Cisco DNA Discover - Netconf fail in Switch and WLC

iran
Level 1

Hi,

Can anyone help me understand and list the requirements needed to successfully discover a device via NETCONF?

iran_1-1687698770310.png

I validated that the devices have the command:
netconf-yang

1 - I read somewhere that the device cannot have AAA, TACACS or RADIUS configuration; is that true?

2 - I read somewhere that the device must only have the configs below regarding AAA; is that true?

iran_0-1687698356801.png

3 - I know that to provision the WLC 9800 in Cisco DNA I need to have NETCONF, but to provision a device do I need to have NETCONF?

Could anyone please clarify my questions above and let me know the right procedure?

18 Replies

Hi

This video explains it in detail:

https://www.youtube.com/watch?v=sGry7i8eGzI

Thank you.

I followed the instructions, but I still get an error message in NETCONF.
I did a tcpdump capture on DNA and noticed that the switch is always sending a "Reset" to the connection.

Any advice?

iran_0-1687725427917.png
Which device model and version are you trying to discover?

Hi,
Thank you for your reply.

I have these devices, and all of them failed in NETCONF:

cisco C9800-80-K9
Cisco IOS-XE
ROM: 16.12(5r)
SW version: 17.03.07

C9300-48P
ROM: IOS-XE ROMMON
SW version: 16.9.3

C9500-16X
ROM: IOS-XE ROMMON
SW version: 16.12.3a

Disable netconf and enable it again.

Test with ssh -p 830 <ip address>

When I try to access a switch with DNAC default settings:

iran_6-1687777997336.png
I don't know if the text in the image is visible. The output is:
Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
I already tried to add this algorithm to DNAC:
$ nano /etc/ssh/ssh_config
iran_3-1687776873259.png
KexAlgorithms diffie-hellman-group-exchange-sha1
After adding this line to the ssh_config file:

iran_2-1687776735069.png
The error message says FIPS is enabled, but I don't have FIPS enabled. I have checked it.

When I tried to do it for the WLC 9800 with DNAC default settings:

iran_1-1687776159868.png

If you could give me any advice about it, I would be very grateful.
What? Do you have FIPS enabled on DNAC?

Man, if you do, you need to reimage the server.

No, I don't have FIPS enabled.
This is why I don't understand this message.
Look:

iran_0-1687781118334.png

OK.

Try this. Enable SSH on the devices again:

crypto key generate rsa

Use a 2048-bit key length.

-- Switch:

iran_0-1687782217967.png

-- WLC:
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-3942078477
ssh-rsa...................
iran_2-1687782331150.png
Sorry, some of the images lost all quality when I uploaded them.
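The "no matching key exchange method found" error quoted earlier and the show ip ssh output above both come down to algorithm overlap between the device and the management client. Added example, not from this thread or from any Cisco tool: a Python check that parses both, then reports what a client would negotiate and whether the device offers only SHA-1 based key exchange; the client preference lists are assumed stand-ins for the real client's configuration.

```python
import re

# Constructed sample input: the WLC 'show ip ssh' algorithm lines quoted in the thread.
SHOW_IP_SSH = """\
SSH Enabled - version 1.99
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
"""

# Constructed sample input: the client-side error quoted for the switch.
SWITCH_ERROR = ("Unable to negotiate with x.x.x.x port 22: no matching key exchange "
                "method found. Their offer: diffie-hellman-group-exchange-sha1,"
                "diffie-hellman-group14-sha1")

# Assumed client preference lists (an OpenSSH-style client with SHA-1 based
# key exchange disabled). Replace with the real client's configured lists.
CLIENT_KEX = ["curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
              "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256"]
CLIENT_HOSTKEY = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]

_ALG_LINE = re.compile(r"^(KEX|Hostkey|Encryption|MAC) Algorithms:\s*(.*)$", re.M)

def parse_show_ip_ssh(text):
    """Map 'kex', 'hostkey', 'encryption', 'mac' to the device's algorithm lists."""
    return {m.group(1).lower(): [a.strip() for a in m.group(2).split(",") if a.strip()]
            for m in _ALG_LINE.finditer(text)}

def parse_openssh_offer(message):
    """Pull the server's KEX offer out of an OpenSSH negotiation failure message."""
    m = re.search(r"Their offer:\s*([\w@.,-]+)", message)
    return m.group(1).split(",") if m else []

def negotiate(client_prefs, server_list):
    """SSH (RFC 4253) picks the first client-preferred algorithm the server also lists."""
    return next((a for a in client_prefs if a in server_list), None)

def diagnose(server_kex, server_hostkey=()):
    """Return (kex, hostkey, sha1_only): what would be negotiated, and whether the
    device offers only SHA-1 based key exchange (the usual cause of this failure)."""
    return (negotiate(CLIENT_KEX, server_kex),
            negotiate(CLIENT_HOSTKEY, server_hostkey),
            bool(server_kex) and all(a.endswith("-sha1") for a in server_kex))

if __name__ == "__main__":
    wlc = parse_show_ip_ssh(SHOW_IP_SSH)
    print("WLC:", diagnose(wlc["kex"], wlc["hostkey"]))
    print("Switch:", diagnose(parse_openssh_offer(SWITCH_ERROR)))
```

When the device side is SHA-1 only, as the switch offer is, prefer enabling a SHA-2 based key exchange on the device over re-enabling SHA-1 methods on the client.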

Same issue

iran
Level 1

It could be. Are you using TACACS?

FlavioMiranda_0-1687942350925.png

As per your introduction I thought you were aware of that.

In the switches I only have RADIUS, and in the WLC I have both, but only RADIUS is assigned to the VTY lines.

My doubt is that when I try the same setup in my lab environment it works well.
The only difference is that in my lab environment I am able to run ssh <ip address> -p 830, while in the production environment I am not able to, as I mentioned above.

You should be able to ssh from DNAC to device on port 830.

What prevents it? A firewall?
