Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1209
Views
0
Helpful
6
Replies

Restricting Access to IPC Port -> err creating maapi connection

adam_michaud
Level 1
Level 1

‎09-04-2019 01:12 PM

Following the NSO 4.7.2.1 admin guide, we were able to restrict access to launch NSO via ncs_cli by adding "true" to /ncs-config/ncs-ipc-accesscheck/enabled and specifying the filepath. However, upon launching ncs_cli (or connecting directly with the built-in SSH server), on any attempt to access our devices we were met with the following error:

 

info Failed to connect to device lab4507: connection refused: Error in newInstance: Error creating maapi connection: cannot read from socket

 

Is there any additional configuration that has to be changed to restrict access to NSO? Ideally we would like to use the configuration above so that anyone with a unix account cannot access NSO.

 

Thanks in advance.

1 person had this problem
Labels:
0 Helpful
6 Replies 6

uavsec001
Level 1
Level 1

‎09-05-2019 12:58 AM

Hey,

While I don't know how your AAA situation is set up I personally would solve this through unix and not NSO. Meaning that execution of ./bin/ncs_cli could be done by root/XYZ only.

 

0 Helpful

vleijon
Cisco Employee
Cisco Employee
In response to uavsec001

‎09-05-2019 06:56 AM

Unfortunately, that means that if they could copy an ncs_cli binary in from some other source they can still run ncs_cli.

As for the original problem, this is what the documentation (admin guide) has to say:
“To provide the secret to the client libraries, and inform them that they need to use the access check handshake, we have to set the environment variable NCS_IPC_ACCESS_FILE to the full pathname of the file containing the secret. This is sufficient for all the clients mentioned above, i.e. there is no need to change application code to support or enable this check.”
0 Helpful

adam_michaud
Level 1
Level 1
In response to vleijon

‎09-05-2019 07:59 AM

Agreed, we wouldn't want to use the alternative by restricting access to ncs_cli.
As for that blurb from the admin guide, I just want to confirm I'm not missing anything here; is that simply stating we should launch NSO using:
env NCS_IPC_ACCESS_FILE="full path here"/ipc_access ncs_cli
That's what we are using to launch nso, and it does launch successfully, we are just unable to connect to devices within NSO afterwards. example:
nso_test@ncs% request devices device lab4507b sync-from
result false
info Failed to connect to device lab4507b: connection refused: Error in newInstance: Error creating maapi connection: cannot read from socket
[ok][2019-08-30 11:58:55]

[edit]
nso_test@ncs% *** ALARM connection-failure: Failed to connect to device lab4507b: connection refused: Error in newInstance: Error creating maapi connection: cannot read from socket
The issue isn't present when we change the IPC access enable variable to false.
0 Helpful

vleijon
Cisco Employee
Cisco Employee
In response to adam_michaud

‎09-05-2019 08:32 AM

I am sorry, I haven’t used this in a while so I am not entirely sure, but you might also have to set the environment variable before launching NSO.
0 Helpful

uavsec001
Level 1
Level 1
In response to vleijon

‎09-06-2019 12:52 AM - edited ‎09-06-2019 12:53 AM

True, however an argument can be made that in that kind of a scenario unauthorized people pulling that kind of stunts shouldn't happen/be able to do them in the first place.

@adam_michaud
I guess that at this point phoning TAC would be a completely justified move.

0 Helpful

adam_michaud
Level 1
Level 1
In response to uavsec001

‎09-06-2019 05:51 AM

Thanks for the suggestions folks - we'll reach out to TAC for this.
I will update the thread if we find a solution.
0 Helpful
Customers Also Viewed These Support Documents