Netconf-yang with AAA

rasmus.elmholt
Level 7

Hi Everyone

I am enabling netconf on Cat9k switches and want to use a custom AAA group for it and not just the default.

I have the following configuration that works, but want to change it so we use a named group and not the default:

aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius local 
! 
netconf-yang

!!!!!! Configuration I would like to use:
aaa new-model
!
aaa authentication login AAA_GROUP group radius local
aaa authorization exec AAA_GROUP group radius local 
! 
netconf-yang

But I cannot find any information on how to configure netconf to use an AAA group and not the default.

Accepted Solution

Hey,

I faced this issue in the past.

From Programmability Configuration Guide, Cisco IOS XE Bengaluru 17.6.x - NETCONF Protocol [Cisco IOS XE 17] - Cisco, it is clearly stated:

"Only the default AAA authentication login method is supported for the NETCONF protocol."

It was also documented in bug-id CSCvu09830 but somehow I'm not entitled anymore to see it.

Sylvain.


pieterh
VIP

NETCONF is a language to pass application information,
but basically the transport is SSH, especially if you configured
     netconf-yang ssh ipv4 
NB! some models accept a named ACL, others only numbered;
also check the IOS XE version, here are some examples 
     ! e.g. models: ASR1001-X, IE2000, C3750G, C3560G, C3750, IE2000, C891, C3850, C2960, C3560
     netconf ssh acl 12
     ! e.g. models: C3650, C1111, C9300L, ASR1001, C9300, C9500
     netconf-yang ssh ipv4 access-list name netconf_acl

also include
     line vty 0 4
      authorization exec AAA_GROUP
      login authentication AAA_GROUP

Hi pieterh

We already have the line vty config you mention, and AAA with the AAA_GROUP works for SSH. But the default is still used for netconf-yang.

line vty 0 4
      authorization exec AAA_GROUP
      login authentication AAA_GROUP

aaa authentication login AAA_GROUP group radius local

-> must this not be:

aaa authentication login group AAA_GROUP local

but when I read the document below => it looks like either local or TACACS+ AAA, but not RADIUS AAA, can be used:
Programmability Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - NETCONF Protocol [Cisco IOS XE 17] - Cisco
If a user authenticates via the public-key; but does not have a corresponding Authentication, Authorization, and Accounting (AAA) configuration, this user is rejected. If a user authenticates via a public-key; but the AAA configuration for NETCONF is using a AAA source other than the local, this user is also rejected. Local and TACACS+ AAA authorization are supported.


The commands are correct. I think the order depends on the IOS version.

TST-SW10(config)#aaa authentication login ?     
  WORD     Named authentication list (max 31 characters, longer will be
           rejected).
  default  The default authentication list.

We are not using public-keys for authentication so I don't think that is the issue.


I am not able to see the bug either.

I guess we don't have a timeframe for when this will be fixed then.

Hello PieterH, did you find a solution in the meantime?

For me it looks like "Local and TACACS+ AAA authorization are supported" is wrong, because I have a working AAA config for SSH access; I am running 17.6.6a.

kind regards

Thomas


MUP0
Level 1

If you are running a newer IOS-XE (can't say as of which version, I couldn't find the below commands in the command line references) and want to use custom method lists for Netconf try these:

yang-interfaces aaa authentication method-list <authMethodListName>
yang-interfaces aaa authorization method-list <authZMethodListName>

And let me know if you find them in the guides

Thank you for the reply. The commands do not seem to be in version 17.6.6a.

Yeah, I see, it was introduced recently, as I said, but I can't tell the exact version.

We are on 17.9.x and it is there. Once I configured the commands below, I could see the authentications going to ISE; before that they were local, since that is where "default" points to: aaa authentication login default local

yang-interfaces aaa authentication method-list <authMethodListName>
yang-interfaces aaa authorization method-list <authZMethodListName>
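The accepted answer (on 17.6 only the default login list is honoured) and the 17.9 yang-interfaces override both come down to one question: which method list does netconf-yang actually consult, and does that list ever reach a RADIUS/TACACS+ group? The audit script below is an added example written for this page, not Cisco code and not something posted in the thread. It parses a running-config snippet containing the commands shown above, applies the rule stated in the thread (a yang-interfaces override wins if present, otherwise default is used, and the vty lines' lists are never consulted), and flags a NETCONF login or exec path that would bypass the named group. The three sample configs are constructed from the posts in this thread; the regexes assume the exact command forms shown here.

```python
"""Audit which AAA method lists a netconf-yang session will really consult.
Rule taken from the thread: NETCONF ignores the vty lines' lists and uses
'default' unless a 'yang-interfaces aaa ... method-list' override (17.9) exists."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
YANG_AUTHN_RE = re.compile(r"^yang-interfaces aaa authentication method-list (\S+)$")
YANG_AUTHZ_RE = re.compile(r"^yang-interfaces aaa authorization method-list (\S+)$")


@dataclass
class AaaConfig:
    login_lists: Dict[str, List[str]] = field(default_factory=dict)  # name -> methods
    exec_lists: Dict[str, List[str]] = field(default_factory=dict)
    netconf_enabled: bool = False
    yang_authn: Optional[str] = None  # 17.9-style override list names, if present
    yang_authz: Optional[str] = None


def parse_methods(rest: str) -> List[str]:
    """'group radius local' -> ['group radius', 'local'] (a group keeps its name)."""
    return re.findall(r"group \S+|\S+", rest)


def parse_config(text: str) -> AaaConfig:
    """Pick the AAA and netconf-yang lines out of a running-config snippet."""
    cfg = AaaConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "netconf-yang":
            cfg.netconf_enabled = True
        elif m := LOGIN_RE.match(line):
            cfg.login_lists[m.group(1)] = parse_methods(m.group(2))
        elif m := EXEC_RE.match(line):
            cfg.exec_lists[m.group(1)] = parse_methods(m.group(2))
        elif m := YANG_AUTHN_RE.match(line):
            cfg.yang_authn = m.group(1)
        elif m := YANG_AUTHZ_RE.match(line):
            cfg.yang_authz = m.group(1)
    return cfg


def uses_server_group(methods: List[str]) -> bool:
    return any(m.startswith("group ") for m in methods)


def netconf_aaa_report(cfg: AaaConfig) -> dict:
    """Resolve the login/exec lists NETCONF will use and flag risky outcomes."""
    report = {"login_list": None, "login_methods": [], "exec_list": None,
              "exec_methods": [], "findings": []}
    if not cfg.netconf_enabled:
        return report
    targets = (("login", cfg.yang_authn or "default", cfg.login_lists),
               ("exec", cfg.yang_authz or "default", cfg.exec_lists))
    for kind, name, lists in targets:
        report[f"{kind}_list"] = name
        methods = lists.get(name)
        if methods is None:
            report["findings"].append(f"{kind} list '{name}' is not defined")
        else:
            report[f"{kind}_methods"] = methods
            if not uses_server_group(methods):
                report["findings"].append(
                    f"NETCONF {kind} uses '{name}' = {' '.join(methods)}: no server group")
        if methods is None or not uses_server_group(methods):
            # a named list that does reach RADIUS/TACACS+ but NETCONF bypasses
            for other, other_methods in lists.items():
                if other != name and uses_server_group(other_methods):
                    report["findings"].append(
                        f"named {kind} list '{other}' is bypassed by NETCONF")
    return report


# Constructed sample configs mirroring the thread, not taken from a real device.
CFG_NAMED_ONLY = """
aaa new-model
aaa authentication login AAA_GROUP group radius local
aaa authorization exec AAA_GROUP group radius local
line vty 0 4
 login authentication AAA_GROUP
 authorization exec AAA_GROUP
netconf-yang
"""
# 17.6 workaround: point 'default' itself at the RADIUS group.
CFG_DEFAULT_FIXED = CFG_NAMED_ONLY.replace("aaa new-model", """aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local""")
# 17.9 style: 'default' stays local, the override sends NETCONF to AAA_GROUP.
CFG_17_9_OVERRIDE = CFG_NAMED_ONLY.replace("netconf-yang", """aaa authentication login default local
yang-interfaces aaa authentication method-list AAA_GROUP
yang-interfaces aaa authorization method-list AAA_GROUP
netconf-yang""")

if __name__ == "__main__":
    for label, text in (("named list only", CFG_NAMED_ONLY), ("default fixed", CFG_DEFAULT_FIXED),
                        ("17.9 override", CFG_17_9_OVERRIDE)):
        print(f"{label}: {netconf_aaa_report(parse_config(text))}")
```

Run against a saved `show running-config`, the first sample reproduces the original poster's situation (NETCONF resolves to an undefined default list while AAA_GROUP is bypassed), the second shows the 17.6-era fix of making default itself go to RADIUS with local fallback, and the third shows the 17.9 override leaving default local while NETCONF is sent to the named group. A config that trips the "bypassed" finding is exactly the one where SSH appears to use RADIUS but NETCONF on port 830 quietly does not.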

Great info, thank you.

We are still running the 17.6 train, but in the process of upgrading to 17.9 at the moment. I will for sure check it out.