topic Re: SFTP transfer from Linux to ISE repository in Network Access Control

SFTP transfer from Linux to ISE repository

wsteinbr@msm.umr.edu — Tue, 12 Jun 2018 20:35:56 GMT

I have set up an sftp server on a RHEL 6 machine. The usual command at the ISE CLI of:

copy sftp://<sftp server address>/<upgrade file to 2.4> disk:/disk2:/

does not work and replies with the error message of:

[error] sftp_read Error: read failed

[debug] sftp parent status -306

[error] SFTP get error: No such file or directory (The file name was copy and pasted directly to the command line)

The disk:/ repository has these characteristics:

Protocol: disk, Host: none, Path /

The disk2:/ repository has these characteristics:

Protocol: sftp, Host: <sftp server address>, Path /

I am thinking that I have not done some preliminary steps that I find here:

"Create Repositories

...

Before you begin

To perform the following task, you must be a Super Admin or System Admin.
If you want to create an SFTP repository with RSA public key authentication, ensure that you:
- Enable RSA public key authentication in the SFTP repository. See Enable RSA Public Key Authentication in SFTP Repository for information.
- Enter the host key of the SFTP server from the Cisco ISE CLI using the crypto host_key add command. The host key string should match the hostname that you enter in the Path field of the repository configuration page.
- Generate the key pairs and export the public key to your local system from the GUI. From the Cisco ISE CLI, generate the key pairs using the crypto key generate rsa passphrase test123 command, where, passphrase must be greater than four letters, and export the keys to any repository (local disk or any other configured repository).
- Copy the exported RSA public key to the PKI-enabled SFTP server and add it to the "authorized_keys" file."

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010…

I have completed the "Enable RSA public key authentication in the SFTP repository.", but the rest assumes that I have done this a lot. Can anyone provide an interpretation of this? A step by step procedure saying which command line is operated on (RHEL 6 vs ISE) each time would be most helpful. Cisco documentation leaves a lot to be desired here.

Example: "Enter the host key of the SFTP server from the Cisco ISE CLI using the crypto host_key add command" - Enter the output of this command ... (where? enter it where?) I would prefer to just use username and password vice the full blown certificate public private method. I just want to get the file into a repository and then remove sftp from the RHEL machine.

Re: SFTP transfer from Linux to ISE repository

Arne Bier — Tue, 12 Jun 2018 22:09:28 GMT

Sounds quite involved. In simple terms, if you spin up an SFTP server (whether Linux or Windows based) and you can access it normally via say WinSCP or FileZilla (for the Windows folks 😉 then you're in good shape.

In ISE the process is relatively simple. If you want to interface with your SFTP server then you can configure one ISE node via the CLI, but then that config only lives on that node, and not replicated to the rest of the deployment. If, on the other hand, you create the repo in the PAN GUI, then all nodes will have the repo. BUT - you still need to issue the 'crypto' command on any of the nodes in order to finish off the process (the repo config on its own is not sufficient for sftp!)

sco8834ise400/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

sco8834ise400/admin(config)# repository mysftp

sco8834ise400/admin(config-Repository)# url sftp://10.230.4.2/ConfigBackups
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes. If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.

sco8834ise400/admin(config-Repository)# user ise password plain mypassword
sco8834ise400/admin(config-Repository)# end
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.

sco8834ise400/admin# crypto host_key add host 10.230.4.2
host key fingerprint added
# Host 10.230.4.2 found: line 1
10.230.4.2 RSA SHA256:iFaGR0xy3agWhimf0Lm7srByl6qG6wUz1gAza9iq6FU

Test the repo with the show command

sco8834ise400/admin# show repository mysftp

Re: SFTP transfer from Linux to ISE repository

wsteinbr@msm.umr.edu — Wed, 13 Jun 2018 17:31:11 GMT

@Arne Bier - That got me much closer than before. Here are the results:

admin# show repository mysftp

% SSH connect error

admin# ssh <host address> <user name>

Failed to establish session with <host address>

no matching cypher found with <host address>: client aes256-cbc,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com server ,aes128-ctr,aes192-ctr,aes256-ctr

Re: SFTP transfer from Linux to ISE repository

Arne Bier — Wed, 13 Jun 2018 22:21:02 GMT

If you have access to the remote system then have a look at the cipher negotiation. E.g on a typical Linux distro the /etc/ssh/sshd.conf contains something like this

# Ciphers and keying

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

You can also inspect the sshd log file ( tail -f /var/log/messages ). Below is the extract from the remote Linux host when I perform the ssh command from the ISE node. I don't login - it's just waiting for credentials

2018-06-14T08:16:34.873513+10:00 host123 audispd: node=host123.my.domain type=CRYPTO_SESSION msg=audit(1528928194.857:194012): pid=15624 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-cbc ksize=256 mac=hmac-sha2-512 pfs=curve25519-sha256 spid=15625 suid=74 rport=30999 laddr=10.230.4.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.230.4.3 terminal=? res=success'

Re: SFTP transfer from Linux to ISE repository

hslai — Thu, 14 Jun 2018 00:48:28 GMT

Also take a look at CSCum13116

Re: SFTP transfer from Linux to ISE repository

RandomAnonymousName — Thu, 28 Jun 2018 15:34:10 GMT

Yes, CSCum13116 is the real answer.

Re: SFTP transfer from Linux to ISE repository

Bel Marsad — Wed, 14 Oct 2020 15:27:56 GMT

Hi,

Thanks for this detailed explanations and clarifications regarding this topic, i was searching this kind of process in order to create a repository to run backup (ise-config and ise-operational).

Now my repository was created successfully, but when I try to run the backup command from the cli it ask me for the encryption key :

"backup ise-oper repository mysftp ise-operational encryption-key "hash or plain"

But I have no idea where can I find this key in plain or hashe ??

Thanks

Belmar

Re: SFTP transfer from Linux to ISE repository

Aref Alsouqi — Wed, 14 Oct 2020 15:53:33 GMT

That would be the password you want to use for the backup.

Re: SFTP transfer from Linux to ISE repository

Bel Marsad — Thu, 15 Oct 2020 05:55:41 GMT

Thanks for your answer and clarification..

Re: SFTP transfer from Linux to ISE repository

nconroy — Sat, 24 Apr 2021 03:05:02 GMT

For this topic: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217054-configure-ise-sftp-with-certificate-base.html

Here is an updated guide for anyone following: