cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1663
Views
0
Helpful
3
Replies

System install as non-root user, unable to authenticate WebUI after a couple of hours

jonathan.kyle
Level 1
Level 1

Using NSO 4.6.1, I performed a system-install to run as a non-root user.  Initially the login to WebUI works fine.  But after a couple of hours my user fails to authenticate.  Restarting NSO does not fix it.  Rebooting the server does not fix it.  But reinstalling NSO does fix it but only temporarily, then back to being unable to authenticate via WebUI.  During this time, CLI always works.

I don't have this problem when NSO is running as root. 

There is nothing else special about the server.  It's a CentOS 7.4 VM running in Azure.

Thanks

3 Replies 3

rogaglia
Cisco Employee
Cisco Employee

Hi Jonathan,

when you say "CLI always works", is that via ssh into NSO or via IPC port using the "ncs_cli" command? I would guess it is the latest and sshing directly towards NSO would also fail. The IPC connection is not authenticated and thus different from GUI/SSH.

What could be the issue?

     - authentication, particularly I would check if you are using PAM authentication and there is an issue there. Check your audit.log/devel.log files.

     - NACM, in system install, you have a "deny all" by default in NACM.

Roque

Hi Roque,

The CLI using ncs_cli always works. However, it appears that in fact ssh to NSO port 2024 does not succeed; Permission denied.

Everything about the NSO configuration is default (except that WebUI / SSL port 8888 and SSH port 2024 are enabled).

When The audit log says:

“ncs[909]: audit user: /0 login failed via cli from 127.0.0.1:48852 with ssh: Authentication failure” – this is from ssh myuser@127.0.0.1<mailto:myuser@127.0.0.1> –p 2024

“ncs[909]: audit user: /0 login failed via webui from 12.35.79.25:64610 with https: Authentication failure” – is from using WebUI

Same error message when using the public IP (not loopback IP) for the server.

There are no error messages in devel.log.

Could you elaborate on what you mean by “NACM, in system install, you have a ‘deny all’ by default in NACM”? I don’t know what NACM is.

Thanks for your help

-Jonathan

Hi Johathan,

A couple of points:

1- ncs_cli is like a "console cable" to NSO. It is a direct access to the IPC port and it is not authenticated, that is why it is working. If you look at the deployment guide in the documentation, there is a clear suggestion to secure the access to this command to non-admin users.

2- You have an authentication problem. You need to check what kind of authentication method you are using (local, PAM, external) and troubleshoot accordingly.

3- NACM refers to the RFC 6536 and that is how NSO implements role-based-access-control. Please check Chapter 9 in the administrator guide.

Roque