Sprintwave Blog

Insights, updates, and technical deep-dives from the Sprintwave team.

Welcome to the Sprintwave Blog

Posted July 2025 • by Sprintwave Team

This is where we’ll share news, technical guides, and stories from our work in network automation, wireless, and security. Stay tuned for regular updates!

🔐 Preventing AD Lockouts When Automating Aruba Devices with Ansible

Posted August 2025 • by Sprintwave Team

When you're automating configuration backups or deployments across Aruba switches using Ansible, there's a real risk of getting your AD account locked out—especially if multiple SSH sessions fail or time out simultaneously. We hit this exact issue when a few unreachable devices caused a cascade of authentication failures.

The most common cause? Parallel sessions trying to authenticate at once, often against AOS devices that require an enable password or have strict SSH key exchange settings.

Key Fixes
  • Limit concurrency using forks: -f 2
  • Set connection timeouts and retries conservatively
  • Use ignore_errors: yes on fail-prone tasks
  • Split AOS switches into separate inventory groups for fine-tuned control

Example 1: Run your playbook with 2 concurrent forks

ansible-playbook backup.yml -i inventory.yaml -f 2

Example 2: Inventory group for AOS switches

all:
  children:
    aruba_aos:
      hosts:
        switch01:
        switch02:
        switch03:
      vars:
        ansible_network_os: arubanetworks.aos_switch.aos
        ansible_connection: network_cli
        ansible_user: ""
        ansible_password: ""
        ansible_become: true
        ansible_become_method: enable
        ansible_become_password: ""
        ansible_ssh_common_args: '-o KexAlgorithms=+diffie-hellman-group14-sha1'

Example 3: Graceful error handling in the playbook

- name: Backup running config
  hosts: aruba_aos
  gather_facts: no

  tasks:
    - name: Get running config
      arubanetworks.aos_switch.aos_command:
        commands: show running-config
      register: output
      # Let unreachable or slow switches fail without aborting the whole run
      ignore_errors: yes

    - name: Save config to file
      copy:
        content: "{{ output.stdout[0] }}"
        # One file per switch, named after its inventory host
        dest: "backups/{{ inventory_hostname }}.txt"
      # Skip hosts whose command task failed (no stdout was captured)
      when: output.stdout is defined

With these steps in place, our backups completed without triggering any AD lockouts, even when some switches timed out or had outdated SSH settings. We could re-run the playbook safely without re-auth failures.

Pro tip: Aruba AOS devices often require an enable password even for read-only commands. Make sure it's set correctly in your inventory or vault.
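
Here is an added example (not code from the original post) that fills in the second bullet above, conservative timeouts and retries, and adds one more lockout guard: a credential-free TCP check on port 22 before any SSH authentication is attempted, so an unreachable switch never consumes an AD authentication. The group, module name and file name are the ones used in the post; `ansible_connect_timeout`, `ansible_command_timeout` and `ansible_network_cli_retries` are the inventory-variable forms of the network_cli connection options, and `serial: 2` bakes the concurrency limit into the playbook so a forgotten `-f 2` cannot undo it.

```yaml
# backup.yml (added example; not the post's own playbook)
- name: Backup running config without cascading AD authentication failures
  hosts: aruba_aos
  gather_facts: no
  serial: 2                 # at most two switches, hence two AD logins, in flight at once
  vars:
    ansible_connect_timeout: 20       # seconds to establish the SSH session
    ansible_command_timeout: 60       # seconds to wait for 'show running-config'
    ansible_network_cli_retries: 1    # default is 3; every retry is another AD auth attempt

  tasks:
    - name: "Pre-flight: confirm TCP/22 answers before any credential is sent"
      ansible.builtin.wait_for:
        # hostvars[...] keeps the switch's own address even though the task is delegated
        host: "{{ hostvars[inventory_hostname]['ansible_host'] | default(inventory_hostname) }}"
        port: 22
        timeout: 5
      delegate_to: localhost
      register: reach
      ignore_errors: yes

    - name: Get running config
      arubanetworks.aos_switch.aos_command:
        commands: show running-config
      register: output
      # Only switches that passed the reachability check get an authentication attempt
      when: reach is succeeded
      ignore_errors: yes

    - name: Save config to file
      ansible.builtin.copy:
        content: "{{ output.stdout[0] }}"
        dest: "backups/{{ inventory_hostname }}.txt"
      when: output.stdout is defined
```

Because `wait_for` is delegated to the controller, an unreachable device costs a five-second socket timeout and nothing else; the SSH login, and with it the AD authentication, only happens for switches that answered.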

#Ansible #ArubaAOS #NetworkAutomation #ADLockout #SecureAutomation #AOSBackups #InfrastructureAsCode

💾 Backing Up Aruba CX and AOS Switch Configurations with Ansible

Posted August 2025 • by Sprintwave Team

Managing backups across mixed Aruba environments? Whether you're running the modern Aruba CX (AOS-CX) or older AOS switches, Ansible provides a flexible way to automate configuration snapshots—without logging into each device manually.

Goal
Connect to both Aruba CX and legacy AOS switches via SSH and back up their current configurations to structured text files.

📁 Step 1: Use a Structured Inventory

Create an inventory.ini with groupings for each platform:

[aruba_cx]
cx-switch-1
cx-switch-2

[aruba_aos]
aos-switch-1
aos-switch-2

[aruba_cx:vars]
ansible_connection=network_cli
ansible_network_os=arubanetworks.aoscx.aoscx
ansible_user={{ vault_username }}
ansible_password={{ vault_password }}

[aruba_aos:vars]
ansible_connection=network_cli
ansible_network_os=arubanetworks.aos_switch.aos
ansible_user={{ vault_username }}
ansible_password={{ vault_password }}
ansible_become=yes
ansible_become_method=enable
ansible_become_password={{ vault_enable_password }}
ansible_ssh_common_args='-o KexAlgorithms=+diffie-hellman-group14-sha1'

📝 Step 2: Backup Playbook

This playbook handles both switch types using conditional logic and the appropriate command module:

- name: Backup running configs from Aruba switches
  hosts: aruba_cx:aruba_aos
  gather_facts: no

  tasks:
    - name: Get config from Aruba CX
      when: ansible_network_os == 'arubanetworks.aoscx.aoscx'
      arubanetworks.aoscx.aoscx_command:
        commands: show running-config
      register: cx_output

    - name: Get config from Aruba AOS
      # Compare the full value: a substring test for 'aos' would also match 'aoscx'
      when: ansible_network_os == 'arubanetworks.aos_switch.aos'
      arubanetworks.aos_switch.aos_command:
        commands: show running-config
      register: aos_output

    - name: Save config to file (CX)
      # A skipped task still registers its variable, so test for captured output
      when: cx_output.stdout is defined
      copy:
        content: "{{ cx_output.stdout[0] }}"
        dest: "./backups/{{ inventory_hostname }}.txt"

    - name: Save config to file (AOS)
      when: aos_output.stdout is defined
      copy:
        content: "{{ aos_output.stdout[0] }}"
        dest: "./backups/{{ inventory_hostname }}.txt"

▶️ Step 3: Run the Backup

Run the playbook while limiting concurrency to avoid AD lockouts:

ansible-playbook backup.yml -i inventory.ini -f 2

🔐 Step 4: Secure Credentials with Vault

Store your login details safely with ansible-vault. Create vault.yml:

vault_username: netadmin
vault_password: SuperSecurePassword
vault_enable_password: EnablePasswordIfNeeded

Then reference it in the playbook via:

vars_files:
  - group_vars/aruba_aos/vault.yml
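
A running-config is itself sensitive: it carries local password hashes, SNMP community strings and RADIUS shared secrets. The following added example (not code from the original post) shows one way to handle that: the vault file moves to group_vars/all so the `{{ vault_username }}` references in both inventory groups resolve without a vars_files entry, the tasks that touch the config or the credentials run with `no_log`, and the backup files are written with owner-only permissions. It also swaps the two per-platform command modules for `ansible.netcommon.cli_command`, which sends a command through whatever cliconf plugin the host's `ansible_network_os` selects, so a single task covers CX and AOS; the vault variable names are the post's, the backup directory layout is an assumption.

```yaml
# group_vars/all/vault.yml  (encrypted with ansible-vault; variable names from the post)
# vault_username: netadmin
# vault_password: SuperSecurePassword
# vault_enable_password: EnablePasswordIfNeeded

# backup.yml (added example; not the post's own playbook)
- name: Backup Aruba configs with secrets kept out of logs and world-readable files
  hosts: aruba_cx:aruba_aos
  gather_facts: no
  vars:
    # One dated directory per run, e.g. ./backups/20250815 (assumed layout)
    backup_dir: "./backups/{{ lookup('pipe', 'date +%Y%m%d') }}"

  tasks:
    - name: Create a backup directory only the automation user can read
      ansible.builtin.file:
        path: "{{ backup_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      run_once: true

    - name: Get running config (platform-independent via the host's cliconf plugin)
      ansible.netcommon.cli_command:
        command: show running-config
      register: cfg
      # The config contains password hashes and shared secrets: keep it out of the log
      no_log: true

    - name: Save config with owner-only permissions
      ansible.builtin.copy:
        content: "{{ cfg.stdout }}"
        dest: "{{ backup_dir }}/{{ inventory_hostname }}.cfg"
        mode: "0600"
      delegate_to: localhost
      no_log: true
      when: cfg.stdout is defined
```

Note that `cli_command` returns `stdout` as a string rather than a list, which is why the copy task uses `cfg.stdout` instead of `cfg.stdout[0]`. Run it with `--ask-vault-pass` or `--vault-password-file` so the group_vars/all/vault.yml file can be decrypted.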

#ArubaCX #ArubaAOS #AnsibleAutomation #ConfigBackups #AOSCX #ArubaSwitching #InfraOps #NetworkAutomation

🔍 Why Your 100G Single Mode Optic Isn’t Working in Port 1/1/49 on the Aruba 8360 Switch

Posted July 2025 • by Sprintwave Team

If you're deploying 100G optics on the Aruba 8360 (JL720C) switch, here's a critical detail that might save you hours of troubleshooting.

Recently, I encountered an issue where a 100G FR1 single mode transceiver failed to initialize in port 1/1/49. After reviewing the hardware guide, I discovered that in power-to-port airflow configurations, Aruba only supports ER4L and FR1 transceivers in ports 1/1/50 and 1/1/52—and only if the ambient temperature is 35°C or lower.

This limitation is due to thermal design constraints, not a faulty optic or misconfiguration.

Key Takeaway
If your 100G single mode optic isn’t working in port 49 on an Aruba 8360 switch, check:
  • Airflow direction (power-to-port vs. port-to-power)
  • Transceiver type (FR1 or ER4L)
  • Ambient temperature (must be ≤ 35°C)
  • Supported ports (use ports 50 or 52 for these optics)

As 100G optics become more common in modern data center networks, it’s crucial to align your thermal and airflow planning with hardware design limits.

Pro tip: Always consult the Aruba Transceiver Guide or Hardware Installation Guide when deploying high-speed optics.

#Aruba8360 #100G #SingleMode #FR1 #DataCenterNetworking #ArubaSwitching #Port1/1/49 #NetworkEngineering

How to Authenticate and Query Aruba ClearPass API for Static Host Lists

Posted July 2025 • by Sprintwave Team

Working with the Aruba ClearPass REST API can be powerful, but there are a few unintuitive steps to get started. Here’s how to authenticate and pull static host list data using Postman.

Step-by-Step Guide
  1. Login to the ClearPass Policy Manager GUI.
  2. In the top right, click Guest to switch to the guest interface.
  3. Navigate to Administration → API Services → API Clients.
  4. Create a new API Client with appropriate scopes and token lifetime.
  5. Click the client and choose Generate Access Token. Copy the token.
  6. Open Postman and set the request URL to: https://<your-clearpass-url>/api/static-host-list.
  7. In Postman, use the Bearer Token authentication type and paste the copied token.
  8. Send the request to receive a list of static host entries in JSON format.

Sample JSON Response
{
  "_embedded": {
    "items": [
      {
        "id": 3001,
        "name": "Test-Test",
        "host_entries": [
          {
            "host_address": "00-00-AA-22-33-44",
            "host_address_desc": "Test-44"
          }
        ]
      },
      {
        "id": 3002,
        "name": "sprintwave VLAN 20",
        "host_entries": [
          {
            "host_address": "66-55-44-33-22-11",
            "host_address_desc": "Device1234"
          }
        ]
      }
    ]
  }
}

This API call is especially useful for inventorying or validating MAC address-based static host groups within your ClearPass environment.

Pro tip: You can also browse all available API endpoints using the ClearPass API Explorer at: https://<your-clearpass-url>/api-docs.
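
The same request, automated: this is an added example (not code from the original post) that performs the Postman call from an Ansible play, flattens every list into one entry per device for inventorying, and fails the run if any `host_address` is not a well-formed MAC address, which is the validation use case described above. The `<your-clearpass-url>` placeholder is the post's; `vault_clearpass_token` (the token generated in step 5, stored in ansible-vault) and the dash-separated MAC pattern, matching the format the sample response shows, are assumptions.

```yaml
# clearpass_static_hosts.yml (added example; not the post's own code)
- name: Inventory and validate ClearPass static host lists
  hosts: localhost
  gather_facts: no
  vars:
    clearpass_url: "https://<your-clearpass-url>"              # placeholder from the post
    mac_pattern: '^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$'       # dash-separated form as in the sample JSON

  tasks:
    - name: GET /api/static-host-list with the bearer token from step 5
      ansible.builtin.uri:
        url: "{{ clearpass_url }}/api/static-host-list"
        method: GET
        headers:
          Authorization: "Bearer {{ vault_clearpass_token }}"   # assumed vault variable
          Accept: application/json
        return_content: yes
        validate_certs: yes      # the token is a bearer credential; keep TLS verification on
      register: shl
      no_log: true               # the request headers carry the token

    - name: Flatten into one (list, host entry) pair per device
      ansible.builtin.set_fact:
        # ['items'] rather than .items: the attribute form would hit the dict method
        entries: "{{ shl.json['_embedded']['items'] | subelements('host_entries') }}"

    - name: Report each entry
      ansible.builtin.debug:
        msg: "{{ item.0.name }}: {{ item.1.host_address }} ({{ item.1.host_address_desc }})"
      loop: "{{ entries }}"
      loop_control:
        label: "{{ item.1.host_address }}"

    - name: Fail on any entry that is not a well-formed MAC address
      ansible.builtin.assert:
        that: item.1.host_address is match(mac_pattern)
        fail_msg: "List '{{ item.0.name }}' has malformed entry {{ item.1.host_address }}"
      loop: "{{ entries }}"
      loop_control:
        label: "{{ item.1.host_address }}"
```

Against the sample response above, the flatten step yields two pairs (Test-Test / 00-00-AA-22-33-44 and sprintwave VLAN 20 / 66-55-44-33-22-11) and both pass the MAC check.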

#ClearPass #ArubaNetworks #NetworkAutomation #API #Postman #StaticHostList #NetworkSecurity

Cisco ISE vs. Aruba ClearPass: Network Access Control Architecture Compared

Posted July 2025 • by Sprintwave Team

Cisco ISE (Identity Services Engine) and Aruba ClearPass (ClearPass Policy Manager or CPPM) are two of the most widely adopted solutions for network access control (NAC). Both platforms offer centralized policy enforcement, secure access, and compliance controls—but differ slightly in how they’re architected and deployed.

Deployment Options

Both Cisco ISE and Aruba ClearPass support flexible deployment models, including virtual appliances, physical hardware, and cloud-based instances. Regardless of the deployment type, each server is called a node. This allows organizations to scale and deploy based on their infrastructure strategy.

Cluster Architecture

A typical NAC deployment involves multiple nodes forming a cluster. These clusters can range from small (2 nodes) to large-scale (up to 50+ nodes), depending on network size.

RADIUS Request Handling

Both platforms are RADIUS-based and capable of handling authentication and authorization efficiently—but with different terminologies:

Conclusion

While both Cisco ISE and Aruba ClearPass offer enterprise-grade NAC features, the differences in architecture and terminology are worth noting. Both systems are scalable, secure, and proven in real-world deployments. The choice between them often comes down to vendor alignment, feature needs, and environment compatibility.

#CiscoISE #ArubaClearPass #NAC #NetworkSecurity #ZeroTrust #RADIUS #NetworkArchitecture

EnOcean Dongle Issues with Cisco Catalyst 9800 and APs

Posted June 2024 • by Joey Scott

If you're working with **EnOcean USB dongles** and **Cisco Catalyst 9800 wireless controllers**, here’s something important we discovered during deployment—especially for Catalyst 9166 APs running version 17.9.5.

What Is EnOcean?

EnOcean produces wireless IoT dongles that plug directly into access points and communicate with smart devices (e.g., power clamps) using the 868 MHz band (in the UK). This frequency is **non-interfering with Wi-Fi**, making EnOcean a good fit for enterprise IoT environments.

How It Works with Cisco APs

A lightweight Docker container runs on the AP to interface with the EnOcean dongle, forwarding data to a cloud or on-prem EnOcean connector. This container can be deployed manually or via **Cisco DNA Center (DNAC)**.

The Problem with Version 17.9.5

On version 17.9.5 (gold standard at time of writing), EnOcean dongles are **not detected properly** on Catalyst 9166 APs. Attempts to deploy the Docker container using DNAC result in:

ERR_AH_-1043 – Requested USB device not found on the AP

The same error appears when attempting CLI-based deployment.

Initial Troubleshooting

Initially, the issue appeared to be an unsupported USB device type (VID/PID/VER 403/6015/1000): the dongle was not visible via show usb list. With assistance from EnOcean, we loaded the USB module manually:

test usb load module ftdi-sio vendor-id 403 product-id 6015 version 1000
test usb disable
test usb enable

After this, the dongle appeared in the USB list, but deploying the application still failed with the same error.

The Fix

Upgrading the controller and AP firmware to version 17.12.4 resolved the issue. After the upgrade, the application installed successfully and the dongle functioned as expected.

#Cisco9800 #Catalyst9166 #EnOcean #DNAC #IoT #USB #Docker #CiscoWLC #WirelessTroubleshooting