RD77
Beginner

Cisco ISE SFTP backup issue

Hi,

We are trying to run a backup from an ISE v3.0p5 with an SFTP server.

When I try to add the SFTP key with "crypto host_key add host x.x.x.x", the key is not fetched.

 

When I try to ssh to the SFTP server, I get the following: 

ise-01/admin# ssh x.x.x.x backup
Operating in CiscoSSL FIPS mode
FIPS mode initialized
Unable to negotiate with x.x.x.x. port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

 

I also made a tcpdump and I can see that the ISE tries to negotiate with:

server_host_key_algorithms: ssh-rsa

Where the server replies with:

server_host_key_algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

 

From what I understand, the server refuses the server_host_key_algorithms since the key of the ISE server is ssh-rsa.

Is it possible to generate a stronger key for the ISE server?

Is it the default for ISE?

Thanks

 

 

1 ACCEPTED SOLUTION

Rob Ingram
VIP Expert

@RD77 I don't think it's possible to reconfigure ISE to use different SSH ciphers; previously I've had to reconfigure the SFTP server to support the ciphers ISE supports.

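The mismatch described in the question, as an added example that is not part of the original thread: a Python sketch that parses the OpenSSH-style negotiation error and applies the RFC 4253 selection rule (the first client algorithm that the server also lists). The function names are hypothetical, the error line is the one quoted in the question, and the client list is the one seen in the poster's tcpdump.

```python
import re

# Constructed sample: the error line quoted in the question (address redacted there).
SAMPLE_ERROR = (
    "Unable to negotiate with x.x.x.x. port 22: no matching host key type found. "
    "Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519"
)
# Client list seen in the poster's tcpdump.
CLIENT_HOST_KEY_ALGS = ["ssh-rsa"]

_ERR = re.compile(
    r"Unable to negotiate with (?P<peer>\S+?)\.? port (?P<port>\d+): "
    r"no matching (?P<what>[a-z ]+) found\. Their offer: (?P<offer>\S+)"
)

def parse_negotiation_error(line):
    """Return peer, port, failed category and the server's offer, or None."""
    m = _ERR.search(line)
    if m is None:
        return None
    return {"peer": m["peer"], "port": int(m["port"]),
            "what": m["what"], "offer": m["offer"].split(",")}

def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1: pick the first client algorithm the server also lists."""
    offered = set(server_algs)
    return next((a for a in client_algs if a in offered), None)

def diagnose(line, client_algs):
    """Explain a failed negotiation from the client's point of view."""
    err = parse_negotiation_error(line)
    if err is None:
        raise ValueError("not an SSH negotiation error line")
    offer = err["offer"]
    return {
        "category": err["what"],
        "chosen": negotiate(client_algs, offer),
        "client_only": [a for a in client_algs if a not in offer],
        "server_only": [a for a in offer if a not in client_algs],
        # rsa-sha2-* (RFC 8332) signs with the same RSA host key as ssh-rsa,
        # so the server has an RSA key but will not sign with SHA-1.
        "server_has_rsa_key": any(a.startswith("rsa-sha2-") for a in offer),
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_ERROR, CLIENT_HOST_KEY_ALGS).items():
        print(f"{key}: {value}")
```

An empty `chosen` together with a non-empty `server_only` list shows which algorithms one side would have to add before the `crypto host_key add` fetch can succeed.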

5 REPLIES 5
balaji.bandi
VIP Guru