Hello @michael.busch67,
Your current AAA implementation sounds very effective in terms of minimizing password need.
However, can you please clarify which passwords you want to go away from?
After a switch is discovered from DNAC, a device certificate is generated and pushed to the device. You can check the device certificates on System -> Settings -> Device Certificate.
Other than that, both DNAC and devices support the use of keys. However, the communication between DNAC and switches does not require passwords manually and it's performed automatically. If by going passwordless you also mean to delete device credentials, it's not a best practices approach for many reasons.
For example, device discovery from DNAC requires at least CLI and SNMP credentials which are normally configured globally (Design -> Network Settings -> Device Credentials). If you are using Device Controllability, many settings (including global credentials) are going to be frequently pushed to devices, so deleting credentials after discovering devices will not work.
Also, AAA configuration is pushed to the switches after they are provisioned, so please ensure that your switches are under provisioned state.
Please use this link for more information regarding DNAC Authentication and Policy Servers.
If you need more help please reply to this thread.
If you find my reply solved your question, kindly click the 'Accept as Solution' button and vote it as helpful.
Kind Regards,
Nikolas