Define 'mfa' model for the Dell Enterprise SONiC collection #293
Open
wants to merge 7 commits into
base: master
52 changes: 52 additions & 0 deletions models/enterprise_sonic/mfa/deleted_example_01.txt
@@ -0,0 +1,52 @@
# Using deleted
#
# Before state:
# -------------
#
# sonic# show running-configuration mfa
# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted
# mfa security-profile mSecurityProfile
# mfa rsa-server security-profile rSecProfile
# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149
#
# sonic# show running-configuration | grep "cac-piv"
# aaa cac-piv cert-user common-name
# aaa cac-piv cert-user-match 10digit-username
# aaa cac-piv security-profile cSecurityProfile
# sonic#


- name: Delete specified mfa configuration
dellemc.enterprise_sonic.sonic_mfa:
config:
mfa_global:
key_seed: 'U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg='
key_seed_encrypted: true
client_secret: 'U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0'
client_secret_encrypted: true
rsa_global:
security_profile: 'rSecProfile'
rsa_servers:
hostname: 'rsaserver.che-lab.it'
server_port: 1030
client_id: 'sonicdevtest.che-lab.it'
client_key: 'U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot'
client_key_encrypted: true
connection_timeout: 29
read_timeout: 149
cac_piv_global:
security_profile: 'cSecurityProfile'
cert_username_field: 'common-name'
state: deleted


# After state:
# ------------
#
# sonic# show running-configuration mfa
# mfa security-profile mSecurityProfile
#
# sonic# show running-configuration | grep "cac-piv"
# aaa cac-piv cert-user-match 10digit-username
# sonic#
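Review bot: `rsa_servers` is written in this task as a plain mapping (`hostname:` sits directly under `rsa_servers:`), but sonic_mfa.yml in this same PR declares it `type: list` with `elements: dict`, so the example as shown would fail argument-spec validation; make it a list item (`- hostname: 'rsaserver.che-lab.it'`) the way replaced_example_01 already does. It would also help to say in the header comment that a targeted delete of `key_seed`, `client_secret` or `client_key` is done by passing the ciphertext shown in the running-config together with `*_encrypted: true`, which is what this example does; the option docs say a plain-text value is re-encrypted on store, so a plain-text value is not expected to match the stored one.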
33 changes: 33 additions & 0 deletions models/enterprise_sonic/mfa/deleted_example_02.txt
@@ -0,0 +1,33 @@
# Using deleted
#
# Before state:
# -------------
#
# sonic# show running-configuration mfa
# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted
# mfa security-profile mSecurityProfile
# mfa rsa-server security-profile rSecProfile
# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149
#
# sonic# show running-configuration | grep "cac-piv"
# aaa cac-piv cert-user common-name
# aaa cac-piv cert-user-match 10digit-username
# aaa cac-piv security-profile cSecurityProfile
# sonic#


- name: Delete all mfa configurations
dellemc.enterprise_sonic.sonic_mfa:
config:
state: deleted


# After state:
# ------------
#
# sonic# show running-configuration mfa
# sonic#
#
# sonic# show running-configuration | grep "cac-piv"
# sonic#
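Review bot: an empty `config:` with `state: deleted` removes every MFA, RSA-server and CAC-PIV setting, including the key-seed, client-secret and all three security profiles, as the after state shows, but neither this example nor the `deleted` choice description in sonic_mfa.yml says that supplying no sub-options means "delete all". Add a line to the header (e.g. `# Deleting with an empty config removes all MFA, RSA-server and CAC-PIV configuration`) and the same sentence to the state description, so a task with an accidentally empty `config` does not silently strip the device's MFA setup. The before-state block is a verbatim copy of the one in deleted_example_01; fine for generated docs, but the two could share it.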
52 changes: 52 additions & 0 deletions models/enterprise_sonic/mfa/merged_example_01.txt
@@ -0,0 +1,52 @@
# Using merged
#
# Before State:
# -------------
#
# sonic# show running-configuration mfa
# sonic#
#
# sonic# show running-configuration | grep "cac-piv"
# sonic#


- name: Merge provided MFA configurations
dellemc.enterprise_sonic.sonic_mfa:
config:
mfa_global:
security_profile: 'mSecurityProfile'
key_seed: 'sonic'
key_seed_encrypted: true
client_secret: 'U2FsdGVkX18mPdwkM1z24i7lxMtqNZR9p2q3aa6YXR16OfDxQXCR9z9I0lQZpVjE!'
client_secret_encrypted: true
rsa_global:
security_profile: 'rSecProfile'
rsa_servers:
hostname: 'rsaserver.che-lab.it'
server_port: 1030
client_id: 'sonicdevtest.che-lab.it'
client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8'
client_key_encrypted: true
connection_timeout: 29
read_timeout: 149
cac_piv_global:
security_profile: 'cSecurityProfile'
cert_username_field: 'user-principal-name'
cert_username_match: '10digit-username'
state: merged


# After State:
# ------------
#
# sonic# show running-configuration mfa
# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted
# mfa security-profile mSecurityProfile
# mfa rsa-server security-profile rSecProfile
# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149
#
# sonic# show running-configuration | grep "cac-piv"
# aaa cac-piv cert-user user-principal-name
# aaa cac-piv cert-user-match 10digit-username
# aaa cac-piv security-profile cSecurityProfile
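Review bot: the `*_encrypted: true` flags contradict the values they describe. `key_seed: 'sonic'` and `client_key: 'aplr05825...'` are plain-text strings, and `client_secret` ends in `!`, which is not valid base64, yet all three are flagged as already encrypted; the after state then shows the device's own `U2FsdGVkX1...` ciphertexts rather than the strings that were supplied. Either set `key_seed_encrypted`, `client_secret_encrypted` and `client_key_encrypted` to `false` here and note, as the option docs already do, that the task will then always report `changed=true`, or supply the encrypted strings from the after state as input. Same list-vs-mapping problem as deleted_example_01: `rsa_servers` needs a `- ` list item to satisfy `type: list`.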
32 changes: 32 additions & 0 deletions models/enterprise_sonic/mfa/overridden_example_01.txt
@@ -0,0 +1,32 @@
# Using overridden
#
# Before state:
# -------------
#
# sonic# show running-configuration mfa
# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted
# mfa security-profile mSecurityProfile
# mfa rsa-server security-profile rSecProfile
# mfa rsa-server host sonicrsaserver.che-lab.it port 1030 client-id sonic.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149
#
# sonic# show running-configuration | grep "cac-piv"
# aaa cac-piv cert-user user-principal-name
# aaa cac-piv cert-user-match 10digit-username
# aaa cac-piv security-profile cSecurityProfile


- name: Override device configuration of mfa with provided configuration
dellemc.enterprise_sonic.sonic_mfa:
config:
cac_piv_global:
cert_username_match: 'first-name'
state: overridden


# After state:
# ------------
#
# sonic# show running-configuration | grep "cac-piv"
# aaa cac-piv cert-user-match first-name
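Review bot: the after state shows only the `grep "cac-piv"` output; add the `show running-configuration mfa` output as well (presumably empty), because the point of `overridden` with only `cac_piv_global` supplied is that the key-seed, client-secret, both security profiles and the rsa-server entry are removed, and the reader cannot confirm that from the cac-piv lines alone. A one-line warning in the header that a partial config under `overridden` removes the MFA secrets and the RSA server, not just the cac-piv settings, would save someone from running this against a production switch expecting a merge.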

30 changes: 30 additions & 0 deletions models/enterprise_sonic/mfa/replaced_example_01.txt
@@ -0,0 +1,30 @@
# Using replaced
#
# Before state:
# -------------
#
# sonic# show running-configuration mfa
# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1+xnsxfUrqCvBQg0KkPUm11R8Vpn2cXLHCWzL59k3Jm4/OrRiMOemPJccnEa8sMuynOAaySpHkaMOePtpedW0aApp+qicIF2Hz32LR4vB07b7OSx7OaEZBj encrypted connection-timeout 16 read-timeout 129


- name: Replace specified mfa rsa-server configuration
dellemc.enterprise_sonic.sonic_mfa:
config:
rsa_servers:
- hostname: 'rsaserver.che-lab.it'
server_port: 1050
client_id: 'sonicdevtest.che-lab.it'
client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8'
client_key_encrypted: true
connection_timeout: 29
read_timeout: 149
state: replaced


# After state:
# ------------
#
# sonic# show running-configuration mfa
# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
# mfa rsa-server host rsaserver.che-lab.it port 1050 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1/b1Tjka6pWv1BjwGd1I8cfjXxBIIJ6ZK/JaZpGgPbNAnw6WmdstRWJz49A+bymj6gJfkGjbzlWQhGCGi4VofPStOdNktqDcIyk33AaDkO+awkzyi7HRxcB encrypted connection-timeout 29 read-timeout 149
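Review bot: same ciphertext mismatch as merged_example_01: `client_key` is the plain-text `aplr05825...` string but `client_key_encrypted: true`, and the after state shows a new `U2FsdGVkX1/b1Tjka...` ciphertext that differs from both the input and the before-state value. Set the flag to `false` (the option docs already warn this costs idempotency) or pass the encrypted form. This is also the only example that exercises `replaced` on a server entry, so a sentence in the header saying that the entry is matched by `hostname` and its port and timeouts are rewritten (1030 to 1050, connection-timeout 16 to 29, read-timeout 129 to 149) while `mfa key-seed` is left untouched would make the semantics explicit.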
157 changes: 157 additions & 0 deletions models/enterprise_sonic/mfa/sonic_mfa.yml
@@ -0,0 +1,157 @@
---
GENERATOR_VERSION: '1.0'

ANSIBLE_METADATA: |
{
'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community',
'license': 'Apache 2.0'
}
NETWORK_OS: sonic
RESOURCE: mfa
COPYRIGHT: Copyright 2025 Dell Inc. or its subsidiaries. All Rights Reserved

DOCUMENTATION: |
module: sonic_mfa
version_added: ''
short_description: Manage Multi-factor authentication (MFA) configurations on SONiC.
description:
- This module provides configuration management of MFA
parameters for devices running SONiC.
- Pre-configured host cert is required for MFA security profile, and
ca-cert for RSA/CAC-PIV security profiles.
author: 'Divya Narendran (@Divya-N3)'
options:
config:
description:
- Specifies MFA configurations.
type: dict
suboptions:
mfa_global:
description:
- MFA Global configuration.
type: dict
suboptions:
key_seed:
description:
- Seed for generating secure key in MFA service.
- Plain text seed i.e. I(key_seed_encrypted=false) will be stored in encrypted format in
running-config, so idempotency will not be maintained and hence the task output will
always be I(changed=true).
type: str
key_seed_encrypted:
description:
- Indicates whether I(key_seed) is plain text or encrypted.
type: bool
security_profile:
description:
- Security profile contains the certificate for MFA service.
type: str
client_secret:
description:
- Password used in basic authorization header for MFA REST API.
- Plain text password i.e. I(client_secret_encrypted=false) will be stored in encrypted
format in running-config, so idempotency will not be maintained and hence the task
output will always be I(changed=true).
type: str
client_secret_encrypted:
description:
- Indicates whether I(client_secret) is plain text or encrypted.
type: bool
rsa_global:
description:
- RSA Global configuration.
type: dict
suboptions:
security_profile:
description:
- Security profile with CA-cert for validating RSA SecurID server.
type: str
rsa_servers:
description:
- RSA Server configuration.
type: list
elements: dict
suboptions:
hostname:
description:
- RSA server's hostname or IP address.
type: str
required: True
server_port:
description:
- Port number of the RSA SecurID server.
- Range 1025-49151.
type: int
client_id:
description:
- Unique identifier of the system as a client of SecurID service, assigned by SecurID service.
type: str
client_key:
description:
- Key associated with the client-id, assigned by SecurID service.
- Plain text key i.e. I(client_key_encrypted=false) will be stored in encrypted format
in running-config, so idempotency will not be maintained and hence the task output
will always be I(changed=true).
type: str
client_key_encrypted:
description:
- Indicates whether I(client_key) is plain text or encrypted.
type: bool
connection_timeout:
description:
- Timeout in seconds for connection to the SecurID server.
- Range 1-30.
type: int
read_timeout:
description:
- Timeout in seconds to read from the SecurID server.
- Range 1-150.
type: int
cac_piv_global:
description:
- CAC-PIV Global configuration.
type: dict
suboptions:
security_profile:
description:
- Security profile for SSH access with CAC-PIV.
type: str
cert_username_field:
description:
- SSH user certificate field for matching with SSH login username.
type: str
choices:
- common-name
- common-name-or-user-principal-name
- user-principal-name
cert_username_match:
description:
- Match option to parse the username from respective certificate field.
type: str
choices:
- 10digit-username
- first-name
- username-as-is
- username-without-domain
state:
description:
- The state of the configuration after module completion.
- C(merged) - Merges provided MFA configuration with on-device configuration.
- C(replaced) - Replaces on-device MFA configuration with provided configuration.
- C(overridden) - Overrides all on-device MFA configurations with the provided configuration.
- C(deleted) - Deletes on-device MFA configuration.
type: str
choices:
- merged
- deleted
- replaced
- overridden
default: merged
EXAMPLES:
- deleted_example_01.txt
- deleted_example_02.txt
- merged_example_01.txt
- replaced_example_01.txt
- overridden_example_01.txt
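Review bot: `key_seed`, `client_secret` and `client_key` are credentials but none of them sets `no_log: true`, so their values (plain text whenever the matching `*_encrypted` flag is false) will show up in `-v` task output, callback plugins and fact caches; add `no_log: true` to those three options (ansible-test's validate-modules `no-log-needed` check flags option names containing `secret`/`key` for exactly this reason). Smaller points in the same block: `version_added: ''` is empty; the three `*_encrypted` booleans have no `default`, so the docs should say whether an omitted flag is treated as plain text; `server_port`, `connection_timeout` and `read_timeout` document ranges (1025-49151, 1-30, 1-150) that the spec does not enforce, so either the module should validate them or the text should say the device rejects out-of-range values; and the `deleted` choice description should state that an empty `config` deletes all MFA, RSA-server and CAC-PIV configuration, which deleted_example_02 relies on.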