topic Re: Identity Services Engine (ISE) in Network Access Control

Identity Services Engine (ISE)

RS19 — Fri, 16 Feb 2024 11:03:59 GMT

This is regarding ISE. I am using Manage Engine (NCM) to take the backup of ISE.

In NCM there are many Key EXchanges allowed. When all the Key exchanges are selected at the NCM side the backup of ISE > NCM is successful.
But as per secutiy only specific key exchanges needs to be allowed.

I need to identify which key exchange my ISE is using, so that I can configure the same in the NCM. How to identify it.
Below is the output of show crypto host_keys from ISE, where 10.10.10.10 is the NCM server IP

1024 SHA256:xxxxxxxxxxxxxxxxxdfdfereddredddddd 10.10.10.10 (RSA)

From the above output is it possible to identify which key algorithm is used ?

Re: Identity Services Engine (ISE)

adamscottmaster2013 — Fri, 16 Feb 2024 13:15:26 GMT

@RS19: ISE is running either CentOS-7 or CentOS-8 and the configuration is in the /etc/ssh/ssh_config file (you need root to change this). By default, it will send out the followings:

It is up to your NCM to accept or refuse what can be allowed. For example, I only accept these host algorithms on my Linux server:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

Therefore, it is up to you to configure on the NCM on what you can accept. On most Linux systems, that would be in the /etc/ssh/sshd_config

Does that make sense?

Re: Identity Services Engine (ISE)

ahollifield — Fri, 16 Feb 2024 16:39:33 GMT

ISE is not based on CENTOS. It is based on RHEL.

Re: Identity Services Engine (ISE)

ahollifield — Fri, 16 Feb 2024 16:40:35 GMT

What do you mean by "take the backup of ISE". ISE doesn't support any backup utilities other than the built one which copies the backup files to an external repository. Do you mean you are only having NCM do a "show run" of the CLI?

Re: Identity Services Engine (ISE)

adamscottmaster2013 — Sat, 17 Feb 2024 13:43:59 GMT

@ahollifield: It is almost exactly the same. If you look at the /etc/ssh/ssh_config and /etc/ssh/sshd_config file in both CentOS and RHEL, they are both identical.

Re: Identity Services Engine (ISE)

RS19 — Sun, 18 Feb 2024 04:23:12 GMT

Thanks for your explanation. But would like to clarify the below.
The below has been enabled in my ISE

1024 SHA256:xxxxxxxxxxxxxxxxxdfdfereddredddddd 10.10.10.10 (RSA)
10.10.10.10 is my NCM server IP address.
In my NCM have enabled as attached.
Irrespective of that it is not working ?

Re: Identity Services Engine (ISE)

RS19 — Sun, 18 Feb 2024 04:23:47 GMT

In NCM rsa1024-sha1 is enabled.

Re: Identity Services Engine (ISE)

RS19 — Sun, 18 Feb 2024 05:11:19 GMT

In addition, I did SSH to the ISE & I am in /admin#
From this prompt how to check the config file.

Re: Identity Services Engine (ISE)

ahollifield — Sun, 18 Feb 2024 12:44:06 GMT

You don’t. ISE config is GUI and API driven.

Re: Identity Services Engine (ISE)

adamscottmaster2013 — Sun, 18 Feb 2024 16:24:07 GMT

@RS19: What are you trying to accomplish? Are you trying to ssh/sftp from the NCM to the ISE or are you trying to ssh/sftp from the ISE to the NCM? Please elaborate.

If you're are trying to ssh from the NCM to the ISE and you want to lock down the ISE, you can do this on the ISE:

service sshd enable
service sshd encryption-algorithm aes256-ctr
service sshd encryption-mode ctr
service sshd key-exchange-algorithm ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
service sshd loglevel 4

Even then, it is not completed. If you want to lock it down further, open a ticket with TAC and they will root into the ISE and lock it down from "/etc/ssh/sshd_config".

If you ssh from the ISE to the NCM, then you need to modify the /etc/ssh/sshd_config on the NCM. The other way is to lock down the /etc/ssh/ssh_config on the ISE but this method will require TAC to root into the ISE and make the configuration chance.

Re: Identity Services Engine (ISE)

Arne Bier — Sun, 18 Feb 2024 20:30:52 GMT

If the ISE CLI does not tell you much more (e.g. you can enable a debug and then run a show repo),

debug transfer 7 show repo MyRepoName

then run a tcpdump on that node and analyse the TCP handshake in wireshark.

You'll need a TAC case to access any of the Linux /etc files if that is indeed the solution to your problem.

Re: Identity Services Engine (ISE)

RS19 — Sun, 18 Feb 2024 23:57:49 GMT

The ISE which is used is Windows based system. In this scenario where should I check the settings ?

Re: Identity Services Engine (ISE)

Arne Bier — Mon, 19 Feb 2024 00:09:35 GMT

You're using NCM (Network Configuration Manager) from Solarwinds to run an SFTP server - that runs on Windows. Ok. I am not too familiar with NCM, but the NCM system I have access to has a very primitive SFTP implementation. I don't see any nerd knobs to change much. All you can do is add user accounts and set a common base directory.

Perhaps consider using a more capable SFTP implementation - e.g. Linux

Re: Identity Services Engine (ISE)

RS19 — Mon, 19 Feb 2024 01:55:43 GMT

sorry ignore the above

Re: Identity Services Engine (ISE)

RS19 — Mon, 19 Feb 2024 06:00:08 GMT

I am tyring to take hte configuration datta backup of the Cisco ISE to Device Expert NCM using SFTP.
If fails.
In NCM there are many Key EXchanges allowed. When all the Key exchanges are selected at the NCM side the backup of ISE > NCM is successful.
But as per secutiy only specific key exchanges needs to be allowed.

Re: Identity Services Engine (ISE)

RS19 — Mon, 19 Feb 2024 06:09:39 GMT

I did the command show repo "myreponame"
Got the error that %Error: Repository myreponame could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository (expected behaviour)

Re: Identity Services Engine (ISE)

RS19 — Mon, 19 Feb 2024 06:10:11 GMT

I am taking the configuration back up of ISE

Re: Identity Services Engine (ISE)

ahollifield — Mon, 19 Feb 2024 13:30:00 GMT

So did you restore? Is this is a new setup?

Re: Identity Services Engine (ISE)

adamscottmaster2013 — Mon, 19 Feb 2024 20:14:58 GMT

@RS19: it is using one of the following algorithms:

Kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

Now if you want to be sure which one is using, start removing one of these at the times and restart the sshd daemon on the NCM, I assume that it is Linux, then test again from the ISE using "show repository". Keep removing enough until it fails. When it fails, that's your answer.

Re: Identity Services Engine (ISE)

Arne Bier — Mon, 19 Feb 2024 20:51:53 GMT

First, get a warm fuzzy feeling that the comms to the repo is working. I would do the following.

place any file in the directory to which the repo is pointing (e.g. a text file)
check in the ISE CLI that you can see the file when you issue the CLI command "show repo myreponame"
If that fails, then re-run the same command with debug enabled - the debug command is "debug transfer 7"
Failing that, go back into ISE GUI and re-configure the repo password - and then set the same password in the NCM for that user account

if all that doesn't work, then you have a deeper issue. Perhaps try FTP instead of SFTP to see if you have any better luck (although FTP uses different TCP ports to SFTP)

Some ISE versions were a bit buggy with regards to SFTP - what version are you running and what patch level?