Catalyst Center, NETCONF and default method list

Toy Thompson · ‎06-23-2025

I am running Catalyst Centre 2.3.7.x and have a number of devices (3650, 3850, 9K switches and 9800 WLCs) onboarded with the Catalyst Centre using SSH SNMP v3 and NETCONFT on port 830.
I configured the default method lists when I onboarded the devices or after they were onboarded, I enabled NETCONF on the device and configured the default method list and devices are in full managed state.
Since using defaults are a security risk, I do not want to use the default method list on the device but if I change the method list NETCONF stops working.
Is this the expected behavior or can I use the default method list for first time connectivity/onboarding then change it. If I have to use the default method list will this change in the future?

Preston Chilcote · ‎06-23-2025

I'd be interested to hear exactly how using a default method list is a security concern (other than the generic "we shouldn't use default for anything"), but just in case, there were commands added (in 17.9 I think) to allow netconf to use a non default list:

yang-interfaces aaa authentication method-list <authMethodListName>
yang-interfaces aaa authorization method-list<authZMethodListName>

Toy Thompson · ‎06-25-2025

Thank you for the response...I should rephrase the statement yes "default method list does not align with our client or our device hardening policies". I verified the commands exist on the 9K WLCs the current 9K switches are running 17.6.5 so we will need to upgrade before we can test. I will post results here after testing.
What do we do with the 3650 and 3850 switches managed by Catalyst Centre and using NETCONF

Preston Chilcote · ‎06-25-2025

I don't think there's anything that can be done for 3650/3850 in regards to netconf to avoid the default method list, but you'll still be able to use most of Cat Center features even without netconf. As you know those switches are very close to End of Life, so hopefully there is a plan for a hardware refresh.