Cisco Bug: CSCvv23573 - Clarification of technote required

Last Modified

Sep 23, 2020

Products (1)

  • Cisco Catalyst 9800 Series Wireless Controllers

Known Affected Releases

1.0(0)

Description (partial)

Symptom:
The technote "Managing Catalyst 9800 Wireless Controller Series with Prime Infrastructure using SNMP v2 and SNMP v3 and NetCONF" requires clarification on two points: the direction of the TCP flows, and the AAA configuration NETCONF needs.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214286-managing-catalyst-9800-wireless-controll.html#anc6

1. Clarify the port usage
Old text:
AP and client operational data leverages streaming telemetry.
TCP port 830 - This is used by Prime Infra to  push the telemetry configuration to 9800 devices (using netconf)
TCP port 20828 (for IOS-XE 16.10 and 16.11) or 20830 (for IOS-XE 16.12 and later) -

Suggested text:
AP and client operational data leverages streaming telemetry.
Prime Infrastructure to WLC: TCP port 830 - This is used by Prime Infra to push the telemetry configuration to 9800 devices (using netconf)
WLC to Prime Infrastructure: TCP port 20828 (for IOS-XE 16.10 and 16.11) or 20830 (for IOS-XE 16.12 and later) -

Would be great to add a picture showing the flows, something like:

IOS-XE 16.10 and 16.11
---------  ----TCP 830----->  ---------
| Prime |                      |  WLC  |
---------  <---TCP 20828----  ---------

IOS-XE 16.12+
---------  ----TCP 830----->  ---------
| Prime |                      |  WLC  |
---------  <---TCP 20830----  ---------

2. Clarify the aaa configuration required for Netconf
Old text:
Caution: If aaa new-model is enabled on C9800, then you will also need to configure
(config)#aaa authorization exec default local
(config)#aaa authentication login default local
Netconf on C9800 uses the default method (and you cannot change this) for both aaa authentication login as well as aaa authorization exec. In case you want to define a different method for SSH connections, you can do so under the "line vty" command line. Netconf will keep using the default methods.

New text:
Caution: If aaa new-model is enabled on C9800, then you will also need to configure
(config)#aaa authorization exec default local
(config)#aaa authentication login default local

Remember to configure, on the WLC, the local user that Prime Infrastructure will log in with (replace the example secret with one of your own).
E.g. username prime-user privilege 15 secret Cisco123

Netconf on C9800 uses the default method (and you cannot change this) for both aaa authentication login as well as aaa authorization exec. In case you want to define a different method for SSH connections, you can do so under the "line vty" command line. Netconf will keep using the default methods.

For more information about configuring AAA for SSH connections, see "Configure RADIUS and TACACS+ for GUI and CLI Authentication on 9800 Wireless LAN Controllers"
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html
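Both clarifications above reduce to checks a practitioner can run before opening a case: which TCP flows a firewall between Prime Infrastructure and the WLC must permit for a given IOS-XE release, and whether the running-config satisfies the AAA prerequisite that NETCONF only honours the default method lists. The script below is an added example written for this bug page, not code from the technote or from Cisco; the sample configs are constructed, and treating releases older than 16.10 as out of scope is an assumption (the technote only lists 16.10 and later). It deliberately ignores named method lists applied under line vty, since NETCONF never uses them.

```python
"""Pre-flight checks for Prime Infrastructure -> Catalyst 9800 NETCONF telemetry.

Added example for this bug page (not Cisco code). Port numbers come from the
technote; everything else (version handling, sample configs) is constructed.
"""
import re
from typing import List, Tuple

NETCONF_PORT = 830  # Prime -> WLC, used to push the telemetry subscription


def telemetry_flows(ios_xe_version: str) -> List[Tuple[str, str, int]]:
    """Return (source, destination, tcp_port) flows to permit for a release.

    Assumption: releases before 16.10 are not covered by the technote, so they
    are rejected rather than guessed.
    """
    m = re.match(r"^(\d+)\.(\d+)", ios_xe_version)
    if not m:
        raise ValueError(f"unrecognised IOS-XE version string: {ios_xe_version!r}")
    release = (int(m.group(1)), int(m.group(2)))
    if release < (16, 10):
        raise ValueError("technote covers IOS-XE 16.10 and later only")
    # 16.10/16.11 stream back to TCP 20828; 16.12 and later to TCP 20830
    receiver = 20828 if release < (16, 12) else 20830
    return [
        ("Prime Infrastructure", "WLC", NETCONF_PORT),
        ("WLC", "Prime Infrastructure", receiver),
    ]


def check_netconf_aaa(running_config: str) -> List[str]:
    """Check the AAA prerequisites the technote gives for NETCONF on a C9800.

    Returns a list of findings; an empty list means NETCONF logins should work.
    NETCONF always uses the *default* login/exec method lists, so named lists
    applied under 'line vty' are ignored on purpose.
    """
    lines = [ln.strip() for ln in running_config.splitlines()]
    findings: List[str] = []
    if "aaa new-model" not in lines:
        return findings  # the caution only applies once aaa new-model is on

    for label, prefix in (
        ("aaa authentication login default", "aaa authentication login default"),
        ("aaa authorization exec default", "aaa authorization exec default"),
    ):
        default_lists = [ln for ln in lines if ln.startswith(prefix + " ")]
        if not default_lists:
            findings.append(f"missing '{label} ...' (NETCONF cannot use a named list)")
            continue
        # methods follow the 4th token ("default"); the Prime user is local,
        # so 'local' must appear somewhere in the default method list
        methods = default_lists[0].split()[4:]
        if "local" not in methods:
            findings.append(f"'{label}' does not include 'local': {default_lists[0]}")

    priv15 = [ln for ln in lines if re.match(r"^username\s+\S+\s+privilege\s+15\b", ln)]
    if not priv15:
        findings.append("no local 'username <name> privilege 15 ...' for Prime Infrastructure")
    return findings


# Constructed sample configs (not from the technote).
GOOD_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication login VTY_TACACS group tacacs+ local
aaa authorization exec default local
aaa authorization exec VTY_TACACS group tacacs+ local
username prime-user privilege 15 secret 9 $9$constructed-hash
line vty 0 4
 login authentication VTY_TACACS
 authorization exec VTY_TACACS
"""

# Common mistake: AAA only wired up via named lists on the vty lines.
NAMED_LISTS_ONLY_CONFIG = """
aaa new-model
aaa authentication login VTY_TACACS group tacacs+ local
aaa authorization exec VTY_TACACS group tacacs+ local
username prime-user secret 9 $9$constructed-hash
line vty 0 4
 login authentication VTY_TACACS
 authorization exec VTY_TACACS
"""

NO_AAA_NEW_MODEL_CONFIG = """
username prime-user privilege 15 secret 9 $9$constructed-hash
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for ver in ("16.11.1", "17.3.4"):
        for src, dst, port in telemetry_flows(ver):
            print(f"IOS-XE {ver}: {src} -> {dst} TCP {port}")
    for name, cfg in (("good", GOOD_CONFIG), ("named-lists-only", NAMED_LISTS_ONLY_CONFIG),
                      ("no-aaa-new-model", NO_AAA_NEW_MODEL_CONFIG)):
        print(name, check_netconf_aaa(cfg) or "OK")
```

Run it against the output of `show running-config | section aaa|username` pasted into a file; the named-lists-only sample reproduces the situation the caution warns about, where SSH works through the vty method lists but NETCONF fails because no default lists exist.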

Conditions:
documentation bug