CNOS Platform Options

CNOS supports Enable Mode (Privilege Escalation). This page offers details on how to use Enable Mode on CNOS in Ansible.

Connections Available

Protocol SSH

uses SSH keys / SSH-agent if present

accepts -u myuser -k if using password

Indirect Access via a bastion (jump host)
Connection Settings ansible_connection: network_cli
Enable Mode
(Privilege Escalation)
supported: use ansible_become: yes with ansible_become_method: enable and ansible_become_password:
Returned Data Format stdout[0].

For legacy playbooks, CNOS still supports ansible_connection: local. We recommend modernizing to use ansible_connection: network_cli as soon as possible.

Using CLI in Ansible

Example CLI group_vars/cnos.yml

ansible_connection: network_cli
ansible_network_os: cnos
ansible_user: myuser
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
  • If you are using SSH keys (including an ssh-agent) you can remove the ansible_password configuration.
  • If you are accessing your host directly (not through a bastion/jump host) you can remove the ansible_ssh_common_args configuration.
  • If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ProxyCommand directive. To prevent secrets from leaking out (for example in ps output), SSH does not support providing passwords via environment variables.

Example CLI Task

- name: Retrieve CNOS OS version
    commands: show version
  when: ansible_network_os == 'cnos'


Never store passwords in plain text. We recommend using SSH keys to authenticate SSH connections. Ansible supports ssh-agent to manage your SSH keys. If you must use passwords to authenticate SSH connections, we recommend encrypting them with Ansible Vault.