Netconf Authentication Failure

matthew.goli1
Frequent Visitor

Hello,

I am working on a new deployment of Catalyst Center 2.3.7.10 and the new Catalyst 9350 switches. I have used PNP to onboard the switch to Catalyst Center, assigned the switch to a site and then provisioned the device, which pushed down the intent config with the ISE TACACS and RADIUS server settings. Since the intent configuration forces the SSH authentication to authenticate against ISE, I switched the credentials for the device in my inventory to use the global pre-defined service account for ISE to SSH to the device.

After making that switch, Catalyst Center reports the Manageability of that device is in a warning state and the message states "Netconf Authentication Failure":
###############################

Reason and Suggested Actions
Netconf Authentication Failure : NCIM12030: Netconf connection could not be established to the device. Note that If it is desired to enable AAA by configuring ''aaa new-model'' then ''aaa authorization exec default local'' configuration is also required at a minimum on device. Also confirm in Catalyst Center that correct user credentials are provided while discovering or adding the device. You can ensure correct user credentials are available in global credentials or in discovery job and run discovery again. You can also update the credentials of the device using update credentials option.

 

Impacted Applications (1)
Network Settings
 
###############################
 
The switch running configuration has the following two lines set:
aaa authentication login default local
aaa authorization exec default local
 
Which, from my understanding, means the NETCONF authentication will use a local user on the switch. In order for NETCONF to authenticate using the TACACS servers, we must change those lines to read:
 
aaa authentication login default group dnac-network-tacacs-group local
aaa authorization exec default group dnac-network-tacacs-group local if-authenticated
 
But after changing these lines of config, Catalyst Center now reports that the devices are out of compliance for these two lines of config.
 
After a couple of config syncs and provisioning again, Catalyst Center reverts these two lines of config back to their defaults.
 
 
19 Replies

pieterh
VIP

>>> which pushed down the intent config with the ISE TACACS and radius server settings.<<<
I believe this is not correct;
you do not configure this in the switch's config/template, you define this globally in DNAC,
and it is already configured in the switch during on-boarding / PnP before the specific config is pushed.
-> I suggest removing those lines from the template, not changing them.

LFR Admins
Frequent Visitor

Hello @matthew.goli1 

I had the same issue on some C9300 switches running version 17.12.4, but not all of them. Upgrade to 17.12.5/17.12.6 fixed it. 

matthew.goli1
Frequent Visitor

Hey everyone, I forgot I had posted about this issue.

I was researching a different problem and came across these two lines of config that instruct netconf-yang to use different method lists. The lines are:

yang-interfaces aaa authentication method-list VTY_authen

yang-interfaces aaa authorization method-list VTY_author

I found these in a slide deck from cisco live session BRKOPS-2697 (https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2025/pdf/BRKOPS-2697.pdf)

 

I tried these. It still failed with this:

aaa authentication login NETCONF-AUTHN local
aaa authorization exec NETCONF-AUTHR local if-authenticated


yang-interfaces aaa authentication method-list NETCONF-AUTHN
yang-interfaces aaa authorization method-list NETCONF-AUTHR

My version is 17.15.05.

aleabrahao
Meraki Community All-Star

I don't know all your settings, but if you're using TACACS for authentication, leave your configuration like this:

aaa authentication login default group dnac-network-tacacs-group local
aaa authorization exec default group dnac-network-tacacs-group local if-authenticated

If possible, you can also create a local user with privilege 15.

username dnac_admin privilege 15 secret <password>

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

aleabrahao
Meraki Community All-Star

Or you can try this.

aaa authentication login NETCONF-AUTHN group dnac-network-tacacs-group local
aaa authorization exec NETCONF-AUTHR group dnac-network-tacacs-group local if-authenticated

yang-interfaces aaa authentication method-list NETCONF-AUTHN
yang-interfaces aaa authorization method-list NETCONF-AUTHR

 

 

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I don't want to use default. Default is already in use for VTY, and I don't want to mess with that at this moment. That's why for NETCONF I'm trying a custom method list. I have one switch where it is using default and local; it's working fine.

For your information, I don't have TACACS and I don't want to use that. I want to use a local username and password now as the first option.

aleabrahao
Meraki Community All-Star

Ensure NETCONF is enabled correctly.

netconf-yang

Configure this way:

aaa authentication login NETCONF-AUTHN local
aaa authorization exec NETCONF-AUTHR local if-authenticated

yang-interfaces aaa authentication method-list NETCONF-AUTHN
yang-interfaces aaa authorization method-list NETCONF-AUTHR

Bind VTY for NETCONF fallback:

line vty 0 4
login authentication NETCONF-AUTHN
authorization exec NETCONF-AUTHR

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
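A quick way to check a saved running-config for the pieces discussed in this thread (added example, not code from the thread or from Cisco; the sample config is constructed): it confirms netconf-yang is enabled and that the method lists named by yang-interfaces, or default when none are named, are actually defined, which is what the NCIM12030 message asks for.

```python
import re

# Constructed sample running-config, modelled on the thread's posts
# (not copied from any one device in the thread).
SAMPLE_OK = """\
aaa new-model
aaa authentication login default group RADSERVER line local
aaa authentication login NETCONF-AUTHN local
aaa authorization exec default group RADSERVER local none
aaa authorization exec NETCONF-AUTHR local if-authenticated
netconf-yang
yang-interfaces aaa authentication method-list NETCONF-AUTHN
yang-interfaces aaa authorization method-list NETCONF-AUTHR
"""
# Same switch with the exec list misnamed, so yang-interfaces points at nothing.
SAMPLE_BROKEN = SAMPLE_OK.replace("exec NETCONF-AUTHR", "exec NETCONF-AUTHZ")

def _defined_lists(lines, prefix):
    """Names defined under e.g. 'aaa authentication login <name> ...'."""
    return {m.group(1) for line in lines
            if (m := re.match(re.escape(prefix) + r" (\S+)", line))}

def _yang_list(lines, kind):
    """List NETCONF uses for 'authentication'/'authorization'; falls back
    to 'default' when no yang-interfaces line overrides it (per NCIM12030)."""
    for line in lines:
        m = re.match(rf"yang-interfaces aaa {kind} method-list (\S+)", line)
        if m:
            return m.group(1)
    return "default"

def check_netconf_aaa(config: str) -> list:
    """Findings list; empty means every prerequisite the NCIM12030 message
    and the thread's posts call for is present in the running-config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "netconf-yang" not in lines:
        findings.append("netconf-yang is not enabled")
    if "aaa new-model" not in lines:
        return findings  # no AAA, so the method-list checks do not apply
    authn = _yang_list(lines, "authentication")
    author = _yang_list(lines, "authorization")
    if authn not in _defined_lists(lines, "aaa authentication login"):
        findings.append(f"NETCONF authentication list '{authn}' is not defined")
    if author not in _defined_lists(lines, "aaa authorization exec"):
        findings.append(f"NETCONF authorization list '{author}' is not defined")
    return findings
```

Feed it the output of `show running-config` saved to a file; an empty result means the AAA side is consistent and the failure is more likely credentials or VTY transport.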

pieterh
VIP

Are NETCONF-AUTHN and NETCONF-AUTHR also included in your "line vty ..." configuration (not only default)?

From the same document you refer to:
line vty <x> <y>   ! reserve some numbers (0 4) for SSH access and other vty numbers (like 5 10?) for NETCONF
   authorization exec NETCONF-AUTHR
   login authentication NETCONF-AUTHN

It's not included in line vty.

Then that could be the cause of your problems.

NETCONF over SSH uses virtual terminal lines.

I read your other post about vty 95 98.
Strange that didn't work?
But... to my memory, you need to use consecutive numbers (not jump from 15 to 95!), but I could be wrong here.
I also recall you need to reserve more than 4 lines (I'll search if I can find that info).

This is how it is:

line vty 0 4
access-class SSH-New in
exec-timeout 15 0
logging synchronous level all
history size 256
transport preferred none
transport input ssh
transport output none

line vty 5 15
access-class SSH-New in
exec-timeout 15 0
logging synchronous level all
history size 256
transport preferred none
transport input ssh
transport output none

line vty 16 94
access-class SSH-New in
exec-timeout 15 0
logging synchronous level all
history size 256
transport input ssh
transport output none

line vty 95 98
exec-timeout 15 0
authorization exec NETCONF-AUTHR
logging synchronous level all
login authentication NETCONF-AUTHN
history size 256
transport input ssh
transport output ssh


aaa new-model
aaa group server radius RADSERVER
aaa authentication banner ^CCC
aaa authentication login default group RADSERVER line local
aaa authentication login CONSOLE local group RADSERVER

aaa authentication login NETCONF-AUTHN local

aaa authorization console
aaa authorization config-commands
aaa authorization exec default group RADSERVER local none
aaa authorization exec CONSOLE local group RADSERVER

aaa authorization exec NETCONF-AUTHR local if-authenticated

aaa authorization commands 15 CONSOLE local group RADSERVER

aaa authorization network default group RADSERVER
aaa authorization auth-proxy default group RADSERVER

aaa accounting auth-proxy default start-stop group RADSERVER
aaa accounting exec default start-stop group TACSERVER
aaa accounting network default start-stop group TACSERVER
aaa session-id common

yang-interfaces aaa authentication method-list NETCONF-AUTHN
yang-interfaces aaa authorization method-list NETCONF-AUTHR

I tried:
sh run | s line vty 95 98
line vty 95 98
exec-timeout 15 0
authorization exec NETCONF-AUTHR
logging synchronous level all
login authentication NETCONF-AUTHN
history size 256
transport input ssh
transport output ssh

But it is failing again.

aleabrahao
Meraki Community All-Star

Look, excuse my ignorance, but how are you going to force a connection from vty 95 to vty 98?

It's rather unlikely that you have so many simultaneous connections.

I don't know all the variables in your environment, so I suggest you read this article:

https://ipcisco.com/lesson/cisco-netconf-configuration/

If you are still having problems, I suggest you work with the TAC.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.