SSH transport for NETCONF is supported on TCP port 830 (default) or port 22 with IPv4 or IPv6 in-band in the ‟Base” routing instance or in a VPRN, or out-of-band in the ‟Management” routing instance on the CPM Ethernet ports.
NETCONF SSH sessions (the same as CLI, SCP, and sFTP sessions) are subject to any configurable and non-configurable session limits; for example, inbound-max-sessions.
Both the SSH server and NETCONF protocol must be enabled in the router configuration to use NETCONF.
NETCONF sessions do not time out automatically and are not subject to the CLI session timeout. Operators can disconnect sessions manually using the admin disconnect command.
A client establishing a NETCONF session must log in to the router so user accounts must exist for NETCONF on SR OS. An access type netconf is provided. For access to the Nokia SR OS YANG data models, only netconf access is necessary.
Authentication using the local user database is supported for NETCONF users. The access netconf statement must be configured in the local user record. Also, NETCONF runs over SSH, and SSH supports RADIUS/TACACS+ user authentication.
For RADIUS, access netconf must be enabled in the user template (configure system security user-template radius_default in the classic CLI, or configure system security aaa user-template radius-default in the MD-CLI), and use-default-template must be enabled (configure system security radius use-default-template in the classic CLI, or configure system security aaa remote-servers radius use-default-template in the MD-CLI). The RADIUS server must also send the Timetra-Access VSA with a value that includes "netconf" access, for example, "Timetra-Access = netconf" or "Timetra-Access = 15".
For TACACS+, access tacplus must be enabled in the user template (configure system security user-template tacplus_default in the classic CLI, or configure system security aaa user-template tacplus-default in the MD-CLI), and use-default-template must be enabled (configure system security tacplus use-default-template in the classic CLI, or configure system security aaa remote-servers tacplus use-default-template in the MD-CLI).
Authorization is supported for configuration and state elements in NETCONF. The local, RADIUS, or TACACS+ authorization CLI rules are translated and applied to NETCONF requests to modify or display configuration or state data.