:f0:f09b::1002 key: xxx retransmit: 5 auth_port: 3 timeout: 2 state: present tacacs_server: key: 7 key_string: 9ea8ec421c2e2e5bec757f44205015f6d81e83a4f0aa52fa group: - name: TACACS host: - ip: 2001:4898:f0:f09b::1000 key: 0 key_string: aaa retransmit: 6 auth_port: 3 timeout: 2 state: present vrf: vrf_name: tes source_intf: fortyGigE 1/3 state: present state: present host: - ip: 2001:4898:f0:f09b::1000 key: 0 key_string: aa retransmit: 5 auth_port: 3 timeout: 2 state: present aaa_accounting: commands: - enable_level: 2 accounting_list_name: aa record_option: start-stop state: present - role_name: netadmin accounting_list_name: aa no_accounting: none suppress: True exec: - accounting_list_name: aaa no_accounting: true state: present dot1x: none rest: none aaa_authorization: commands: - enable_level: 2 authorization_list_name: aa use_data: local state: present - role_name: netadmin authorization_list_name: aa authorization_method: none use_data: local config_commands: True role_only: exec: - authorization_list_name: aaa authorization_method: if-authenticated use_data: local state: present aaa_authentication: auth_list: - name: default login_or_enable: login server: radius use_password: local state: present - name: console server: tacacs+ login_or_enable: login use_password: local aaa_radius: group: RADIUS auth_method: pap aaa_tacacs: group: TACACS line_terminal: vty 0: authorization: commands: - enable_level: 2 authorization_list_name: aa state: present - role_name: netadmin authorization_list_name: aa state: present exec: - authorization_list_name: aa state: present accounting: commands: - enable_level: 2 accounting_list_name: aa state: present - role_name: netadmin accounting_list_name: aa state: absent exec: accounting_list_name: aa state: present authentication: enable: login: console **Simple playbook to setup system - leaf.yaml** - hosts: leaf1 roles: - dellemc.os9.os9_aaa **Run** ansible-playbook -i hosts leaf.yaml (c) 2017-2020 Dell Inc. or its subsidiaries. All Rights Reserved.