topic Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho in Wireless

NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Scott12 — Mon, 26 Jun 2023 19:59:08 GMT

Hi there,

I am trying to add our WLC 9800 in DNA Center, but for some reason we're the NETCONF isn't working. NETCONF is already configured on the WLC with the SNMP community is fine until here. When I go to the DNA Center and try to validate the credencials I can see this:

CLI (check mark OK)
SNMP (check mark OK)
NETCONF (X in red color)

As I mentioned before, the NETCONF is configured and to be able to access the WLC we use TACACs throughout Cisco ISE, all of our accounts have the 15 priviledge.

I was able to catch this log on the wlc 9800

%5-authentication failed: chassis 1 R0/0: dmiauthd: Authentication failure for netconf over ssh

And below you can find my configuration about AAA authentication.

aaa new-model
aaa group server tacacs+ SRV_Tacacs
server name Serv_Tacacs_172.16.21.11
server name Serv_Tacacs_172.21.11.11
aaa authentication login default local
aaa authentication login Tacacs-authentication group SRV_Tacacs local
aaa authorization exec Tacacs-authorization group SRV_Tacacs if-authenticated
aaa authorization network default local
aaa accounting exec Tacacs_Authorization_Accounting start-stop group SRV_Tacacs
!
!
aaa session-id common
ip http authentication aaa login-authentication Tacacs-authentication
ip http authentication aaa exec-authorization Tacacs-authorization
commands configure include aaa attribute list
commands configure include aaa attribute
commands configure include aaa
commands exec include show aaa local
commands exec include show aaa
wireless aaa policy default-aaa-policy
aaa-override

I am not sure if I have to add or modify something else on ISE side or on the WLC.

Any thought?

Thanks in advance

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Ambuj M — Mon, 26 Jun 2023 20:20:42 GMT

I think NETCONF has limitation where is only works with "default" AAA method lists for login and authorization, make sure you are only using default method list and not others, give it a try. Share result after change.

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Flavio Miranda — Mon, 26 Jun 2023 20:40:12 GMT

https://community.cisco.com/t5/cisco-digital-network-architecture-dna/9800-wlc-netconf-failing-with-dna/td-p/4554567

For first setup, you need to use local auth

aaa authentication login default local

aaa authorization exec default local

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Scott12 — Tue, 27 Jun 2023 16:22:50 GMT

Hi,

Let see if I understood, what I have to do is remove my tacacs configuration and use the local auth, then reconfigure the tacacs authentication, is it?

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Flavio Miranda — Tue, 27 Jun 2023 16:36:07 GMT

Yeah, for discovery use only local. Then, after discovery you can push the proper tacacs config to device during the provisioning

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Scott12 — Tue, 27 Jun 2023 18:47:13 GMT

Ok gotcha, I will go ahead and will modify the tacacs config, I will put the aaa local and finally add again the tacacs config.

I come back tomorrow and I will put it here my inputs.

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

AseebKatteri6492 — Thu, 21 Nov 2024 09:42:57 GMT

Did you fix this issue by adding the local authentication ? could you please update the status here ? I am also facing the same issue

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

shanewatson5091 — Sun, 17 Aug 2025 21:20:38 GMT

As already provided, you can directly go to the :https://community.cisco.com/t5/cisco-catalyst-center/9800-wlc-netconf-failing-with-dna/td-p/4554567 to resolve your issue.

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Jrmonegro — Fri, 29 Nov 2024 14:12:16 GMT

Im facing the same issue as well, and I already did:

add aaa login default local:
aaa authentication login default group ISE-Tacacs+ local
aaa authentication login Tacacs-Auth local group ISE-Tacacs+
aaa authorization exec default group ISE-Tacacs+ local
aaa authorization exec Tacacs-Autho local group ISE-Tacacs+

My vtys line:

line vty 0 4
authorization exec Tacacs-Autho
accounting exec Tacacs-Autho-VTY
logging synchronous
login authentication Tacacs-Auth
length 0
transport input ssh
line vty 5 15
authorization exec Tacacs-Autho
accounting exec Tacacs-Autho-VTY
logging synchronous
login authentication Tacacs-Auth
transport input ssh

in wlc logs:

%DMI-5-AUTHENTICATION_FAILED: Chassis 1 R0/0: dmiauthd: Authentication failure from X.X.X.X:32568 for netconf over ssh.

Netconf still not working

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Jrmonegro — Fri, 29 Nov 2024 14:13:56 GMT

Is it work? remove tacacs configuration, and use only local for discovery process then add again tacacs config?

Re: NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

liviu.gheorghe — Fri, 29 Nov 2024 19:15:55 GMT

In order for this to work, you need

authorization exec default

on your vty lines.

Hope this helps.