
DNAC - Netconf over SSH with AAA

lgalvez100
Level 1

Hey all!

I'm trying to get DNAC to discover my devices. ICMP, CLI, and SNMP work just fine, but NETCONF fails. I'm using the default port 830 to discover C9200 and C9300 via AAA RADIUS. I just tested the AAA RADIUS user and I'm able to log in with privilege level 15, but I can't get NETCONF to work in the Discovery. The RADIUS server is only sending Cisco-AV-Pair shell:priv-lvl=15. I'm sharing the relevant config and logs.

Main error is the following:

%SSH-5-SSH2_SESSION: SSH2 Session request from x.x.x.x (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Succeeded

AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'


%DMI-5-AUTHENTICATION_FAILED: Switch 1 R0/0: dmiauthd: Authentication failure from x.x.x.x:48372 for netconf over ssh.

HNTGEF-02PVT1N6-AS9200L#sh run | sec radius
aaa group server radius TEST
server name TEST
deadtime 2
ip radius source-interface Vlan 7
radius server TEST
address ipv4 x.x.x.x auth-port 1645 acct-port 1646
timeout 120
retransmit 1
key 7 xxxx


HNTGEF-02PVT1N6-AS9200L#sh run | sec aaa
aaa new-model
aaa group server radius TEST
server name TEST
deadtime 2
aaa authentication login default group TEST local
aaa authentication enable default enable
aaa authorization exec default group TEST local
aaa session-id common


Torbjørn
VIP

That should work. Do you get the same result when SSHing manually to port 830? 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

ammahend
VIP Alumni

Did you configure netconf-yang on the switch?
As recommended, share if you can SSH on port 830.

-hope this helps-