Failed to SSH to Cisco SMB SG-350 switches using Ansible

ddd5
Level 1

Hello,

I'm trying to use Ansible to configure Cisco SMB SG-350 switches, but it's failing to SSH when trying to gather facts. The error message that appears is:

fatal: [10.75.2.2]: FAILED! => {"changed": false, "msg": "Failed to authenticate: ('Bad authentication type', ['']) (allowed_types=[''])"}

[hesham.samir@ncm1 u000]$ ansible-playbook -i routers_switches gather_facts_switches.yml

PLAY [Gather Facts] ****************************************************************************************************************************************************************************************

TASK [CiscoSMB - Gather Facts - subset default] ************************************************************************************************************************************************************
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
fatal: [10.75.2.2]: FAILED! => {"changed": false, "msg": "Failed to authenticate: ('Bad authentication type', ['']) (allowed_types=[''])"}
fatal: [10.69.13.2]: FAILED! => {"changed": false, "msg": "Failed to authenticate: ('Bad authentication type', ['']) (allowed_types=[''])"}

I can SSH directly to the switches with no issues. Did anyone see this issue before?

Thanks in advance for help.

Regards,

6 Replies

balaji.bandi
Hall of Fame

Post the YML file.

BB


ddd5
Level 1

Below is the playbook YML file.

I'm using ansible_network_os: qaxi.ciscosmb.ciscosmb in the host file.


- name: Gather Facts
  gather_facts: no
  hosts: switches
  vars:
    configs_dir: configs

  tasks:
    ###
    # Collect data
    ###
    - name: CiscoSMB - Gather Facts - subset default
      qaxi.ciscosmb.ciscosmb_facts:
        gather_subset:
          - default
      # when: ansible_network_os == 'qaxi.ciscosmb.ciscosmb'

    - name: CiscoSMB - Gather Facts - subset config
      qaxi.ciscosmb.ciscosmb_facts:
        gather_subset:
          - config
      # when: ansible_network_os == 'qaxi.ciscosmb.ciscosmb'

    - name: Create configuration directory
      local_action: file path={{ configs_dir }} state=directory
      run_once: true
      check_mode: no
      changed_when: no

    - name: Save running config
      local_action: copy content={{ ansible_net_config }} dest={{ configs_dir }}/{{ inventory_hostname }}_net_config

Aleksandra Dargiel
Cisco Employee

Please try to enable password authentication on the switch:

Security > SSH server > SSH user authentication >


ddd5
Level 1

Hi Aleksandra,

Thanks for your reply. In fact, the GUI is disabled, but SSH is enabled on the switch. Also, I can SSH directly from the Ansible server, but the Ansible playbook cannot. Below is the output from direct SSH.

[root@srv1]$ ssh user1@10.69.13.2


*********************************************************************
This node is property of
Unauthorized Access Prohibited. Access will be monitored
*********************************************************************

 

User Name:user1
Password:*************


S01#sh management access-class
Management access-class is enabled, using access-list MGMT

S01#sh management access-list

MGMT
----
permit ip-source 10.0.125.0 mask 255.255.255.0 service ssh
permit ip-source 10.69.13.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.211.16 mask 255.255.255.240 service ssh
permit ip-source 10.172.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.211.16 mask 255.255.255.240 service telnet
permit ip-source 10.172.1.0 mask 255.255.255.0 service telnet
permit ip-source 10.0.125.0 mask 255.255.255.0 service telnet
! (Note: all other access implicitly denied)

console-only
------------
deny
! (Note: all other access implicitly denied)


Thanks,

Aleksandra Dargiel
Cisco Employee

I see... and is it working when there is no MGMT ACL?
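
Added example, not part of the original thread and not code from the qaxi.ciscosmb collection: a quick offline check of whether a given source address is allowed by the MGMT access-list shown above, which is one way to rule the ACL in or out before removing it. The function names and the two sample source addresses are hypothetical, and first-match rule evaluation is an assumption.

```python
import ipaddress

# ACL lines copied from the `sh management access-list` output posted above.
MGMT_ACL = """\
permit ip-source 10.0.125.0 mask 255.255.255.0 service ssh
permit ip-source 10.69.13.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.211.16 mask 255.255.255.240 service ssh
permit ip-source 10.172.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.211.16 mask 255.255.255.240 service telnet
permit ip-source 10.172.1.0 mask 255.255.255.0 service telnet
permit ip-source 10.0.125.0 mask 255.255.255.0 service telnet
"""


def parse_acl(text):
    """Return (action, network, service) tuples for each recognised ACL line."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        # Shape: <permit|deny> ip-source <addr> mask <mask> service <name>
        if (len(tok) == 7 and tok[0] in ("permit", "deny")
                and tok[1] == "ip-source" and tok[3] == "mask"
                and tok[5] == "service"):
            net = ipaddress.ip_network(f"{tok[2]}/{tok[4]}", strict=False)
            rules.append((tok[0], net, tok[6]))
    return rules


def is_permitted(rules, source_ip, service):
    """Assumed first-match semantics; unmatched traffic is implicitly denied."""
    addr = ipaddress.ip_address(source_ip)
    for action, net, svc in rules:
        if svc == service and addr in net:
            return action == "permit"
    return False


def telnet_sources(rules):
    """Networks allowed to reach the cleartext telnet service (audit helper)."""
    return sorted(str(n) for a, n, s in rules if a == "permit" and s == "telnet")


if __name__ == "__main__":
    rules = parse_acl(MGMT_ACL)
    # Constructed sample addresses standing in for an Ansible control node.
    for src in ("10.69.13.50", "10.75.2.10"):
        print(src, "ssh permitted:", is_permitted(rules, src, "ssh"))
    print("telnet allowed from:", telnet_sources(rules))
```
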

ddd5
Level 1

Hi Aleksandra .. good point.

I tried removing the MGMT ACL, but it gave me the same results.

However, I found something interesting: when I try to SSH directly to the switch, it gives a prompt to enter my username again (although I already entered it in the SSH command). I suspect this may cause some problems with Ansible not being able to log in to the switch.

If I tried to enable password-auth on the switch (ip ssh password-auth command), would this solve the problem and cause the switch to prompt only for the password?

Thanks & Regards,