cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
118
Views
0
Helpful
6
Replies
Highlighted
Beginner

Restricting Access to IPC Port -> err creating maapi connection

Following the NSO 4.7.2.1 admin guide, we were able to restrict access to launch NSO via ncs_cli by adding "true" to /ncs-config/ncs-ipc-accesscheck/enabled and specifying the filepath. However, upon launching ncs_cli (or connecting directly with the built-in SSH server), on any attempt to access our devices we were met with the following error:

 

info Failed to connect to device lab4507: connection refused: Error in newInstance: Error creating maapi connection: cannot read from socket

 

Is there any additional configuration that has to be changed to restrict access to NSO? Ideally we would like to use the configuration above so that anyone with a unix account cannot access NSO.

 

Thanks in advance.

Everyone's tags (1)
6 REPLIES 6
Beginner

Re: Restricting Access to IPC Port -> err creating maapi connection

Hey,

While I don't know how your AAA situation is set up I personally would solve this through unix and not NSO. Meaning that execution of ./bin/ncs_cli could be done by root/XYZ only.

 

Cisco Employee

Re: Restricting Access to IPC Port -> err creating maapi connection

Unfortunately, that means that if they could copy an ncs_cli binary in from some other source they can still run ncs_cli.

As for the original problem, this is what the documentation (admin guide) has to say:
“To provide the secret to the client libraries, and inform them that they need to use the access check handshake, we have to set the environment variable NCS_IPC_ACCESS_FILE to the full pathname of the file containing the secret. This is sufficient for all the clients mentioned above, i.e. there is no need to change application code to support or enable this check.”
Beginner

Re: Restricting Access to IPC Port -> err creating maapi connection

Agreed, we wouldn't want to use the alternative by restricting access to ncs_cli.
As for that blurb from the admin guide, I just want to confirm I'm not missing anything here; is that simply stating we should launch NSO using:
env NCS_IPC_ACCESS_FILE="full path here"/ipc_access ncs_cli
That's what we are using to launch nso, and it does launch successfully, we are just unable to connect to devices within NSO afterwards. example:
nso_test@ncs% request devices device lab4507b sync-from
result false
info Failed to connect to device lab4507b: connection refused: Error in newInstance: Error creating maapi connection: cannot read from socket
[ok][2019-08-30 11:58:55]

[edit]
nso_test@ncs% *** ALARM connection-failure: Failed to connect to device lab4507b: connection refused: Error in newInstance: Error creating maapi connection: cannot read from socket
The issue isn't present when we change the IPC access enable variable to false.
Cisco Employee

Re: Restricting Access to IPC Port -> err creating maapi connection

I am sorry, I haven’t used this in a while so I am not entirely sure, but you might also have to set the environment variable before launching NSO.
Beginner

Re: Restricting Access to IPC Port -> err creating maapi connection

True, however an argument can be made that in that kind of a scenario unauthorized people pulling that kind of stunts shouldn't happen/be able to do them in the first place.

@adam_michaud
I guess that at this point phoning TAC would be a completely justified move.

Beginner

Re: Restricting Access to IPC Port -> err creating maapi connection

Thanks for the suggestions folks - we'll reach out to TAC for this.
I will update the thread if we find a solution.