Cisco DNA Center: Use of TACACS for Netconf

To enable TACACS with Netconf, we must enable port 830 for Netconf on DNA Center, and that port should be validated with TACACS credentials.

Let us take an example where we enable Netconf for the Cisco Catalyst 9800 WLC. There are the following things we need to take care of:

1. Configure the WLC with "netconf-yang"
2. On DNA Center, edit the device and set port 830 for Netconf.
3. Replace the local credentials with the Global TACACS credentials and validate again.

Let's go with item no. 1 here.

Step 1. Verify that Netconf is enabled on C9800:
NDNA_WLC# show run | inc netconf
netconf-yang

Step 2 (Optional): If not present, follow "NETCONF configuration on the Cat 9800 WLC"
NDNA_WLC(config)#netconf-yang

The Netconf YANG model is now enabled on the WLC. Now go with item no. 2:

Step 1: Check for the inventory
Go to DNA center --> Provision --> Inventory and search for the specific WLC for which you want to enable Netconf.

Fig 1.1- DNA C Dashboard

Step 2: Edit device parameters
Go to Action --> Inventory --> Edit device and you will see the credentials page. Scroll down to the Netconf option, put 830 in the Netconf column, and validate the credentials (scroll back up to the top of the same page to see the validation).

Fig 1.2- DNA C Dashboard

Fig 1.3- DNA C Dashboard


Let's go with item no. 3 here.

Step 1: TACACS AAA configs on WLC
The purpose is to use TACACS for Netconf, so we need to configure some AAA commands on the WLC itself.

NDNA_WLC(config)# aaa authorization exec default <tacacs group>
NDNA_WLC(config)# aaa authentication login default <tacacs group>

Netconf on C9800 uses the default method list for both AAA authentication login and AAA authorization exec.

Step 2: Change "edit device specific credentials" to "Select Global credentials"
The credentials shown under the edit device parameters are sometimes local. Repeat step no. 2 of item no. 2 and edit the device to reach the credentials page. There, change "edit device specific credentials" to "Select Global credentials", add your TACACS credentials, and validate again as you did in item no. 2.

You will see the green check box in front of Netconf which means the credentials are correct.
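
Because Netconf on the C9800 follows the default method lists, TACACS configured only on a named list will not apply to it. The check below is an added example, not part of the original post or Cisco's tooling: it audits a saved running-config for netconf-yang and for a TACACS+ group on both default lists. The sample configs are constructed, and the group name ISE-TACACS and list name VTY are assumptions.

```python
import re

# Constructed sample configs; ISE-TACACS and VTY are assumed names.
GOOD = """\
aaa new-model
aaa group server tacacs+ ISE-TACACS
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
netconf-yang
"""
# TACACS only on a named list (VTY): the default lists Netconf uses miss it.
BAD = """\
aaa new-model
aaa group server tacacs+ ISE-TACACS
aaa authentication login default local
aaa authentication login VTY group ISE-TACACS local
aaa authorization exec VTY group ISE-TACACS local
netconf-yang
"""

def default_methods(config, command):
    """Return the methods after '<command> default', or None if absent."""
    for line in config.splitlines():
        m = re.match(rf"{re.escape(command)} default\s+(.*)$", line)
        if m:
            return m.group(1).split()
    return None

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^netconf-yang\s*$", config, re.M):
        findings.append("netconf-yang is not enabled")
    # Server groups defined on the box, plus the built-in 'tacacs+' group.
    groups = set(re.findall(r"^aaa group server tacacs\+ (\S+)", config, re.M))
    groups.add("tacacs+")
    for command in ("aaa authentication login", "aaa authorization exec"):
        methods = default_methods(config, command)
        if methods is None:
            findings.append(f"no default method list for '{command}'")
            continue
        # Names that follow the keyword 'group' in the method list.
        used = {n for kw, n in zip(methods, methods[1:]) if kw == "group"}
        if not used & groups:
            findings.append(f"'{command} default' has no TACACS+ group")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg) or "OK")
```

Run it against the output of "show run" saved from the WLC before validating the Global credentials in DNA Center.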