Solved: NSO 6.3 conatiner WebUI Login Authentication Failure

Oswald Fernandes · ‎05-18-2024

Looking for a fix the issue Im facing with NSO 6.3 container image while launching its WebUI. I am using the latest NSO 6.3 container image:

nso-6.3.container-image-prod.linux.x86_64.tar.gz

and Im able to successfully build and run the docker container

docker run -itd --name nso63 -e ADMIN_USERNAME=admin -e ADMIN_PASSWORD=admin -p 8080:8080 9b1

However when I launch the WebUI and type the username as "admin" password as "admin" it gives me a Authentication failed message. Has anyone else encountered this issue with NSO 6.3 and know how to fix it... Appreciate a helpful response.

Oswald Fernandes · ‎05-19-2024

I was able to solve the WebUI Authentication issue on NSO 6.3 container so sharing it here that will help other users:

You need to enable local-authentication in the /etc/ncs/ncs.conf file

Hope this helps.

View solution in original post

bigevilbeard · ‎05-19-2024

Not 100% sure this will work, enable the admin user by setting the ENABLE_ADMIN_USERenvironment variable to true when running the container

docker run -itd --name nso63 -e ADMIN_USERNAME=admin -e ADMIN_PASSWORD=admin -e ENABLE_ADMIN_USER=true -p 8080:8080 9b1

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Oswald Fernandes · ‎05-19-2024

Appreciate the suggestion... I tired spinning a new container with the -e ENABLE_ADMIN_USER=true and it did not solve the issue. I looked at the audit.log and its giving me this error:

<INFO> 19-May-2024::18:06:31.258 e2321aab7910 ncs[43]: audit user: [withheld]/0 PAM authentication failed via webui from 10.16.136.225:56845 with http: phase auth, Authentication failure

I am wondering if I need to enable something in the ncs.conf file but not sure.

Oswald Fernandes · ‎05-19-2024

I was able to solve the WebUI Authentication issue on NSO 6.3 container so sharing it here that will help other users:

You need to enable local-authentication in the /etc/ncs/ncs.conf file

Hope this helps.

pimoh · ‎05-20-2024

Thanks @Oswald Fernandes

cohult · ‎05-20-2024

Note that the default authentication option is Linux PAM with local-authentication disabled, so an alternative to using the ADMIN_* options and enabling local-authentication when starting the container is to add, for example, an admin Linux user to the ncsadmin group.

  <aaa>
    ...
    <pam>
      <enabled>true</enabled>
      <service>system-auth</service>
    </pam>
    ...
    <local-authentication>
      <enabled>false</enabled>
    </local-authentication>
    ...
  </aaa>

See the $NCS_RUN_DIR/cdb/aaa_init.xml for the ncsadmin and ncsoper groups NACM rules.
Example:

$ docker exec -it nso63 bash
# groupadd ncsadmin
# useradd --create-home --home-dir /home/admin --no-user-group --no-log-init --groups ncsadmin --shell /bin/bash admin
# passwd admin
Changing password for user admin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

cohult · ‎05-24-2024

For anyone who browses this post, see the NSO documentation at https://developer.cisco.com/docs/nso/guides/containerized-nso/#administrative-information under Admin User Creation for all the info you need.