System install as non-root user, unable to authenticate WebUI after a couple of hours

jonathan.kyle
Level 1

Using NSO 4.6.1, I performed a system-install to run as a non-root user. Initially the login to WebUI works fine. But after a couple of hours my user fails to authenticate. Restarting NSO does not fix it. Rebooting the server does not fix it. Reinstalling NSO does fix it, but only temporarily; then it is back to being unable to authenticate via WebUI. During this time, CLI always works.

I don't have this problem when NSO is running as root.

There is nothing else special about the server. It's a CentOS 7.4 VM running in Azure.

Thanks

3 Replies

rogaglia
Cisco Employee

Hi Jonathan,

When you say "CLI always works", is that via ssh into NSO or via the IPC port using the "ncs_cli" command? I would guess it is the latter, and sshing directly towards NSO would also fail. The IPC connection is not authenticated and thus different from GUI/SSH.

What could be the issue?

- Authentication: in particular, I would check if you are using PAM authentication and there is an issue there. Check your audit.log/devel.log files.

- NACM: in system install, you have a "deny all" by default in NACM.

Roque

Hi Roque,

The CLI using ncs_cli always works. However, it appears that in fact ssh to NSO port 2024 does not succeed; Permission denied.

Everything about the NSO configuration is default (except that WebUI / SSL port 8888 and SSH port 2024 are enabled).

The audit log says:

“ncs[909]: audit user: /0 login failed via cli from 127.0.0.1:48852 with ssh: Authentication failure” – this is from ssh myuser@127.0.0.1 -p 2024

“ncs[909]: audit user: /0 login failed via webui from 12.35.79.25:64610 with https: Authentication failure” – is from using WebUI

Same error message when using the public IP (not loopback IP) for the server.

There are no error messages in devel.log.

Could you elaborate on what you mean by “NACM, in system install, you have a ‘deny all’ by default in NACM”? I don’t know what NACM is.

Thanks for your help

-Jonathan

Hi Jonathan,

A couple of points:

1- ncs_cli is like a "console cable" to NSO. It is a direct access to the IPC port and it is not authenticated, that is why it is working. If you look at the deployment guide in the documentation, there is a clear suggestion to secure the access to this command to non-admin users.

2- You have an authentication problem. You need to check what kind of authentication method you are using (local, PAM, external) and troubleshoot accordingly.

3- NACM refers to the RFC 6536 and that is how NSO implements role-based-access-control. Please check Chapter 9 in the administrator guide.

Roque
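
As an added example (not part of any post in this thread and not Cisco's code), the audit-log check suggested above can be scripted to show whether failed logins hit one northbound interface or several. The regular expression is inferred only from the two audit lines quoted in the thread, and the names `parse_failures` and `summarize` and the "look first at" heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Layout inferred from the two audit-log lines quoted in the thread (assumption:
# other NSO versions or logging settings may format these entries differently).
FAILED_LOGIN = re.compile(
    r"audit user: (?P<user>[^/\s]*)/(?P<session>\d+) login failed "
    r"via (?P<context>\w+) from (?P<ip>\S+):(?P<port>\d+) "
    r"with (?P<transport>\w+): (?P<reason>.+)$"
)

# First two lines are the ones quoted in the thread; the third is constructed filler.
SAMPLE_LINES = [
    "ncs[909]: audit user: /0 login failed via cli from 127.0.0.1:48852 with ssh: Authentication failure",
    "ncs[909]: audit user: /0 login failed via webui from 12.35.79.25:64610 with https: Authentication failure",
    "ncs[909]: constructed line that is not a login event",
]


def parse_failures(lines):
    """Return one dict per failed-login audit line; other lines are skipped."""
    return [m.groupdict() for m in map(FAILED_LOGIN.search, map(str.strip, lines)) if m]


def summarize(failures):
    """Count failures per (context, transport) and suggest where to look first."""
    per_path = Counter((f["context"], f["transport"]) for f in failures)
    contexts = sorted({context for context, _ in per_path})
    same_reason = len({f["reason"] for f in failures}) == 1
    if len(contexts) > 1 and same_reason:
        # Heuristic (assumption): the same failure on several interfaces points
        # at the shared authentication step, not at one interface.
        hint = "shared authentication method (local, PAM or external)"
    elif contexts:
        hint = "compare per interface: " + ", ".join(contexts)
    else:
        hint = "no failed logins found"
    return per_path, hint


if __name__ == "__main__":
    counts, hint = summarize(parse_failures(SAMPLE_LINES))
    for (context, transport), n in sorted(counts.items()):
        print(f"{context}/{transport}: {n} failed login(s)")
    print("look first at:", hint)
```

Logins made through ncs_cli over the IPC port are not authenticated, so they never produce a failure entry of this kind.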