topic Re: Supported Ciphers for ISE repository in Network Access Control

Supported Ciphers for ISE repository

rob.alvarado@live.com — Tue, 06 Mar 2018 19:39:31 GMT

Hello Guys and Gals,

I have a question in regards to supported ISE Ciphers...

To make a long story short we are unable to save to our repository since we migrated over to our new Toolbox Server. The TAC engineer stated that ciphers were at fault here so we are asking if ISE supports the following ciphers:

srmcucsisepanad01/admin# ssh 10.32.3.11 NetOpsFTP Unable to negotiate with 10.32.3.11 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr

Is there a way we can add these ciphers to ISE? If not can we have a list of ciphers that are supported so we can adjust on our end.

Thanks,

-Robert

Re: Supported Ciphers for ISE repository

hslai — Tue, 06 Mar 2018 20:39:43 GMT

I believe you are hitting this known issue -- CSCum13116

Please work with Cisco TAC and see if it helps by adding the ciphers in ISE temporarily.

Re: Supported Ciphers for ISE repository

Arne Bier — Thu, 20 Dec 2018 04:00:57 GMT

Hi @hslai and rob.alvarado@live.com

My customer ran into this same issue. Their SFTP server is a Microsoft box running OpenSSH. I was able to reproduce this in the lab using the Windows 10 SFTP implementation (which now come free with Windows 10)

Incidentally, I have never seen this issue with Linux based SSHD implementations (because I assume they leave a lot of the legacy ciphers enabled).

I tested this in my lab and the only change I made to my Windows OpenSSH sshd_config file was to add the line below – it leaves the other ciphers in place and only ADDs one more (for ISE)

ciphers +aes256-cbc

I did enable the debugging command too

LogLevel DEBUG

Because this was a fresh install, I didn’t change any other lines of the config file.

By the way, I found two config files in two different locations! Don’t be fooled – the one that the Windows Service uses (in my case) was here

C:\ProgramData\ssh\sshd_config

And you should be able to view the log (very useful when combined with the DEBUG level enabled)

C:\ProgramData\ssh\logs\sshd.log

When is this going to be fixed in ISE??

Re: Supported Ciphers for ISE repository

Surendra — Thu, 20 Dec 2018 13:42:31 GMT

aes-256-cbc, aes-128-cbc are for sure supported. Rest other ciphers change from version to version. To answer your question whether or not you can specify what cipher to use on the ISE, you cannot. @hslai has already provided the bug id filed for this issue.

Re: Supported Ciphers for ISE repository

ElishaHuang48437 — Wed, 01 Sep 2021 03:45:21 GMT

Hi all,

Just wanted to share how I resolved the issue with the help from Cisco TAC.

First of all, SFTP works like SSH using port 22. If SFTP does not work, ssh will not work either.

Accidentally I found my secondary node had no issue with ssh. That prompt me to what the difference of ssh settings between between these two nodes, I found the only difference is the following line is missing on the ssh_config on the primary node.

# Ciphers aes127-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

After adding the above line, saving the file, restarting the sshd service, ssh started to work, and SFTP also works from then.

To change the ssh_config file, you will need Cisco TAC's help to install two special patches to allow you to get into root access.

If you have already enabled root access, then do the the following steps:

1. Cisco-ISE-ABC#root

type the password you set up when enabling root access,

2. ade#cd /etc/ssh

vi ssh_config

3. add the line below to the file right under line 41 without #. I guess this can be anywhere around that area as they are all commented.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

4. Save the change and restart the sshd service with the command below:

systemctl restart sshd

Test your ssh access and sftp, you will be happy again.