Supported Ciphers for ISE repository

Hello Guys and Gals,

I have a question with regard to supported ISE ciphers...

To make a long story short, we are unable to save to our repository since we migrated over to our new Toolbox Server. The TAC engineer stated that ciphers were at fault here, so we are asking if ISE supports the following ciphers:

srmcucsisepanad01/admin# ssh 10.32.3.11 NetOpsFTP
Unable to negotiate with 10.32.3.11 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr

Is there a way we can add these ciphers to ISE? If not, can we have a list of ciphers that are supported so we can adjust on our end?

Thanks,

-Robert

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Supported Ciphers for ISE repository

I believe you are hitting this known issue -- CSCum13116

Please work with Cisco TAC and see if it helps by adding the ciphers in ISE temporarily.

VIP Advocate

Re: Supported Ciphers for ISE repository

Hi @hslai and rob.alvarado@live.com

My customer ran into this same issue. Their SFTP server is a Microsoft box running OpenSSH. I was able to reproduce this in the lab using the Windows 10 SFTP implementation (which now comes free with Windows 10).

Incidentally, I have never seen this issue with Linux-based SSHD implementations (because I assume they leave a lot of the legacy ciphers enabled).

I tested this in my lab and the only change I made to my Windows OpenSSH sshd_config file was to add the line below – it leaves the other ciphers in place and only ADDs one more (for ISE):

ciphers +aes256-cbc

I did enable the debugging command too:

LogLevel DEBUG

Because this was a fresh install, I didn’t change any other lines of the config file.

By the way, I found two config files in two different locations! Don’t be fooled – the one that the Windows Service uses (in my case) was here:

C:\ProgramData\ssh\sshd_config

And you should be able to view the log (very useful when combined with the DEBUG level enabled):

C:\ProgramData\ssh\logs\sshd.log

When is this going to be fixed in ISE??

Cisco Employee

Re: Supported Ciphers for ISE repository

aes-256-cbc, aes-128-cbc are for sure supported. The other ciphers change from version to version. To answer your question whether or not you can specify what cipher to use on the ISE, you cannot. @hslai has already provided the bug ID filed for this issue.
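
The mismatch discussed in this thread, as an added example that is not part of any post above and is not Cisco or OpenSSH code: it models SSH cipher selection (RFC 4253, section 7.1: the first cipher on the client's list that the server also offers) before and after the `ciphers +aes256-cbc` line. Assumptions: the ISE client list contains only the two CBC ciphers named in the last reply, written with OpenSSH-style names, and the function names are hypothetical.

```python
# Added example: models SSH cipher negotiation for the mismatch in this thread.
# The cipher lists below are constructed from values quoted in the posts.

# Server offer quoted in the error message in the original question.
SERVER_OFFER = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]

# Assumption: the ISE client proposes only the two CBC ciphers that the last
# reply names as supported (OpenSSH-style spelling).
ISE_CLIENT = ["aes256-cbc", "aes128-cbc"]


def parse_offer(error_line):
    """Extract the peer's cipher list from a 'no matching cipher' error."""
    marker = "Their offer:"
    if marker not in error_line:
        return []
    offer = error_line.split(marker, 1)[1]
    return [c.strip() for c in offer.split(",") if c.strip()]


def effective_ciphers(defaults, config_line):
    """Apply an sshd_config 'Ciphers' line to the server's default list.
    A leading '+' appends to the defaults; a plain list replaces them.
    The '-' and '^' prefixes are not modelled here."""
    keyword, _, value = config_line.strip().partition(" ")
    if keyword.lower() != "ciphers":  # sshd_config keywords ignore case
        return list(defaults)
    value = value.strip()
    if value.startswith("+"):
        extra = [c for c in value[1:].split(",") if c]
        return list(defaults) + [c for c in extra if c not in defaults]
    return [c for c in value.split(",") if c]


def negotiate(client, server):
    """Return the first client cipher the server also offers, else None
    (the 'no matching cipher found' case)."""
    for cipher in client:
        if cipher in server:
            return cipher
    return None


if __name__ == "__main__":
    err = ("Unable to negotiate with 10.32.3.11 port 22: no matching cipher "
           "found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr")
    before = parse_offer(err)
    after = effective_ciphers(before, "ciphers +aes256-cbc")
    print("before:", negotiate(ISE_CLIENT, before), "| after:", negotiate(ISE_CLIENT, after))
```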