03-22-2023 06:27 AM
Hi Everyone
I am enabling netconf on Cat9k switches and want to use a custom AAA group for it and not just the default.
I have the following configuration that works, but want to change it so we use a named group and not the default:
aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
netconf-yang
!!!!!! Configuration I would like to use:
aaa new-model
!
aaa authentication login AAA_GROUP group radius local
aaa authorization exec AAA_GROUP group radius local
!
netconf-yang
But I cannot find any information on how to configure NETCONF to use an AAA group and not the default.
10-25-2023 06:59 AM
Hey,
I faced this issue in the past.
From Programmability Configuration Guide, Cisco IOS XE Bengaluru 17.6.x - NETCONF Protocol [Cisco IOS XE 17] - Cisco, it is clearly stated:
"Only the default AAA authentication login method is supported for the NETCONF protocol."
It was also documented in bug-id CSCvu09830 but somehow I'm not entitled anymore to see it.
Sylvain.
03-23-2023 06:34 AM - edited 03-23-2023 06:38 AM
NETCONF is a language to pass application information,
but basically the transport is SSH, especially if you configured
netconf-yang ssh ipv4
NB: some models accept a named ACL, others only a numbered one.
Also check the IOS XE version; here are some examples:
! e.g. models: ASR1001-X, IE2000, C3750G, C3560G, C3750, IE2000, C891, C3850, C2960, C3560
netconf ssh acl 12
! e.g. models: C3650, C1111, C9300L, ASR1001, C9300, C9500
netconf-yang ssh ipv4 access-list name netconf_acl
Also include:
line vty 0 4
authorization exec AAA_GROUP
login authentication AAA_GROUP
03-28-2023 12:39 AM
Hi pieterh
We already have the line vty config you mention, and AAA with the AAA_GROUP works for SSH. But the default is still used for netconf-yang.
line vty 0 4
authorization exec AAA_GROUP
login authentication AAA_GROUP
03-28-2023 07:57 AM
aaa authentication login AAA_GROUP group radius local
-> must this not be:
aaa authentication login group AAA_GROUP local
But when I read the document below, it looks like either local or TACACS+ AAA, but not RADIUS AAA, can be used:
Programmability Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - NETCONF Protocol [Cisco IOS XE 17] - Cisco
If a user authenticates via the public-key; but does not have a corresponding Authentication, Authorization, and Accounting (AAA) configuration, this user is rejected. If a user authenticates via a public-key; but the AAA configuration for NETCONF is using a AAA source other than the local, this user is also rejected. Local and TACACS+ AAA authorization are supported.
03-29-2023 12:36 AM
The commands are correct. I think the order depends on the IOS version.
TST-SW10(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be
rejected).
default The default authentication list.
We are not using public-keys for authentication so I don't think that is the issue.
10-26-2023 06:24 AM
I am not able to see the bug either.
I guess we don't have a timeframe for when this will be fixed then.
11-13-2023 03:33 AM - edited 11-13-2023 03:34 AM
If you are running a newer IOS-XE (can't say as of which version, I couldn't find the below commands in the command line references) and want to use custom method lists for Netconf try these:
yang-interfaces aaa authentication method-list <authMethodListName>
yang-interfaces aaa authorization method-list <authZMethodListName>
And let me know if you find them in the guides.
11-21-2023 06:51 AM
Thank you for the reply. The commands do not seem to be in version 17.6.6a.
11-26-2023 07:35 AM
Yeah, I see, it was introduced recently, as I said, but I can't tell the exact version.
We are on 17.9.x and it is there. Once I configured the commands below, I could see the authentications going to ISE; before that they were local, since that is where "default" points to: aaa authentication login default local
yang-interfaces aaa authentication method-list <authMethodListName>
yang-interfaces aaa authorization method-list <authZMethodListName>
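As an added example (not posted by anyone in this thread), a small Python audit that parses an IOS XE running-config and reports which AAA login method list NETCONF sessions will actually be checked against, following the behaviour described above: "default" unless the newer yang-interfaces command selects a named list. The sample config, the regexes and the assumption that NETCONF only honours that one command are mine, not Cisco's.

```python
import re

# Constructed sample running-config (not from the thread): a named list on the
# vty lines but no NETCONF-specific method-list command, so NETCONF still
# authenticates against "default", which here is local only.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login AAA_GROUP group radius local
aaa authorization exec AAA_GROUP group radius local
line vty 0 4
 login authentication AAA_GROUP
 authorization exec AAA_GROUP
netconf-yang
"""

# Assumed behaviour (as described in the thread): NETCONF uses the "default" login list
# unless "yang-interfaces aaa authentication method-list <name>" (newer IOS XE) names another.
YANG_LOGIN_RE = re.compile(r"^yang-interfaces aaa authentication method-list\s+(\S+)", re.M)

def netconf_login_list(config: str) -> str:
    """Name of the AAA login method list NETCONF sessions will be checked against."""
    m = YANG_LOGIN_RE.search(config)
    return m.group(1) if m else "default"

def login_methods(config: str, list_name: str) -> list:
    """Ordered methods of 'aaa authentication login <list_name> ...', e.g. ['group radius', 'local']."""
    m = re.search(rf"^aaa authentication login {re.escape(list_name)}\s+(.+)$", config, re.M)
    if not m:
        return []
    tokens = m.group(1).split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")  # "group radius", "group tacacs+", "group <name>"
            i += 2
        else:
            methods.append(tokens[i])  # local, enable, line, none, ...
            i += 1
    return methods

def audit_netconf_aaa(config: str) -> dict:
    """Report which list NETCONF logins hit and whether a remote AAA server is consulted first."""
    if not re.search(r"^netconf-yang\s*$", config, re.M):
        return {"netconf_enabled": False}
    name = netconf_login_list(config)
    methods = login_methods(config, name)
    return {"netconf_enabled": True, "login_list": name, "methods": methods,
            "remote_server_first": bool(methods) and methods[0].startswith("group ")}
```

Running it on SAMPLE_CONFIG flags "default" with methods ['local'] even though the vty lines point at AAA_GROUP; appending the yang-interfaces line for AAA_GROUP makes the same audit report RADIUS first.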
11-29-2023 03:40 AM
Great info, thank you.
We are still running the 17.6 train, but in the process of upgrading to 17.9 at the moment. I will for sure check it out.