topic I am trying to add an SFTP in Network Access Control

How do I enable "Host-key" for my sftp server on ISE?

RSundstrom — Mon, 11 Mar 2019 04:13:39 GMT

Hello,

I am having trouble copying my ISE 1.2 upgrade files to my local repositories.

Here is a cut and paste from my CLI on one of my ISE nodes after attemtping to copy from my workstation (running an SFTP server) to one of my ISE nodes.

XXX-ise-01/admin# Copy sftp://<My_SFTP_Server_IP_Address>/ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz. disk:/

Username: Admin

Password:

% ERROR : Backup failed due to one of the following reasons

1. host-key option is not configured

2. host key is removed because of re-image

3. host key is removed from some other repository having same ip/hostname

% Please reconfigure the host-key option

% Error: Transfer failed

I have not configured anything with the "Host-Key" option.

I have googled and searched but can only find limited references to the "Host-key" command within Cisco. I have tried various forms of this on the ISE node with no luck.

I tried an FTP transfer but that did not work.

Any ideas?

How do I enable "Host-key" for my sftp server on ISE?

Tarik Admani — Mon, 30 Dec 2013 23:52:09 GMT

You may want to try adding a this repository to your local configuration as an sftp server as that should start the host-key process.

Thanks,

Tarik Admani
*Please rate helpful posts*

How do I enable "Host-key" for my sftp server on ISE?

Naresh Ginjupalli — Tue, 31 Dec 2013 01:50:34 GMT

HI Robert,

The other option is to configure SFTP repository and local repository in ISE from CLI and get it downloaded to local repository.

The example of configuring sftp repository with in ISE from CLI is as follows:

When configuring url sftp: in the submode, you must provide the host-key under repository configuration through CLI and the RSA fingerprint is added to the list of SSH known hosts.

To disable this function, use the no form of host-key host command in the submode.

Cisco ISE displays the following warning when you configure a secure ftp repository in the administration user interface in Administration > System > Maintenance > Repository > Add Repository.

The host key of the SFTP server must be added through the CLI by using the host-key option before this repository can be used.

A corresponding error is thrown in the Cisco ADE logs when you try to back up into a secure FTP repository without configuring the host-key.

Example 1

ise/admin# configure termainal

ise/admin(config)# repository myrepository

ise/admin(config-Repository)# url sftp://ise-pap

ise/admin(config-Repository)# host-key host ise-pap

host key fingerprint added

# Host ise-pap found: line 1 type RSA

2048 f2:e0:95:d7:58:f2:02:ba:d0:b8:cf:d5:42:76:1f:c6 ise-pap (RSA)

ise/admin(config-Repository)# exit

ise/admin(config)# exit

ise/admin#

Example 2

ise/admin# configure termainal

ise/admin(config)# repository myrepository

ise/admin(config-Repository)# url sftp://ise-pap

ise/admin(config-Repository)# no host-key host ise-pap

ise/admin(config-Repository)# exit

ise/admin(config)# exit

ise/admin#

How do I enable "Host-key" for my sftp server on ISE?

RSundstrom — Thu, 02 Jan 2014 16:33:03 GMT

Hello,

I configured the host-key option as you suggested and it apparently worked well. I still am having troubles transferring the upgrade file to the ISE local disk.

I am entering this command on the ISE CLI...

XXX-ISE-01/admin# copy sftp://SFTP_Server_IP_Address/ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gZ disk:/

The response I get from ISE is this...

XXX_ISE-01/admin# copy sftp://SFTP_Server_IP_Address/ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gZ disk:/

Username: AdminUserName

Password:

% Error: Transfer failed

(The SFTP_Server_IP_Address is the IP address of my desktop which is running an SFTP server. The file to be transferred is located on the root of the sftp server.)

There is about a 60 second pause from the point at which I enter my password and click "Enter" and the point at which it comes up with the "% Error: transfer failed" message.

After I attempt the file transfer I enter the "show repo local" command on the ISE CLI there is the file name shown but when I enter the "dir" command the file shows that it has a file size of 0 (zero).

I have no firewalls between my desktop SFTP server and the ISE node.

Any ideas?

Re: How do I enable "Host-key" for my sftp server on ISE?

Tarik Admani — Thu, 02 Jan 2014 19:45:46 GMT

I was wondering why the last character is capitalized. Also are you able to copy files from the disk file over to the same repository. I havent had any problems and I see in a seperate thread that the user gave other directions on how to transfer the file.

If you can open two ssh connection and try to run the following command to tail the logs:

"show logging system ade/ADE.log tail"

You should get some messaging behind the error you are receiving, for example I went to look for a file that did not exist (even though I am using ftp you should get the same error).

Here is when the transfer fails:

2014-01-02T13:41:22.506519-06:00 ise01 ADE-SERVICE[4786]: [30325]:[info] transfe

r: cars_xfer.c[264] [tadmani]: ftp copy in of ftp://172.16.249.1/test requested

2014-01-02T13:41:22.522470-06:00 ise01 ADE-SERVICE[4786]: [30325]:[error] transf

er: cars_xfer_util.c[349] [tadmani]: curl error: FTP: couldn't retrieve (RETR fa

iled) the specified file

2014-01-02T13:41:22.523040-06:00 ise01 ADE-SERVICE[4786]: [30325]:[error] copy:

cm_copy.c[1144] [tadmani]: local file disk:/ transfer from url ftp://172.16.249.

1/test failed retcode=-302

2014-01-02T13:41:22.527148-06:00 ise01 ADEOSShell[30325]: ADEAUDIT 3017, type=CO

PY, name=COPY IN FILE FAILED, username=tadmani, cause=Error while copying file f

rom remote system, adminipaddress=172.16.247.12, interface=CLI, detail=Disk file

disk:/ transfer from url ftp://172.16.249.1/test failed

Here is when login fails:

curl error: FTP: login denied

Here is some logging around a successful transfer -

2014-01-02T13:44:46.897499-06:00 ise01 ADE-SERVICE[4786]: [30766]:[info] transfe

r: cars_xfer.c[264] [tadmani]: ftp copy in of ftp://172.16.249.1/running-config

requested

2014-01-02T13:44:46.934972-06:00 ise01 ADEOSShell[30766]: ADEAUDIT 2042, type=CO

PY, name=COPY FILE, username=tadmani, cause=Copied a file, adminipaddress=172.16

.247.12, interface=CLI, detail=Copied disk file disk:/ from url ftp://172.16.249

.1/running-config successfully

Thanks,

Tarik Admani
*Please rate helpful posts*

How do I enable "Host-key" for my sftp server on ISE?

RSundstrom — Thu, 02 Jan 2014 20:49:24 GMT

Hello Tarik,

I have tried all these things without success. I am going to open a case with Cisco TAC. I will update this thread when I am successful.

Thank you,

Bob

How do I enable "Host-key" for my sftp server on ISE?

RSundstrom — Tue, 07 Jan 2014 20:19:05 GMT

Hello again Tarik,

I was still unsuccessful with my file transfer using SFTP. Because of time restraints I used FTP to get the file transferred.

One of the mistakes I was making was in my understanding of the CLI programming for the repository. First, to create a repository when upgrading to Version 1.2 you can only use the CLI to accomplish this. You cannot use the Create Repository location on the UI.

When creating a repo you will enter...

isebox01/admin(config)# repository SFTP

In the above line the SFTP does not refer to the protocol to be used at all. It simply is naming the repo.

isebox01/admin(config)# user cisco password plain C1sc0123

isebox01/admin(config)# url sftp:172.17.1.7

In the above line the protocol to be used is now named. It is sftp. If you wanted to use FTP you would have entered ftp here.

Thank you all for your help,

I hope this helps the next admin.

Bob

How do I enable "Host-key" for my sftp server on ISE?

RSundstrom — Fri, 17 Jan 2014 21:04:38 GMT

I was finally successful in creating a functioning SFTP repository. Here is what I had to do...

On my SFTP server on my workstation I deleted all my user accounts and created one new user.

Next. I went to the ISE UI and deleted the SFTP repository that I had been using.

Next. I went to the ISE GUI and deleted the same SFTP repo again.

Next. I created a new repo in the ISE GUI and pointed it at the SFTP server in my desktop workstation.

Next. I went to the ISE CLI and from the # prompt I added the crypto host-key add "IP_Address_of_workstation".

This finally got the job done.

Basically, I had to delete everything and re-enter it along with the crypto host-key add command.

I hope this helps someone!

Tarik, thank you for your help,

Bob

I am trying to add an SFTP

kylerossd — Thu, 03 Mar 2016 18:15:19 GMT

I am trying to add an SFTP Repository in ISE 2.0 patch 2. I create the repo in the GUI, then went to the CLI to add the host key. If I use hostname or IP Address I get the same error.

ISE/admin# crypto host_key add host sftp-server
7 [27143]:[debug] locks:file: lock.c[384] [admin]: obtained ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[390] [admin]: INVOKED: releasing ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[419] [admin]: released ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[384] [admin]: obtained ssh-pubkey lock
%host-key add failed
3 [27143]:[error] config:repository: crypto_cli.c[1310] [admin]: host-key add failed
7 [27143]:[debug] locks:file: lock.c[390] [admin]: INVOKED: releasing ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[419] [admin]: released ssh-pubkey lock

As well, in ISE 2.0 you cannot put the key under the repo itself, it all under exec mode.

ISE/admin(config)# repository SFTP-BACKUP
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.
ISE/admin(config-Repository)# ?
Configure Repository:
do EXEC command
end Exit from configure mode
exit Exit from this submode
no Negate a command or set its defaults
url Configure Repository URL
user Configure repository username and password for access

Time and timezone are perfect. Anyone know why it is failing?