06-26-2023 12:59 PM
Hi there,
I am trying to add our WLC 9800 in DNA Center, but for some reason the NETCONF isn't working. NETCONF is already configured on the WLC along with the SNMP community, and everything is fine until here. When I go to the DNA Center and try to validate the credentials I can see this:
CLI (check mark OK)
SNMP (check mark OK)
NETCONF (X in red color)
As I mentioned before, the NETCONF is configured, and to be able to access the WLC we use TACACS through Cisco ISE; all of our accounts have privilege 15.
I was able to catch this log on the wlc 9800
%5-authentication failed: chassis 1 R0/0: dmiauthd: Authentication failure for netconf over ssh
And below you can find my configuration about AAA authentication.
aaa new-model
aaa group server tacacs+ SRV_Tacacs
server name Serv_Tacacs_172.16.21.11
server name Serv_Tacacs_172.21.11.11
aaa authentication login default local
aaa authentication login Tacacs-authentication group SRV_Tacacs local
aaa authorization exec Tacacs-authorization group SRV_Tacacs if-authenticated
aaa authorization network default local
aaa accounting exec Tacacs_Authorization_Accounting start-stop group SRV_Tacacs
!
!
aaa session-id common
ip http authentication aaa login-authentication Tacacs-authentication
ip http authentication aaa exec-authorization Tacacs-authorization
commands configure include aaa attribute list
commands configure include aaa attribute
commands configure include aaa
commands exec include show aaa local
commands exec include show aaa
wireless aaa policy default-aaa-policy
aaa-override
I am not sure if I have to add or modify something else on ISE side or on the WLC.
Any thoughts?
Thanks in advance
06-26-2023 01:18 PM - edited 06-26-2023 01:20 PM
I think NETCONF has a limitation where it only works with "default" AAA method lists for login and authorization. Make sure you are only using the default method list and not others, and give it a try. Share the result after the change.
06-26-2023 01:40 PM
Hi
For first setup, you need to use local auth
aaa authentication login default local
aaa authorization exec default local
06-27-2023 09:22 AM
Hi,
Let me see if I understood: what I have to do is remove my tacacs configuration and use the local auth, then reconfigure the tacacs authentication, is that it?
06-27-2023 09:36 AM
Yeah, for discovery use only local. Then, after discovery, you can push the proper tacacs config to the device during provisioning.
06-27-2023 11:47 AM
OK, gotcha. I will go ahead and modify the tacacs config: I will put the aaa local and finally add the tacacs config again.
I will come back tomorrow and post my inputs here.
11-29-2024 06:13 AM
Did it work? Remove the tacacs configuration and use only local for the discovery process, then add the tacacs config again?
11-21-2024 01:42 AM
Did you fix this issue by adding the local authentication? Could you please update the status here? I am also facing the same issue.
11-23-2024 11:22 AM
As already provided, you can go directly to https://community.cisco.com/t5/cisco-catalyst-center/9800-wlc-netconf-failing-with-dna/td-p/4554567 to resolve your issue.
11-29-2024 06:12 AM
I'm facing the same issue as well, and I already did:
add aaa login default local:
aaa authentication login default group ISE-Tacacs+ local
aaa authentication login Tacacs-Auth local group ISE-Tacacs+
aaa authorization exec default group ISE-Tacacs+ local
aaa authorization exec Tacacs-Autho local group ISE-Tacacs+
My vtys line:
line vty 0 4
authorization exec Tacacs-Autho
accounting exec Tacacs-Autho-VTY
logging synchronous
login authentication Tacacs-Auth
length 0
transport input ssh
line vty 5 15
authorization exec Tacacs-Autho
accounting exec Tacacs-Autho-VTY
logging synchronous
login authentication Tacacs-Auth
transport input ssh
in wlc logs:
%DMI-5-AUTHENTICATION_FAILED: Chassis 1 R0/0: dmiauthd: Authentication failure from X.X.X.X:32568 for netconf over ssh.
Netconf still not working
11-29-2024 11:15 AM
In order for this to work, you need
authorization exec default
on your vty lines.
Hope this helps.
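The checks suggested in the replies above (a `default` method list for login and for exec authorization, and vty lines that do not point at a named list), written as a small Python audit over a saved running-config. This is an added example, not code from any poster or from Cisco; the function name `audit_netconf_aaa` and the sample configuration are constructed, and it assumes sub-commands are indented as they are in `show running-config` output.

```python
import re

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group ISE-Tacacs+ local
aaa authentication login Tacacs-Auth local group ISE-Tacacs+
aaa authorization exec default group ISE-Tacacs+ local
aaa authorization exec Tacacs-Autho local group ISE-Tacacs+
line vty 0 4
 authorization exec Tacacs-Autho
 login authentication Tacacs-Auth
 transport input ssh
line vty 5 15
 authorization exec Tacacs-Autho
 login authentication Tacacs-Auth
 transport input ssh
"""


def audit_netconf_aaa(config: str) -> list[str]:
    """Return findings for the AAA conditions named in the thread (hypothetical helper)."""
    findings = []
    lines = config.splitlines()

    # 1. Both 'default' method lists must be defined.
    for kind in ("authentication login", "authorization exec"):
        if not any(re.match(rf"\s*aaa {kind} default\s+\S", l) for l in lines):
            findings.append(f"missing 'aaa {kind} default' method list")

    # 2. vty lines must not reference a named (non-default) method list.
    vty = None
    for line in lines:
        if line.startswith("line vty"):
            vty = line.strip()
            continue
        if vty and not line.startswith(" "):  # unindented line ends the vty block
            vty = None
        if vty:
            m = re.match(r"\s+(authorization exec|login authentication) (\S+)", line)
            if m and m.group(2) != "default":
                findings.append(f"{vty}: '{m.group(1)}' uses named list '{m.group(2)}'")
    return findings


if __name__ == "__main__":
    for finding in audit_netconf_aaa(SAMPLE_CONFIG):
        print(finding)
```

An empty list means the configuration meets the conditions the replies describe; it does not by itself confirm that NETCONF authentication will succeed.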