Another backup failure in Cisco ISE 3.0 & ISE 3.1, even latest patches

Another bug in Cisco ISE version 3.0 and 3.1, even with the latest patch, or so it seems, and Ubuntu 22.04.1 LTS.

I tried to back up both my ISE 3.0 and ISE 3.1 using PKI instead of a password via sFTP, and this is what I did:

#1: create a new repository called sFTP_ubuntu,
#2: generate a key pair,
#3: export the public key and put it in the sFTP server's .ssh/authorized_keys file,
#4: use the command "crypto host_key add host sFTP_ubuntu_IP_address".

Everything is good so far.  From the command line, when I do "show repository sFTP_ubuntu", I can see all the backup files. 

BUT if I go to the Administration --> System --> Backup & Restore and select sFTP_ubuntu repository, it comes back empty.

If I change the authentication from PKI to password, I can see all the backup files from both the UI and CLI.

I really don't want to open a TAC case with Cisco because Cisco TAC engineers are awful lately.  I am switching back to password instead of PKI.  I didn't see this issue when sFTP server is CentOS.

Greg Gibbs
Cisco Employee

The symptoms sound like it could be related to this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb04898

For what it's worth, I have a customer running ISE 3.1p4 with an SFTP server hosted on AWS (Transfer Family) using PKI authentication. The backup works from the GUI and the historic backup files can be seen either from the CLI (show repository) or the GUI (Backup & Restore page), so in general SFTP using PKI auth does work.


@Greg Gibbs :  With all due respect, how is the bug related to the issue I am seeing?  The account on my Ubuntu sFTP server is a local account.  Furthermore, as far as I can tell, it is only centered around Ubuntu 22.0.4 and higher.  I didn't see this issue with CentOS 7.x and Ubuntu 20.0.4.  sFTP didn't work on the ISE 3.1 until Cisco released patch 4.  Therefore, it is definitely an issue with the ISE.  

hslai
Cisco Employee

@adamscottmaster2013 I tried it with Ubuntu 22.04 Desktop OS as the SFTP server and was able to get it to work with ISE 3.1 Patch 4. I did not notice that it failed when I switched an existing SFTP repository from password to PKI and that it only worked with a new SFTP repository created with PKI enabled.

@hslai :  Thank you.  With my scenario, it doesn't work entirely even with a new sFTP repository via PKI.  It works in the CLI "show repository ubuntu" but not in the UI.  I captured the traffic on the SFTP server and it seems the authentication is successful but the ISE server is not retrieving the list of files from the sFTP server.

Forgot to mention that I have two (2) sFTP repositories on the ISE.  One repo is CentOS7 and the other one is Ubuntu 22.0.4.1 LTS.  No issue with CentOS-7, only with 22.0.4.1 LTS.  The ISE couldn't retrieve files from Ubuntu when I switched back and forth between CentOS-7 and Ubuntu 22.0.4.1 LTS.

hslai
Cisco Employee

@adamscottmaster2013 I tried the following 5 Linux distributions and was able to get them all working as SFTP repositories for ISE 3.1 Patch 4.

Linux | OpenSSH
--- | ---
Arch - 6.0.12-arch1-1 | 9.1p1, OpenSSL 3.0.7 1 Nov 2022
Fedora 35 - 6.0.12-100.fc35.x86_64 | 8.7p1, OpenSSL 1.1.1q FIPS 5 Jul 2022
Fedora 36 - 6.0.12-200.fc36.x86_64 | 8.8p1, OpenSSL 3.0.5 5 Jul 2022
Gentoo - 5.15.80-gentoo-dist | 9.0p1, OpenSSL 1.1.1q 5 Jul 2022
Ubuntu 22.04.1 LTS - 5.15.0-56-generic | 8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022

I noticed that PKI would only work if the public keys were already added to the SFTP server username's authorized_keys file.

Also note that ISE admin CLI users and web UI are not using the same set of SSH keys.
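A check that can be run on the SFTP server account after step #3 of the original post, before a repository is switched to PKI, covering the two points hslai makes above: every ISE public key (the admin CLI key and the web UI key are different) must already be in authorized_keys, and the home directory, .ssh and authorized_keys must not be group/world writable or sshd ignores the key. This is an added example, not code from the thread or from Cisco; the key strings are constructed placeholders, and the checker assumes a Linux server with POSIX sh, `ls -ld` and `mktemp`.

```shell
#!/bin/sh
# Checks an SFTP server account before an ISE repository is switched to PKI:
# each ISE public key must already be in ~/.ssh/authorized_keys, and the home
# directory, ~/.ssh and authorized_keys must not be group/world writable, or
# sshd (StrictModes yes, the default) silently ignores the key.
# Usage: check_ise_authorized_keys <home_dir> <ise_pubkey_file>...
check_ise_authorized_keys() {
    home="$1"; shift
    ak="$home/.ssh/authorized_keys"
    rc=0
    if [ ! -f "$ak" ]; then
        echo "FAIL: $ak does not exist"; return 1
    fi
    for p in "$home" "$home/.ssh" "$ak"; do
        # ls -ld prints e.g. "drwxrwxr-x"; columns 6 and 9 are the group/other write bits
        perm=$(ls -ld "$p" | cut -c1-10)
        case "$perm" in
            ?????w????|????????w?) echo "FAIL: $p is group/world writable ($perm)"; rc=1 ;;
        esac
    done
    for keyfile in "$@"; do
        # Compare the base64 key blob (field 2) so a different trailing comment does not matter
        blob=$(awk 'NR==1 {print $2}' "$keyfile")
        if grep -qF -- "$blob" "$ak"; then
            echo "ok: key from $keyfile present in $ak"
        else
            echo "FAIL: key from $keyfile missing from $ak"; rc=1
        fi
    done
    return $rc
}

# Constructed scenario for demonstration (placeholder keys, not real ISE key material).
# $1 is "good", "missing-gui-key" or "world-writable-ssh"; returns the checker's result.
demo_scenario() {
    d=$(mktemp -d); home="$d/ise-backup"
    mkdir -p "$home/.ssh"
    # Stand-ins for the two keys hslai mentions: the admin CLI key and the web UI key
    echo "ssh-rsa AAAACONSTRUCTEDCLIKEY= ise-cli@ise31" > "$d/ise_cli.pub"
    echo "ssh-rsa AAAACONSTRUCTEDGUIKEY= ise-gui@ise31" > "$d/ise_gui.pub"
    cat "$d/ise_cli.pub" > "$home/.ssh/authorized_keys"
    if [ "$1" != "missing-gui-key" ]; then cat "$d/ise_gui.pub" >> "$home/.ssh/authorized_keys"; fi
    chmod 700 "$home" "$home/.ssh"; chmod 600 "$home/.ssh/authorized_keys"
    if [ "$1" = "world-writable-ssh" ]; then chmod 777 "$home/.ssh"; fi
    rc=0
    check_ise_authorized_keys "$home" "$d/ise_cli.pub" "$d/ise_gui.pub" || rc=$?
    rm -rf "$d"
    return $rc
}
```

On a real server, run `check_ise_authorized_keys /home/<sftp-user> ise_cli.pub ise_gui.pub` with the public keys exported from the ISE; a FAIL line points at the reason sshd would fall back to rejecting the key rather than at an ISE-side problem.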