topic Netconf Security in Controllers https://community.cisco.com/t5/controllers/netconf-security/m-p/4093540#M2036 <P>Hi,</P><P>&nbsp;</P><P>Apology for the basic question, I am enabling Netconf on XR &amp; XE platform but <SPAN>I am bit worried about security aspect of the Netconf so trying to </SPAN>grant least privilege access to the client.</P><P>&nbsp;</P><UL><LI>When configuring CoPP on Cisco Device, under control-plane section do I have to allow client to SSH and Netconf both or I can only allow Netconf and it will work?</LI></UL><P>&nbsp;</P><UL><LI>&nbsp;<SPAN>My Netconf user</SPAN> is authenticated / authorised by TACACS so is there anyway to restrict what can User do? for example user should be able to do get and get-config but shouldn't be able to run edit-config, reload chassis, etc..?</LI></UL><P>&nbsp;</P><UL><LI>Is there any way to monitor from XR and XE device what Netconf activity (get, get-config, edit-config, etc..)&nbsp; using SNMP polling (Any OIDs) or Trap or Syslog message to assist in Audit trail?&nbsp;</LI></UL><P>&nbsp;</P><P><SPAN>Any advice is greatly appreciated,</SPAN></P><P><SPAN>Ritesh</SPAN></P> Thu, 28 May 2020 11:55:38 GMT rthakker 2020-05-28T11:55:38Z Netconf Security https://community.cisco.com/t5/controllers/netconf-security/m-p/4093540#M2036 <P>Hi,</P><P>&nbsp;</P><P>Apology for the basic question, I am enabling Netconf on XR &amp; XE platform but <SPAN>I am bit worried about security aspect of the Netconf so trying to </SPAN>grant least privilege access to the client.</P><P>&nbsp;</P><UL><LI>When configuring CoPP on Cisco Device, under control-plane section do I have to allow client to SSH and Netconf both or I can only allow Netconf and it will work?</LI></UL><P>&nbsp;</P><UL><LI>&nbsp;<SPAN>My Netconf user</SPAN> is authenticated / authorised by TACACS so is there anyway to restrict what can User do? for example user should be able to do get and get-config but shouldn't be able to run edit-config, reload chassis, etc..?</LI></UL><P>&nbsp;</P><UL><LI>Is there any way to monitor from XR and XE device what Netconf activity (get, get-config, edit-config, etc..)&nbsp; using SNMP polling (Any OIDs) or Trap or Syslog message to assist in Audit trail?&nbsp;</LI></UL><P>&nbsp;</P><P><SPAN>Any advice is greatly appreciated,</SPAN></P><P><SPAN>Ritesh</SPAN></P> Thu, 28 May 2020 11:55:38 GMT https://community.cisco.com/t5/controllers/netconf-security/m-p/4093540#M2036 rthakker 2020-05-28T11:55:38Z