cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2841
Views
0
Helpful
10
Replies

NETCONF isn't working with DNAC + WLC 9800 + TACACs auth,autho

Scott12
Level 1
Level 1

Hi there,

I am trying to add our WLC 9800 in DNA Center, but for some reason we're the NETCONF isn't working. NETCONF is already configured on the WLC with the SNMP community is fine until here. When I go to the DNA Center and try to validate the credencials I can see this:

CLI (check mark OK)
SNMP (check mark OK)
NETCONF (X in red color)

As I mentioned before, the NETCONF is configured and to be able to access the WLC we use TACACs throughout Cisco ISE, all of our accounts have the 15 priviledge.

I was able to catch this log on the wlc 9800

%5-authentication failed: chassis 1 R0/0: dmiauthd: Authentication failure for netconf over ssh

And below you can find my configuration about AAA authentication.


aaa new-model
aaa group server tacacs+ SRV_Tacacs
server name Serv_Tacacs_172.16.21.11
server name Serv_Tacacs_172.21.11.11
aaa authentication login default local
aaa authentication login Tacacs-authentication group SRV_Tacacs local
aaa authorization exec Tacacs-authorization group SRV_Tacacs if-authenticated
aaa authorization network default local
aaa accounting exec Tacacs_Authorization_Accounting start-stop group SRV_Tacacs
!
!
aaa session-id common
ip http authentication aaa login-authentication Tacacs-authentication
ip http authentication aaa exec-authorization Tacacs-authorization
commands configure include aaa attribute list
commands configure include aaa attribute
commands configure include aaa
commands exec include show aaa local
commands exec include show aaa
wireless aaa policy default-aaa-policy
aaa-override

I am not sure if I have to add or modify something else on ISE side or on the WLC.

Any thought?

Thanks in advance

10 Replies 10

ammahend
VIP
VIP

I think NETCONF has limitation where is only works with "default" AAA method lists for login and authorization, make sure you are only using default method list and not others, give it a try. Share result after change.

-hope this helps-

Hi

  https://community.cisco.com/t5/cisco-digital-network-architecture-dna/9800-wlc-netconf-failing-with-dna/td-p/4554567

For first setup, you need to use local auth

aaa authentication login default local

aaa authorization exec default local

Hi,

Let see if I understood, what I have to do is remove my tacacs configuration and use the local auth, then reconfigure the tacacs authentication, is it?

Yeah, for discovery use only local. Then, after discovery you can push the proper  tacacs config to device during the provisioning

Ok gotcha, I will go ahead and will modify the tacacs config, I will put the aaa local and finally add again the tacacs config.

I come back tomorrow and I will put it here my inputs.

Is it work? remove tacacs configuration, and use only local for discovery process then add again tacacs config?

Did you fix this issue by adding the local authentication ? could you please update the status here ? I am also facing the same issue 

As already provided, you can directly go to the :https://community.cisco.com/t5/cisco-catalyst-center/9800-wlc-netconf-failing-with-dna/td-p/4554567 to resolve your issue.

Im facing the same issue as well, and I already did:

add aaa login default local:
aaa authentication login default group ISE-Tacacs+ local
aaa authentication login Tacacs-Auth local group ISE-Tacacs+
aaa authorization exec default group ISE-Tacacs+ local
aaa authorization exec Tacacs-Autho local group ISE-Tacacs+

My vtys line:

line vty 0 4
authorization exec Tacacs-Autho
accounting exec Tacacs-Autho-VTY
logging synchronous
login authentication Tacacs-Auth
length 0
transport input ssh
line vty 5 15
authorization exec Tacacs-Autho
accounting exec Tacacs-Autho-VTY
logging synchronous
login authentication Tacacs-Auth
transport input ssh

in wlc logs:

%DMI-5-AUTHENTICATION_FAILED: Chassis 1 R0/0: dmiauthd: Authentication failure from X.X.X.X:32568 for netconf over ssh.

Netconf still not working

In order for this to work, you need 

authorization exec default

on your vty lines.

Hope this helps. 

Regards, LG
*** Please Rate All Helpful Responses ***
Review Cisco Networking for a $25 gift card