https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545564#M527651 <HTML><HEAD></HEAD><BODY><P>Hi team,</P><P></P><P>We have a Customer that would like to know if we updated the SFTP cyphers since ISE 2.O, they woulf like to use aeS256-ctr and ISE 2.0 does not support it :</P><P></P><P><SPAN style="color: #000000; font-family: Times New Roman; font-size: 12pt;">&nbsp; </SPAN></P><P><SPAN style="font-family: Calibri;"><EM><SPAN style="color: #000000; font-size: 11pt;">Jul 21 09:43:08 lxpr540a sshd[4359]: fatal: no matching cipher found: client aes256-cbc,aes128-cbc,</SPAN><SPAN style="font-size: 11pt;"><A href="mailto:aes128-gcm@openssh.com"><SPAN style="color: #0563c1; text-decoration: underline;">aes128-gcm@openssh.com</SPAN></A></SPAN><SPAN style="color: #000000; font-size: 11pt;">,</SPAN><SPAN style="font-size: 11pt;"><A href="mailto:aes256-gcm@openssh.com"><SPAN style="color: #0563c1; text-decoration: underline;">aes256-gcm@openssh.com</SPAN></A></SPAN><SPAN style="color: #000000; font-size: 11pt;"> server aes128-ctr,aes192-ctr,aes256-ctr</SPAN></EM></SPAN></P><P><SPAN style="color: #000000; font-family: Times New Roman; font-size: 12pt;">&nbsp; </SPAN></P><P></P><P>I found this doc but it was not updated since 2.0 : <A href="https://community.cisco.com/docs/DOC-69521">ISE Security Best Practices (Hardening)</A></P><P></P><P>the security team refuse to use AES-CBC due to a vulnerability "<A href="http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf" title="http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf">http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf</A>"</P><P></P><P>Please could you tell me if we now support AES-CTR for SFTP ?</P><P></P><P>regards</P><P>Christophe</P></BODY></HTML> Mon, 14 Aug 2017 10:12:26 GMT csarrazi 2017-08-14T10:12:26Z https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545564#M527651 <HTML><HEAD></HEAD><BODY><P>Hi team,</P><P></P><P>We have a Customer that would like to know if we updated the SFTP cyphers since ISE 2.O, they woulf like to use aeS256-ctr and ISE 2.0 does not support it :</P><P></P><P><SPAN style="color: #000000; font-family: Times New Roman; font-size: 12pt;">&nbsp; </SPAN></P><P><SPAN style="font-family: Calibri;"><EM><SPAN style="color: #000000; font-size: 11pt;">Jul 21 09:43:08 lxpr540a sshd[4359]: fatal: no matching cipher found: client aes256-cbc,aes128-cbc,</SPAN><SPAN style="font-size: 11pt;"><A href="mailto:aes128-gcm@openssh.com"><SPAN style="color: #0563c1; text-decoration: underline;">aes128-gcm@openssh.com</SPAN></A></SPAN><SPAN style="color: #000000; font-size: 11pt;">,</SPAN><SPAN style="font-size: 11pt;"><A href="mailto:aes256-gcm@openssh.com"><SPAN style="color: #0563c1; text-decoration: underline;">aes256-gcm@openssh.com</SPAN></A></SPAN><SPAN style="color: #000000; font-size: 11pt;"> server aes128-ctr,aes192-ctr,aes256-ctr</SPAN></EM></SPAN></P><P><SPAN style="color: #000000; font-family: Times New Roman; font-size: 12pt;">&nbsp; </SPAN></P><P></P><P>I found this doc but it was not updated since 2.0 : <A href="https://community.cisco.com/docs/DOC-69521">ISE Security Best Practices (Hardening)</A></P><P></P><P>the security team refuse to use AES-CBC due to a vulnerability "<A href="http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf" title="http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf">http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf</A>"</P><P></P><P>Please could you tell me if we now support AES-CTR for SFTP ?</P><P></P><P>regards</P><P>Christophe</P></BODY></HTML> Mon, 14 Aug 2017 10:12:26 GMT https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545564#M527651 csarrazi 2017-08-14T10:12:26Z https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545565#M527653 <HTML><HEAD></HEAD><BODY><P>There is a bug <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux88538">CSCux88538</A> that was logged as an enhancement for ISE 1.4 to support the aes-ctr ciphers but that is still open. May be worth logging a support call with Cisco.</P></BODY></HTML> Mon, 14 Aug 2017 11:50:23 GMT https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545565#M527653 M. Wisely 2017-08-14T11:50:23Z https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545566#M527655 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Based on my research, we currently don't support that cipher.&nbsp; We do have an enhancement request in for it.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Mon, 14 Aug 2017 14:27:15 GMT https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545566#M527655 Timothy Abbott 2017-08-14T14:27:15Z https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545567#M527657 <HTML><HEAD></HEAD><BODY><P>we had same problem when we tried to setup SFTP. Then we have to change the cipher to cbc till the ISE supports .........</P></BODY></HTML> Mon, 14 Aug 2017 17:30:59 GMT https://community.cisco.com/t5/network-access-control/sftp-cyphers/m-p/3545567#M527657 csco11552159 2017-08-14T17:30:59Z