
DNAC - Netconf over SSH with AAA

lgalvez100
Community Member

Hey all!,

I'm trying to get DNAC to discover my devices. ICMP, CLI, and SNMP work just fine, but NETCONF fails. I'm using the default port 830 to discover C9200 and C9300 via AAA RADIUS. I just tested the AAA RADIUS user and I'm able to log in with privilege level 15, but I can't get NETCONF to work in the Discovery. The RADIUS server is only sending Cisco-AV-Pair shell:priv-lvl=15. I'm sharing the relevant config and logs.

Main error is the following:

%SSH-5-SSH2_SESSION: SSH2 Session request from x.x.x.x (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Succeeded

AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
%DMI-5-AUTHENTICATION_FAILED: Switch 1 R0/0: dmiauthd: Authentication failure from x.x.x.x:48372 for netconf over ssh.

HNTGEF-02PVT1N6-AS9200L#sh run | sec radius
aaa group server radius TEST
server name TEST
deadtime 2
ip radius source-interface Vlan 7
radius server TEST
address ipv4 x.x.x.x auth-port 1645 acct-port 1646
timeout 120
retransmit 1
key 7 xxxx


HNTGEF-02PVT1N6-AS9200L#sh run | sec aaa
aaa new-model
aaa group server radius TEST
server name TEST
deadtime 2
aaa authentication login default group TEST local
aaa authentication enable default enable
aaa authorization exec default group TEST local
aaa session-id common

3 Replies

Torbjørn
VIP

That should work. Do you get the same result when SSHing manually to port 830? 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Ambuj M
VIP

Did you configure netconf-yang on the switch?
As recommended, share whether you can SSH on port 830.

-hope this helps-

You need to have a local user configured that matches the service account DNAC is using to log in to your devices.

On IOS-XE, the NETCONF subsystem uses the default AAA method list, not the VTY list. So plain SSH can succeed while NETCONF over SSH fails with dmiauthd if aaa authentication login default (and often authorization exec) aren’t set to use local (or your TACACS/RADIUS).
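As an added worked check, not code from this thread, from Cisco or from DNAC: the reply above says NETCONF on IOS-XE authenticates through the default AAA method lists, so the things worth auditing are the default login/exec lists, whether netconf-yang is enabled, and whether a local username exists for the service account when the list falls back to local. The script below runs those checks over the "sh run | sec aaa" text posted in the question (netconf-yang is absent from it, so that is flagged) and parses the %DMI-5-AUTHENTICATION_FAILED line to pull out the client address and port. The service account name "dnac", the 192.0.2.10 address and the hardened config lines are assumptions I constructed for the example.

```python
import re

# Constructed sample: the "sh run | sec aaa" output from the question.
SAMPLE_RUNNING_CONFIG = """\
aaa new-model
aaa group server radius TEST
 server name TEST
 deadtime 2
aaa authentication login default group TEST local
aaa authentication enable default enable
aaa authorization exec default group TEST local
aaa session-id common
"""

# Constructed: the same config with the two lines the replies ask about
# (netconf-yang enabled, local user for the service account; the secret is a placeholder).
HARDENED_RUNNING_CONFIG = SAMPLE_RUNNING_CONFIG + """\
netconf-yang
username dnac privilege 15 secret 9 PLACEHOLDER_HASH
"""

# Constructed syslog sample: the three lines from the question with a documentation address.
SAMPLE_SYSLOG = """\
%SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.10 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Succeeded
AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
%DMI-5-AUTHENTICATION_FAILED: Switch 1 R0/0: dmiauthd: Authentication failure from 192.0.2.10:48372 for netconf over ssh.
"""

DMI_FAIL_RE = re.compile(
    r"%DMI-5-AUTHENTICATION_FAILED: .*?Authentication failure from (\S+):(\d+) for netconf over ssh"
)


def parse_method_list(config, kind):
    """Return the methods of the *default* list for kind, e.g. 'authentication login'
    -> ['group TEST', 'local']; None when no default list of that kind is configured."""
    m = re.search(rf"^aaa {kind} default (.+)$", config, re.M)
    if not m:
        return None
    return re.findall(r"group \S+|local|none|enable|line", m.group(1))


def _uses_server_or_local(methods):
    return any(m == "local" or m.startswith("group ") for m in methods)


def audit_netconf_aaa(config, service_account):
    """Return a list of findings that would explain dmiauthd rejecting NETCONF logins
    while plain SSH (VTY) works. An empty list means the config passes these checks."""
    findings = []
    if not re.search(r"^netconf-yang(\s|$)", config, re.M):
        findings.append("netconf-yang is not enabled")

    login = parse_method_list(config, "authentication login")
    if login is None:
        findings.append("no 'aaa authentication login default' list (NETCONF uses the default list)")
    elif not _uses_server_or_local(login):
        findings.append(f"default login list {login} uses neither local nor an AAA server group")

    exec_ = parse_method_list(config, "authorization exec")
    if exec_ is None:
        findings.append("no 'aaa authorization exec default' list")
    elif not _uses_server_or_local(exec_):
        findings.append(f"default exec authorization list {exec_} uses neither local nor a server group")

    # Local fallback only helps if the service account actually exists locally.
    if "local" in (login or []) and not re.search(
        rf"^username {re.escape(service_account)}\b", config, re.M
    ):
        findings.append(f"default login list falls back to local but no local username '{service_account}' exists")
    return findings


def netconf_auth_failures(syslog):
    """Extract (client_ip, client_port) from every DMI NETCONF authentication failure."""
    return [(m.group(1), int(m.group(2))) for m in DMI_FAIL_RE.finditer(syslog)]


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_RUNNING_CONFIG)):
        print(name, "config findings:", audit_netconf_aaa(cfg, "dnac") or "none")
    print("NETCONF auth failures seen:", netconf_auth_failures(SAMPLE_SYSLOG))
```

The audit only reasons about the switch-side text; it cannot tell whether the RADIUS server accepts the account for the NETCONF request, which is why the replies also ask for a manual SSH test against port 830 with the same credentials.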