https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3863893#M472671 <P>Hi Hsing,</P> <P>&nbsp;</P> <P>Which ISE version are you using ?</P> <P>I am using 2.4 and not seeing the same output ?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ssh.png" style="width: 734px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/37581i9254450C4A0D1039/image-size/large?v=v2&amp;px=999" role="button" title="ssh.png" alt="ssh.png" /></span></P> Tue, 28 May 2019 14:53:15 GMT umahar 2019-05-28T14:53:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3862636#M472666 <P>Hi,</P> <P>&nbsp;</P> <P>An infosec team is in the process of certifying ISE and is seeking clarification on the various parameters used in SSH.</P> <P>&nbsp;</P> <P>Should use only below approved key exchanges.</P> <P>KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256</P> <P>&nbsp;</P> <P>Use Only below approved MACs</P> <P>MACs <A href="mailto:hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" target="_blank" rel="noopener">hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com</A></P> <P>&nbsp;</P> <P>Use only below Host Keys</P> <P>HostKey <A href="mailto:ecdsa-sha2-nistp521-cert-v01@openssh.com" target="_blank" rel="noopener">ecdsa-sha2-nistp521-cert-v01@openssh.com</A></P> <P>HostKey&nbsp; <A href="mailto:ecdsa-sha2-nistp384-cert-v01@openssh.com" target="_blank" rel="noopener">ecdsa-sha2-nistp384-cert-v01@openssh.com</A></P> <P>HostKey <A href="mailto:ecdsa-sha2-nistp256-cert-v01@openssh.com" target="_blank" rel="noopener">ecdsa-sha2-nistp256-cert-v01@openssh.com</A></P> <P>HostKey ecdsa-sha2-nistp521</P> <P>HostKey ecdsa-sha2-nistp384</P> <P>HostKey ecdsa-sha2-nistp256</P> <P>HostKey <A href="mailto:ssh-ed25519-cert-v01@openssh.com" target="_blank" rel="noopener">ssh-ed25519-cert-v01@openssh.com</A></P> <P>&nbsp;</P> <P>Is there any documentation which talks about it ?</P> <P>Appreciate if anyone can point me in that direction.</P> <P>&nbsp;</P> <P>If not then should we just look at the Red Hat documentation to verify these parameters as it is the underlying OS.</P> <P>However in the past we have had to seek TAC's help to enable strong ciphers via root patch.</P> <P>&nbsp;</P> Fri, 24 May 2019 20:26:04 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3862636#M472666 umahar 2019-05-24T20:26:04Z https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3862775#M472669 We have this but I think we need to dig deeper<BR /><BR /><A href="https://community.cisco.com/t5/security-documents/ise-security-best-practices-hardening/ta-p/3640651" target="_blank">https://community.cisco.com/t5/security-documents/ise-security-best-practices-hardening/ta-p/3640651</A><BR /> Sat, 25 May 2019 11:49:20 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3862775#M472669 Jason Kunst 2019-05-25T11:49:20Z https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3862852#M472670 <P>Recent ISE Releases have some options for SSH. See the configuration mode command <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/cli_guide/b_ise_CLIReferenceGuide_26/b_ise_CLIReferenceGuide_26_chapter_011.html#wp1664237597" target="_blank">service</A></P> <PRE>ise-1/admin(config)# service sshd ? enable Enable sshd service encryption-algorithm Configure SSH encryption algorithms. supported algorithms are a encryption-mode Configure SSH encryption mode on system. Supported modes are cb key-exchange-algorithm Specify allowable key exchange algorithms for sshd service loglevel Log level of messages from sshd to secure system log </PRE> <P>If you need additional options, please remember to ask TAC to file new bugs if no existing ones fit the bills.</P> Sat, 25 May 2019 19:29:46 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3862852#M472670 hslai 2019-05-25T19:29:46Z https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3863893#M472671 <P>Hi Hsing,</P> <P>&nbsp;</P> <P>Which ISE version are you using ?</P> <P>I am using 2.4 and not seeing the same output ?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ssh.png" style="width: 734px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/37581i9254450C4A0D1039/image-size/large?v=v2&amp;px=999" role="button" title="ssh.png" alt="ssh.png" /></span></P> Tue, 28 May 2019 14:53:15 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3863893#M472671 umahar 2019-05-28T14:53:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3864692#M472677 I am running patch 8 on 2.4 and see the same as hsing Wed, 29 May 2019 19:21:45 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ssh-ciphers/m-p/3864692#M472677 Jason Kunst 2019-05-29T19:21:45Z