Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2395
Views
0
Helpful
5
Replies

NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Scott12
Level 1
Level 1

‎06-26-2023 12:59 PM

Hi there,

I am trying to add our WLC 9800 in DNA Center, but for some reason we're the NETCONF isn't working. NETCONF is already configured on the WLC with the SNMP community is fine until here. When I go to the DNA Center and try to validate the credencials I can see this:

CLI (check mark OK)
SNMP (check mark OK)
NETCONF (X in red color)

As I mentioned before, the NETCONF is configured and to be able to access the WLC we use TACACs throughout Cisco ISE, all of our accounts have the 15 priviledge.

I was able to catch this log on the wlc 9800

%5-authentication failed: chassis 1 R0/0: dmiauthd: Authentication failure for netconf over ssh

And below you can find my configuration about AAA authentication.


aaa new-model
aaa group server tacacs+ SRV_Tacacs
server name Serv_Tacacs_172.16.21.11
server name Serv_Tacacs_172.21.11.11
aaa authentication login default local
aaa authentication login Tacacs-authentication group SRV_Tacacs local
aaa authorization exec Tacacs-authorization group SRV_Tacacs if-authenticated
aaa authorization network default local
aaa accounting exec Tacacs_Authorization_Accounting start-stop group SRV_Tacacs
!
!
aaa session-id common
ip http authentication aaa login-authentication Tacacs-authentication
ip http authentication aaa exec-authorization Tacacs-authorization
commands configure include aaa attribute list
commands configure include aaa attribute
commands configure include aaa
commands exec include show aaa local
commands exec include show aaa
wireless aaa policy default-aaa-policy
aaa-override

I am not sure if I have to add or modify something else on ISE side or on the WLC.

Any thought?

Thanks in advance

0 Helpful
5 Replies 5

ammahend
VIP
VIP

‎06-26-2023 01:18 PM - edited ‎06-26-2023 01:20 PM

I think NETCONF has limitation where is only works with "default" AAA method lists for login and authorization, make sure you are only using default method list and not others, give it a try. Share result after change.

-hope this helps-
0 Helpful

Flavio Miranda
VIP
VIP

‎06-26-2023 01:40 PM

Hi

  https://community.cisco.com/t5/cisco-digital-network-architecture-dna/9800-wlc-netconf-failing-with-dna/td-p/4554567

For first setup, you need to use local auth

aaa authentication login default local

aaa authorization exec default local

0 Helpful

Scott12
Level 1
Level 1
In response to Flavio Miranda

‎06-27-2023 09:22 AM

Hi,

Let see if I understood, what I have to do is remove my tacacs configuration and use the local auth, then reconfigure the tacacs authentication, is it?

0 Helpful

Flavio Miranda
VIP
VIP
In response to Scott12

‎06-27-2023 09:36 AM

Yeah, for discovery use only local. Then, after discovery you can push the proper  tacacs config to device during the provisioning

0 Helpful

Scott12
Level 1
Level 1
In response to Flavio Miranda

‎06-27-2023 11:47 AM

Ok gotcha, I will go ahead and will modify the tacacs config, I will put the aaa local and finally add again the tacacs config.

I come back tomorrow and I will put it here my inputs.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card