RestConf curl Tacacs authentication failing

joeharb
Level 5

We are testing some curl commands against an ASR router that utilizes TACACS (ISE) for authentication, and authentications are failing. We can SSH using the same creds to the device without issue.

We have tried multiple variations of --user "username:password", --user username:password ...etc and we see the proper username in the failed ISE logs.

Any help would be appreciated.

Thanks,

Joe

16 Replies

balaji.bandi
Hall of Fame

Can you post the code here to look at, and what error are you getting on the client side?

 

BB


Joe and I have been working on this issue.  Here is the code we are sending.

curl -k -v -X PATCH https://x.x.x.x/restconf/data/Cisco-IOS-XE-native:native/object-group/Cisco-IOS-XE-object-group:network=blacklist_sources/obj-Mode-config-network-group/host -H 'Content-Type: application/yang-data+json' --user "admin:admin" --data '{"host":[{"ipv4-host":"1.2.3.4"}]}'

This is the part of the response we get from the server. 

> User-Agent: curl/7.29.0
> Host: 10.4.37.168
> Accept: */*
> Content-Type: application/yang-data+json
> Content-Length: 36
>
* upload completely sent off: 36 out of 36 bytes
< HTTP/1.1 401 Unauthorized
< Server: openresty
< Date: Thu, 26 Jan 2023 22:07:41 GMT
< Content-Type: application/yang-data+json
< Transfer-Encoding: chunked
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="restconf"
< Vary: Accept-Encoding
<
{
"errors": {
"error": [
{
"error-tag": "access-denied",
"error-type": "protocol"
}
]
}
}

It is important to note that the account is able to make changes on the router, just not using RESTCONF.

marce1000
VIP

 

- Try a local account for restconf.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Per company policy, we cannot set up a local account. We are looking to go to production with this, so we want to mirror whatever we do in a Dev environment.

Hello,

You mean the RESTCONF AAA authentication is not working? Post the full running configuration of your ASR router...

I have attached our running config.  

Are you using a priv level 15 user with the restconf call?

Yes. This user is able to make changes when I SSH to the router itself and has the proper priv level set. We are seeing a 401 Unauthorized; it seems that it is not using AAA authentication when making the RESTCONF call.

I should have asked: does the user have to go through the "enable" process when you SSH to the device? RESTCONF does not have an enable process, so the user needs to have priv-level=15 in the TACACS server. The error message looks like an authorization failure rather than authentication.

Yes, that is correct. I have to go through enable when I SSH to the server. Joe was seeing failed authentications on his end in the TACACS+ logs, and a 401 does correlate with failed authentication. That is why I thought it was that. However, if RESTCONF does not go through the enable process, that is likely the issue. I will have Joe verify that priv-level=15 is assigned to the user and respond back.

ISE shows authentication failed, we never get to the authorization policy. 

Agree it is authentication problem.  I have it replicated in my lab by using bogus credentials.  Using correct credentials for user with priv-level=15 does give the intended output.   Do you have a priv-level=15 user:pass of admin:admin  in the TACACS server?

[root@Raggedtooth ~]# curl -k -v -X GET -u sdfsdf:sdfgrf1940 -H 'accept: application/yang-data+json' "https://192.168.0.20/restconf/data/openconfig-interfaces:interfaces/interface=GigabitEthernet2"
* About to connect() to 192.168.0.20 port 443 (#0)
*   Trying 192.168.0.20...
* Connected to 192.168.0.20 (192.168.0.20) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=IOS-Self-Signed-Certificate-3836444455
* 	start date: Feb 06 02:19:33 2022 GMT
* 	expire date: Feb 06 02:19:33 2032 GMT
* 	common name: IOS-Self-Signed-Certificate-3836444455
* 	issuer: CN=IOS-Self-Signed-Certificate-3836444455
* Server auth using Basic with user 'sdfsdf'
> GET /restconf/data/openconfig-interfaces:interfaces/interface=GigabitEthernet2 HTTP/1.1
> Authorization: Basic c2Rmc2RmOnNkZmdyZjE5NDA=
> User-Agent: curl/7.29.0
> Host: 192.168.0.20
> accept: application/yang-data+json
> 
< HTTP/1.1 401 Unauthorized
< Server: openresty
< Date: Fri, 27 Jan 2023 20:30:22 GMT
< Content-Type: application/yang-data+json
< Transfer-Encoding: chunked
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="restconf"
< Vary: Accept-Encoding
< 
{
  "errors": {
    "error": [
      {
        "error-tag": "access-denied",
        "error-type": "protocol"
      }
    ]
  }
}

[root@Raggedtooth ~]# curl -k -v -X GET -u dafrey:xxxxxx -H 'accept: application/yang-data+json' "https://192.168.0.20/restconf/data/openconfig-interfaces:interfaces/interface=GigabitEthernet2"
* About to connect() to 192.168.0.20 port 443 (#0)
*   Trying 192.168.0.20...
* Connected to 192.168.0.20 (192.168.0.20) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=IOS-Self-Signed-Certificate-3836444455
* 	start date: Feb 06 02:19:33 2022 GMT
* 	expire date: Feb 06 02:19:33 2032 GMT
* 	common name: IOS-Self-Signed-Certificate-3836444455
* 	issuer: CN=IOS-Self-Signed-Certificate-3836444455
* Server auth using Basic with user 'dafrey'
> GET /restconf/data/openconfig-interfaces:interfaces/interface=GigabitEthernet2 HTTP/1.1
> Authorization: Basic ZGFmcmV5OmdyZjE5NDA=
> User-Agent: curl/7.29.0
> Host: 192.168.0.20
> accept: application/yang-data+json
> 
< HTTP/1.1 200 OK
< Server: openresty
< Date: Fri, 27 Jan 2023 20:29:38 GMT
< Content-Type: application/yang-data+json
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Pragma: no-cache
< 
{
  "openconfig-interfaces:interface": {
    "name": "GigabitEthernet2",
    "config": {
      "name": "GigabitEthernet2",
      "type": "iana-if-type:ethernetCsmacd",
      "description": "link to CloudGW",
      "enabled": true
    },
    "state": {
      "name": "GigabitEthernet2",
      "type": "iana-if-type:ethernetCsmacd",
      "description": "link to CloudGW",
<truncate>
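The two curl exchanges in this thread (the PATCH that fails with 401 and the lab GET that succeeds once a real priv-level=15 user is supplied) both come down to one Basic Authorization header and one small JSON error envelope. The Python below is an added example, not code from the thread or from Cisco: it builds that header, classifies a RESTCONF status/body pair so a script can tell an access-denied rejection from returned data, and issues the same GET with certificate verification on by default (the thread uses curl -k, which skips it). The sample bodies are constructed from the responses quoted above; `restconf_get`, `classify_response` and the `insecure` flag are names assumed for this example. Two practitioner notes: the Authorization header that curl -v prints is base64, not encryption, so redact it before pasting verbose output; and in urllib a 401 surfaces as HTTPError, which the code catches so the yang-data error body can still be read.

```python
"""RESTCONF Basic-auth helper and response classifier.

Added example for the thread above, not from the thread or from Cisco.
Assumes only the Python standard library; sample bodies are constructed
from the responses quoted in the thread.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional

YANG_JSON = "application/yang-data+json"


def basic_auth_header(user: str, password: str) -> str:
    """Return the Authorization value that `curl -u user:password` sends.

    Base64 is an encoding, not encryption: anything that logs this header
    (curl -v output, a proxy, shell history) exposes the password, so it
    belongs only on a TLS session whose certificate is actually verified.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def classify_response(status: int, body: str) -> dict:
    """Reduce a RESTCONF status/body pair to something a script can branch on.

    RESTCONF errors arrive as {"errors": {"error": [{"error-tag": ..,
    "error-type": ..}]}}; a 401 whose first error-tag is "access-denied"
    is the server rejecting the credentials themselves, which is what the
    thread's captures show (ISE logs an authentication failure, so the
    authorization policy is never reached).
    """
    result = {"status": status, "ok": 200 <= status < 300,
              "error_tag": None, "error_type": None, "data": None}
    try:
        parsed = json.loads(body) if body else None
    except json.JSONDecodeError:
        parsed = None          # not yang-data+json; keep the status only
    if not isinstance(parsed, dict):
        return result
    errors = parsed.get("errors", {}).get("error") or []
    if errors:
        result["error_tag"] = errors[0].get("error-tag")
        result["error_type"] = errors[0].get("error-type")
    else:
        result["data"] = parsed
    return result


def restconf_get(host: str, path: str, user: str, password: str,
                 ca_file: Optional[str] = None, insecure: bool = False) -> dict:
    """Issue the GET the thread runs with curl, verifying the certificate.

    ca_file: PEM file with the router's certificate or its issuer CA.
    insecure=True reproduces `curl -k` (no verification); keep it for labs
    with the IOS self-signed certificate only.
    (Hypothetical helper; not part of the thread.)
    """
    url = f"https://{host}/restconf/data/{path}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Accept", YANG_JSON)
    req.add_header("Authorization", basic_auth_header(user, password))
    ctx = ssl.create_default_context(cafile=ca_file)
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return classify_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        # 401/403/404 carry the yang-data error envelope in the body.
        return classify_response(exc.code, exc.read().decode())


# Constructed from the 401 body quoted in the thread.
DENIED_BODY = json.dumps({"errors": {"error": [
    {"error-tag": "access-denied", "error-type": "protocol"}]}})
# Constructed from the start of the 200 body quoted in the thread.
OK_BODY = json.dumps({"openconfig-interfaces:interface": {
    "name": "GigabitEthernet2",
    "config": {"name": "GigabitEthernet2", "enabled": True}}})

if __name__ == "__main__":
    # Same header curl -v printed for the bogus lab user in the thread.
    print(basic_auth_header("sdfsdf", "sdfgrf1940"))
    print(classify_response(401, DENIED_BODY))
    print(classify_response(200, OK_BODY))
    # Live call (needs network, e.g. the lab router in the thread):
    # print(restconf_get("192.168.0.20",
    #       "openconfig-interfaces:interfaces/interface=GigabitEthernet2",
    #       "dafrey", "secret", insecure=True))
```

Running the file offline prints the header `Basic c2Rmc2RmOnNkZmdyZjE5NDA=`, identical to the one in the bogus-credential capture above, followed by the classified 401 and 200 results; `restconf_get` is only exercised when pointed at a real router.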

 

I was wrong, we do not have to use an enable password.  The user is privilege level 15.

ASR-API-TEST#show privilege
Current privilege level is 15  

 

- Try a local account for restconf.

 M.