Showing results for 
Search instead for 
Did you mean: 

Community Helping Community


NSO 4.1 CLI giving "syntax error: expecting" for all commands

Good day to all,

We have installed NSO 4.1.  We are able to login to the WebUI but not able to use the CLI.

Pls help to enlighten on the error.  Thanks.

Error faced


[root@NSO41 packages]# ncs_cli -u admin -C

admin connected from using ssh on NSO41

admin@ncs# ?

Possible completions:

  exit   Exit the management session

admin@ncs# show


syntax error: expecting

  exit - Exit the management session

admin@ncs# config


syntax error: expecting

  exit - Exit the management session




ncs --status

vsn: 4.1

SMP support: yes, using 2 threads

Using epoll: yes

available modules: backplane,netconf,cdb,cli,snmp,webui

running modules: backplane,netconf,cdb,cli,webui

status: started

Everyone's tags (3)

Re: NSO 4.1 CLI giving "syntax error: expecting" for all commands

I believe the security defaults for 4.1 have changed.

PAM is the recommended authentication method on this release, so, if you chose to use PAM, the use must be present in the Linux authentication mechanism (the default for most linux distros is to use /etc/passwd and /etc/shadow).

Please, check the deployment documentation, in the setting AAA section.

Excerpt below:

Setting up AAA

As we saw in the previous section, the REST HTTPS api is enabled. This API is used by a few of the crucial nct commands, thus if we want to use nct, we must enables password based REST login (through PAM)

The default AAA initialization file that gets shipped with NSO resides under /var/opt/ncs/cdb/aaa_init.xml. If we're not happy with that, this is a good point in time to modify the initialization data for AAA.

The NSO daemon is still not running, and we have no existing CDB files. The defaults are restrictive and fine

though, so we'll keep them here though.

Looking at the aaa_init.xml file we see that Two groups are referred to in the NACM rule list, ncsadmin and ncsoper.

The NSO authorization system is group based, thus for the rules to apply for a specific user, the user must

be member of the right group. Authentication is performed by PAM, and authorization is performed by the NSO

NACM rules. Adding myself to ncsadmin group will ensure that I get properly authorized.

$ nct ssh-cmd -c 'sudo addgroup ncsadmin'

$ nct ssh-cmd -c 'sudo adduser klacke ncsadmin'

Henceforth I will log into the different NSO hosts using my own login credentials. There are many advantages to

this scheme, the main one being that all audit logs on the NSO hosts will show who did what and when. The common

scheme of having a shared admin user with a shared password is not recommended.

To test the NSO logins, we must first start NSO.

$ nct ssh-cmd -c 'sudo /etc/init.d/ncs start'

At this point we should be able to curl login over REST, and also directly log in remotely to the NSO cli. On the admin


$ ssh -p 2024 srv-ncs-m

klacke connected from using ssh on srv-ncs-m

klacke@srv-ncs-m> exit

Connection to srv-ncs-m closed.

Checking the NSO audit log on the NSO host srv-ncs-m we see:

$ tail -4 /var/log/ncs/audit.log

tail -4 /var/log/ncs/audit.log

Content for Community-Ad
FusionCharts will render here