XCONF-AAA
NETCONF and RESTCONF provide a means to interact with a device programmatically, in a model-based, machine-consumable, easy to understand and standards-based way. At a minimum, local users with privilege level 15 access need to be configured on the system to allow those users unfettered access to it.
Authentication/Feature Commands
As of IOS-XE 16.3, NETCONF and RESTCONF connections should be authenticated using AAA. Thus, RADIUS or TACACS+ users defined with privilege level 15 are allowed access. While AAA also affects other access paths, such as administrator access to the CLI, here is a working example from an ISR-4451 using RADIUS:
aaa new-model
!
!
aaa group server radius ISE
 server-private 172.25.73.76 key Cisco123
 ip vrf forwarding Mgmt-intf
!
aaa authentication login default group ISE local
aaa authentication login NOAUTH none
aaa authorization exec default group ISE local
!
aaa session-id common
!
line con 0
 login authentication NOAUTH
This configuration is deliberately simple and serves as an example for integration purposes; it may closely match your production configuration. In this example, a single ISE server is used for RADIUS (172.25.73.75), with priority over any local user (if configured). The configuration is also set up so that no authentication is performed on the device's console port. All VTY sessions, including those carrying NETCONF/RESTCONF, are authenticated against the configured ISE server.
NETCONF/RESTCONF can ultimately change the operating characteristics of a device, so do not omit the aaa authorization exec command shown in the example above; it is what applies the privilege level returned by the AAA server to the authenticated session.
AAA Server
Cisco's Identity Services Engine (ISE) controls device access using TACACS+ or RADIUS. ISE gathers context for user/device classification from specific attributes and authorizes user/device requests with the appropriate privileges. ISE 2.0 supports TACACS+, which is best suited for device administration and management. Here is a screenshot of the policy sets for Device Administration with TACACS+.
You can also use RADIUS and have ISE return a RADIUS VSA carrying "shell:priv-lvl=15". Further ISE configuration and AAA best practices are out of this document's scope. For more information about device administration using ISE, please visit http://cs.co/ise-community
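The checks described above (AAA enabled, the default login list pointing at a server group, aaa authorization exec present, and a priv-lvl 15 AV-pair coming back from the server) are easy to get wrong when a device is first opened up for NETCONF/RESTCONF. The following script is an added example for this page, not Cisco or ISE code: it audits the text of a running configuration for those settings and interprets the shell:priv-lvl AV-pair. The two sample configurations are constructed here (the first is the page's ISR example plus a local user, the second is a deliberately weak variant), and the function names are this example's own.

```python
"""Audit an IOS-XE running-config for the AAA settings NETCONF/RESTCONF rely on.

Added example (not vendor code). Input is the text of `show running-config`;
the checks mirror the page: aaa new-model, a server group on the default login
list, aaa authorization exec, and the priv-lvl 15 AV-pair from the AAA server.
"""
import re

# Constructed sample: the page's example plus one local privilege-15 user.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server radius ISE
 server-private 172.25.73.76 key Cisco123
 ip vrf forwarding Mgmt-intf
!
aaa authentication login default group ISE local
aaa authentication login NOAUTH none
aaa authorization exec default group ISE local
!
aaa session-id common
!
username admin privilege 15 secret 9 $9$PLACEHOLDER-HASH
!
line con 0
 login authentication NOAUTH
"""

# Constructed weak variant: local-only auth, no exec authorization, type-0 password.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default local
username admin privilege 15 password 0 cisco
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+?)\s*$", re.M)
EXEC_AUTHZ_RE = re.compile(r"^aaa authorization exec default (.+?)\s*$", re.M)
LOCAL_USER_RE = re.compile(r"^username (\S+) (.+?)\s*$", re.M)
AVPAIR_RE = re.compile(r"^shell:priv-lvl=(\d+)$")


def parse_method_list(text):
    """Turn 'group ISE local' into [('group', 'ISE'), ('local', None)]."""
    tokens, out, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(("group", tokens[i + 1]))
            i += 2
        else:
            out.append((tokens[i], None))
            i += 1
    return out


def line_blocks(config):
    """Collect the indented sub-commands under each 'line ...' section."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_aaa(config):
    """Return {'errors': [...], 'notes': [...]} for the NETCONF/RESTCONF AAA checks."""
    errors, notes = [], []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        errors.append("aaa new-model missing: AAA is disabled, only local users can log in")
    logins = {m.group(1): parse_method_list(m.group(2)) for m in LOGIN_RE.finditer(config)}
    default = logins.get("default", [])
    if not any(kind == "group" for kind, _ in default):
        errors.append("login default list has no server group: API sessions use local users only")
    if any(kind == "none" for kind, _ in default):
        errors.append("login default list contains 'none': unauthenticated VTY/API access")
    authz = EXEC_AUTHZ_RE.search(config)
    if not authz or not any(kind == "group" for kind, _ in parse_method_list(authz.group(1))):
        errors.append("aaa authorization exec default has no server group: privilege level is not set by AAA")
    for name, rest in LOCAL_USER_RE.findall(config):
        if "privilege 15" in rest:
            notes.append(f"local privilege-15 user '{name}' present (used only when the server group is unreachable)")
        if re.search(r"\bpassword\b", rest):  # 'password' (type 0/7) is reversible; 'secret' is hashed
            errors.append(f"user '{name}' uses a reversible 'password': use 'secret' instead")
    for line_name, cmds in line_blocks(config).items():
        for cmd in cmds:
            m = re.match(r"login authentication (\S+)", cmd)
            if m and any(kind == "none" for kind, _ in logins.get(m.group(1), [])):
                target = notes if line_name.startswith("con") else errors
                target.append(f"line {line_name} uses list '{m.group(1)}' with method none: no authentication")
    return {"errors": errors, "notes": notes}


def priv_level_from_avpairs(avpairs):
    """Privilege level carried in a list of Cisco AV-pair strings, or None if absent."""
    for pair in avpairs:
        m = AVPAIR_RE.match(pair.strip())
        if m:
            return int(m.group(1))
    return None


def grants_api_access(avpairs):
    """NETCONF/RESTCONF need level 15; anything else (or no AV-pair) is a denial."""
    return priv_level_from_avpairs(avpairs) == 15


if __name__ == "__main__":
    for label, cfg in (("page example", SAMPLE_CONFIG), ("weak variant", WEAK_CONFIG)):
        result = audit_aaa(cfg)
        print(f"{label}: {len(result['errors'])} error(s), {len(result['notes'])} note(s)")
        for line in result["errors"] + result["notes"]:
            print("  -", line)
```

The console line with the NOAUTH list is reported as a note rather than an error because the page configures it that way on purpose; the same list on a VTY line would be an error, since that is the path NETCONF/RESTCONF sessions take.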
Is it really that easy?
Yes. Make sure ISE is servicing your network elements for NETCONF/RESTCONF, much as it may already do for device-administration access. There is no need to maintain user credentials locally on the network elements either.