Netconf Authentication Failure

matthew.goli1
Frequent Visitor

Hello,

I am working on a new deployment of Catalyst Center 2.3.7.10 and the new Catalyst 9350 switches. I have used PNP to onboard the switch to Catalyst Center, assigned the switch to a site and then provisioned the device, which pushed down the intent config with the ISE TACACS and RADIUS server settings. Since the intent configuration forces the SSH authentication to authenticate against ISE, I switched the credentials for the device in my inventory to use the global pre-defined service account for ISE to SSH to the device.

After making that switch, Catalyst Center reports the Manageability of that device is in a warning state and the message states "Netconf Authentication Failure":
###############################

Reason and Suggested Actions
Netconf Authentication Failure : NCIM12030: Netconf connection could not be established to the device. Note that If it is desired to enable AAA by configuring ''aaa new-model'' then ''aaa authorization exec default local'' configuration is also required at a minimum on device. Also confirm in Catalyst Center that correct user credentials are provided while discovering or adding the device. You can ensure correct user credentials are available in global credentials or in discovery job and run discovery again. You can also update the credentials of the device using update credentials option.

 

Impacted Applications (1)
Network Settings
 
###############################
 
The switch running configuration has the following two lines set:
aaa authentication login default local
aaa authorization exec default local
 
which, from my understanding, means the netconf authentication will use a local user on the switch. In order for netconf to authenticate using the TACACS servers, we must change those lines to read:
 
aaa authentication login default group dnac-network-tacacs-group local
aaa authorization exec default group dnac-network-tacacs-group local if-authenticated
 
But after changing these lines of config, Catalyst Center now reports that the devices are out of compliance for these two lines of config.
 
After a couple of config syncs and provisioning again, Catalyst Center reverts these two lines of config back to their default.
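The thread turns on which backend the default AAA method lists actually select and on the minimum the Catalyst Center message asks for (with aaa new-model, an aaa authorization exec default line). The following is an added config-audit example, not code from the post, from Cisco or from Catalyst Center: it parses the two default method lists out of a running-config snippet, reports which method is tried first, and flags the missing exec authorization line plus a missing local fallback. The sample configs are constructed for the example; only the group name dnac-network-tacacs-group comes from the post, and the server name ise-01 is made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configs. The first mirrors the two AAA lines quoted in the
# post (local only); the second mirrors the TACACS-first lines the poster tried.
# The group name dnac-network-tacacs-group is taken from the post; the server
# name ise-01 and everything else here is made up for the example.
LOCAL_ONLY_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
 transport input ssh
"""

TACACS_FIRST_CONFIG = """\
aaa new-model
aaa group server tacacs+ dnac-network-tacacs-group
 server name ise-01
aaa authentication login default group dnac-network-tacacs-group local
aaa authorization exec default group dnac-network-tacacs-group local if-authenticated
line vty 0 4
 transport input ssh
"""

# Constructed: aaa new-model enabled but the exec authorization line removed.
MISSING_EXEC_AUTHZ_CONFIG = """\
aaa new-model
aaa authentication login default local
"""

# Matches the two default method lists the thread is about.
METHOD_LINE_RE = re.compile(r"^aaa (authentication login|authorization exec) default (.+)$")


@dataclass
class AaaAudit:
    new_model: bool
    login_methods: list   # ordered, e.g. ["group dnac-network-tacacs-group", "local"]
    exec_methods: list
    findings: list = field(default_factory=list)


def parse_methods(spec: str) -> list:
    """Split a method-list tail into ordered methods, keeping 'group <name>' together."""
    tokens = spec.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def first_backend(methods: list) -> str:
    """Method the switch tries first for this list ('none' if the list is empty)."""
    return methods[0] if methods else "none"


def audit_aaa(config: str) -> AaaAudit:
    """Extract the default login/exec method lists and flag the two common gaps."""
    new_model = False
    login, exec_ = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            new_model = True
            continue
        m = METHOD_LINE_RE.match(line)
        if not m:
            continue
        methods = parse_methods(m.group(2))
        if m.group(1) == "authentication login":
            login = methods
        else:
            exec_ = methods
    audit = AaaAudit(new_model, login, exec_)

    # The Catalyst Center message quoted in the post: with aaa new-model,
    # an 'aaa authorization exec default' line is required at a minimum.
    if new_model and not exec_:
        audit.findings.append("aaa new-model is set but 'aaa authorization exec default' is missing")
    # Keep a local fallback so management access survives an unreachable server group.
    for name, methods in (("login", login), ("exec", exec_)):
        if any(m.startswith("group ") for m in methods) and "local" not in methods:
            audit.findings.append(f"{name} method list has no 'local' fallback after the server group")
    return audit


if __name__ == "__main__":
    samples = (("local-only", LOCAL_ONLY_CONFIG), ("tacacs-first", TACACS_FIRST_CONFIG),
               ("missing-exec-authz", MISSING_EXEC_AUTHZ_CONFIG))
    for label, cfg in samples:
        a = audit_aaa(cfg)
        print(f"{label}: login -> {first_backend(a.login_methods)} | exec -> {first_backend(a.exec_methods)}")
        for f in a.findings:
            print("  finding:", f)
```

Run against the local-only snippet it reports login and exec both going to local, which is why a switch left on the defaults still authenticates a local service account; against the TACACS-first snippet it reports the server group as the first method with local still present as a fallback, and it raises no finding. Pasting a real show running-config | include aaa into one of the constants is enough to audit a production switch offline.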
 
 
19 Replies

This one I already verified. I already had a session with TAC. TAC was telling me it will only work with a TACACS server. But I have one switch with default with local account; it's working fine. But the rest of them are all set with RADIUS authentication, even for SSH to the switch, but it's not working for me.

The command "logging synchronous level all" on vty lines 95 98 sounds strange to me.
You don't want the netconf communication to receive all logging, do you?
-> This produces many unexpected responses to the process that issues the netconf command.
I'm not sure it gets in the way, but try removing this and let's see the result.

As I mentioned, the working switch has the same configuration. This is the one, but it uses default with local authentication.

line vty 0 4
access-class SSH in
exec-timeout 15 0
logging synchronous level all
history size 256
transport input ssh
transport output ssh

I tried as you mentioned but it didn't work. I have a doubt that some configuration makes this not work, it seems.

The message "Netconf Authentication Failure" is on the Catalyst Center.
1) What message occurs in the switch logging?
2) If ISE is forcing use of SSH -> check your ISE settings.
   netconf is using the SSH protocol, but not on the default SSH port 22;
   commonly netconf uses port 630.