Managing Password in Configuration Templates

All IAP and switch templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from HPE Aruba Networking Central to the switch does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command.

When configuring a password, you must add the include-credentials command in the template. This command stores the password in the running-config file associated with the switch. HPE Aruba Networking Central automatically executes this command while reading the switch configuration.
For AOS-CX switches, you must configure the password only in plaintext.

Password for Switches

The following format of the passwords can be set on AOS-S series:

password manager plaintext <string> password manager sha1 <string> password manager sha256 <string> password manager user-name <string> plaintext <string> password manager user-name <string> sha1 <string> password manager user-name <string> sha256 <string>

The following format of the passwords can be set on AOS-CX switches:

user admin group administrators password plaintext <string>

Password for APs

The following format of the passwords can be set on the APs:

mgmt-user &lt;STRING:username:User_name&gt; { &lt;STRING:password:Password&gt; } hash-mgmt-user &lt;STRING:username:User_name&gt; password cleartext &lt;STRING:cleartext_password:Password&gt; hash-mgmt-user &lt;STRING:username:User_name&gt; password hash &lt;STRING:hash_password:Password&gt;

Setting Password using Variables

User cannot enter the entire password line in a variable. The following examples show the valid and invalid format for entering password using a variable.

Valid format where the variable contains only the password (for example, %pass_var% = Aruba@123) for the device:

hostname "Aruba-2930M-24G" password manager plaintext "%pass_var%" include-credentials no cwmp enable

Invalid format where the variable contains the password command (for example, %pass_var% = password manager plaintext Aruba@123) for the device:

hostname "Aruba-2930M-24G" %pass_var% include-credentials no cwmp enable