Netconf-yang with AAA

rasmus.elmholt
Level 7

Hi Everyone

I am enabling netconf on Cat9k switches and want to use a custom AAA group for it and not just the default.

I have the following configuration that works, but want to change it so we use a named group and not the default:

aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
netconf-yang

!!!!!! Configuration I would like to use:
aaa new-model
!
aaa authentication login AAA_GROUP group radius local
aaa authorization exec AAA_GROUP group radius local
!
netconf-yang

But I cannot find any information on how to configure netconf to use an AAA group and not the default.


pieterh
VIP

NETCONF is a language to pass application information,
but basically the transport is SSH, especially if you configured
     netconf-yang ssh ipv4
NB! some models accept a named ACL, others only a numbered one;
also check the IOS XE version, here are some examples
     ! e.g. models: ASR1001-X, IE2000, C3750G, C3560G, C3750, IE2000, C891, C3850, C2960, C3560
     netconf ssh acl 12
     ! e.g. models: C3650, C1111, C9300L, ASR1001, C9300, C9500
     netconf-yang ssh ipv4 access-list name netconf_acl

also include
     line vty 0 4
      authorization exec AAA_GROUP
      login authentication AAA_GROUP

Hi pieterh

We already have the line vty config you mention, and AAA with the AAA_GROUP works for SSH. But the default is still used for netconf-yang.

line vty 0 4
      authorization exec AAA_GROUP
      login authentication AAA_GROUP

aaa authentication login AAA_GROUP group radius local

-> must this not be?

aaa authentication login group AAA_GROUP local


but when I read the document below => it looks like either local or TACACS+ AAA, but not RADIUS AAA, can be used
Programmability Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - NETCONF Protocol [Cisco IOS XE 17] - Cisco
If a user authenticates via the public-key; but does not have a corresponding Authentication, Authorization, and Accounting (AAA) configuration, this user is rejected. If a user authenticates via a public-key; but the AAA configuration for NETCONF is using a AAA source other than the local, this user is also rejected. Local and TACACS+ AAA authorization are supported.


The commands are correct. I think the order depends on the IOS version.

TST-SW10(config)#aaa authentication login ?     
  WORD     Named authentication list (max 31 characters, longer will be
           rejected).
  default  The default authentication list.

We are not using public-keys for authentication so I don't think that is the issue.

 

Hey,

I faced this issue in the past.

From Programmability Configuration Guide, Cisco IOS XE Bengaluru 17.6.x - NETCONF Protocol [Cisco IOS XE 17] - Cisco, it is clearly stated:

"Only the default AAA authentication login method is supported for the NETCONF protocol."

It was also documented in bug-id CSCvu09830 but somehow I'm not entitled anymore to see it.

Sylvain.

I am not able to see the bug either.

I guess we don't have a timeframe for when this will be fixed then.

MUP0
Level 1

If you are running a newer IOS XE (I can't say as of which version; I couldn't find the commands below in the command line references) and want to use custom method lists for NETCONF, try these:

yang-interfaces aaa authentication method-list <authMethodListName>
yang-interfaces aaa authorization method-list <authZMethodListName>

And let me know if you find them in the guides

Thank you for the reply. The commands do not seem to be in version 17.6.6a.

Yeah, I see, it was introduced recently, as I said, but I can't tell the exact version.

We are on 17.9.x and it is there. Once I configured the commands below, I could see the authentications going to ISE; before that they were local, since that is where "default" points to: aaa authentication login default local

yang-interfaces aaa authentication method-list <authMethodListName>
yang-interfaces aaa authorization method-list <authZMethodListName>

Great info, thank you.

We are still running the 17.6 train, but in the process of upgrading to 17.9 at the moment. I will for sure check it out.
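The failure mode described in the last few replies (NETCONF silently using the default method list, so sessions authenticate locally while interactive SSH goes to ISE, until yang-interfaces aaa ... method-list points NETCONF at the named list) is easy to miss in a config review. The script below is an added example for this thread, not Cisco code and not something the posters ran: it parses a running-config dump as text and reports which login and exec method lists NETCONF will use, flagging the split-AAA case. The two sample configs inside it are constructed; the assumption that yang-interfaces aaa authentication/authorization method-list overrides default for NETCONF is taken from the 17.9 reply above, and the script does not model platform fallbacks when a referenced list is undefined.

```python
"""Audit which AAA method lists NETCONF-YANG will use, from a running-config dump.

Added example for this forum thread (not Cisco code). Assumptions, from the
17.9 reply rather than from Cisco documentation:
  * NETCONF uses the 'default' login/exec lists unless
    'yang-interfaces aaa authentication|authorization method-list <name>' is set;
  * interactive SSH uses the lists configured under 'line vty'.
"""
import re


def _methods(rest):
    """Split 'group radius local' into ['group radius', 'local']."""
    toks = rest.split()
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_config(text):
    """Collect method lists, NETCONF state and the vty lists from config text."""
    lists = {"login": {}, "exec": {}}
    netconf = {"enabled": False, "login": "default", "exec": "default"}
    vty = {"login": "default", "exec": "default"}
    in_vty = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and line.startswith(" "):       # sub-commands of 'line vty'
            m = re.match(r"\s+login authentication (\S+)", line)
            if m:
                vty["login"] = m.group(1)
            m = re.match(r"\s+authorization exec (\S+)", line)
            if m:
                vty["exec"] = m.group(1)
            continue
        in_vty = False                             # back at global config level
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            lists["login"][m.group(1)] = _methods(m.group(2))
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m:
            lists["exec"][m.group(1)] = _methods(m.group(2))
        if line == "netconf-yang":
            netconf["enabled"] = True
        m = re.match(r"yang-interfaces aaa authentication method-list (\S+)", line)
        if m:
            netconf["login"] = m.group(1)
        m = re.match(r"yang-interfaces aaa authorization method-list (\S+)", line)
        if m:
            netconf["exec"] = m.group(1)
    return lists, netconf, vty


def audit(text):
    """Return the effective NETCONF lists plus findings a reviewer should act on."""
    lists, netconf, vty = parse_config(text)
    findings = []
    result = {"netconf_enabled": netconf["enabled"], "findings": findings}
    if not netconf["enabled"]:
        return result
    for kind in ("login", "exec"):
        name = netconf[kind]
        methods = lists[kind].get(name)
        result[kind] = {"list": name, "methods": methods}
        if methods is None:
            findings.append(f"NETCONF {kind} list '{name}' is not defined in the config")
            continue
        if "none" in methods:
            findings.append(f"NETCONF {kind} list '{name}' contains 'none'")
        uses_server = any(m.startswith("group ") for m in methods)
        others = [n for n, ms in lists[kind].items()
                  if n != name and any(m.startswith("group ") for m in ms)]
        if not uses_server and others:
            findings.append(f"NETCONF {kind} uses '{name}' ({' '.join(methods)}) while "
                            f"{others} go to an AAA server: NETCONF bypasses central AAA")
        if vty[kind] != name:
            findings.append(f"vty {kind} uses '{vty[kind]}' but NETCONF uses '{name}'")
    return result


# Constructed sample: the situation from the thread, before the 17.9 commands.
CONFIG_NO_OVERRIDE = """\
aaa new-model
!
aaa authentication login default local
aaa authentication login ISE_LIST group radius local
aaa authorization exec default local
aaa authorization exec ISE_LIST group radius local
!
line vty 0 4
 login authentication ISE_LIST
 authorization exec ISE_LIST
 transport input ssh
!
netconf-yang
"""

# Constructed sample: same config with NETCONF pointed at the named list.
CONFIG_WITH_OVERRIDE = CONFIG_NO_OVERRIDE + (
    "yang-interfaces aaa authentication method-list ISE_LIST\n"
    "yang-interfaces aaa authorization method-list ISE_LIST\n")

if __name__ == "__main__":
    for label, cfg in (("no override", CONFIG_NO_OVERRIDE), ("with override", CONFIG_WITH_OVERRIDE)):
        r = audit(cfg)
        print(label, "->", r["login"], r["exec"])
        for f in r["findings"]:
            print("  FINDING:", f)
```

Run it against "show running-config" output saved to a file; a config that only defines named lists (as in the original post) shows up as "NETCONF login list 'default' is not defined", which is the condition the 17.6 documentation quote above warns about.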
