NETCONF AAA

dudster83
Level 1

Hi

I've been searching for a while for answers regarding the ability of ISE to authorize NETCONF sessions, as well as the ability to locate configuration changes that were made via NETCONF just like any other CLI config changes.

I'm guessing any configuration management system that takes a snapshot of the configuration in a configured timeframe can show before and after changes, but my concern with automation is that I need some kind of audit capability for each interaction with an end device, without having to log it on the application side.

2 Replies

@dudster83 

Regarding your first request, I believe this link answers your question.

https://developer.cisco.com/docs/ios-xe/ios-xe-aaa-integration-with-netconf-and-restconf/#xconf-aaa

Now, this part is not clear:

"as well as the ability to locate configuration changes that were made via NETCONF just like any other CLI config changes."

Are you still referring to ISE?

 

Hi Flavio

Thanks for the comment. From the answer I understand that there's a possibility to authenticate and authorize a NETCONF user with TACACS+ (ISE).

Regarding the 2nd question, I want to make sure that there's a possibility to perform accounting on all config changes made by NETCONF sessions. For my scenario: yes, with ISE.

Is it possible to run a report on ISE and see what changes were made by the NETCONF RPC? Or even without config changes, what was queried by ncclient? Does the device keep a record of what was performed by NETCONF? (ISE or even the local router)