Following the NSO 22.214.171.124 admin guide, we were able to restrict access to launch NSO via ncs_cli by adding "true" to /ncs-config/ncs-ipc-accesscheck/enabled and specifying the filepath. However, upon launching ncs_cli (or connecting directly with the built-in SSH server), on any attempt to access our devices we were met with the following error:
info Failed to connect to device lab4507: connection refused: Error in newInstance: Error creating maapi connection: cannot read from socket
Is there any additional configuration that has to be changed to restrict access to NSO? Ideally we would like to use the configuration above so that anyone with a unix account cannot access NSO.
Thanks in advance.
While I don't know how your AAA situation is set up, I personally would solve this through Unix and not NSO, meaning that execution of ./bin/ncs_cli could be done by root/XYZ only.
True; however, an argument can be made that in that kind of scenario, unauthorized people pulling those kinds of stunts shouldn't happen/be able to do them in the first place.
I guess that at this point phoning TAC would be a completely justified move.