10-17-2018 02:11 AM
Hi Guys,
In the customer's VA/PT it has been found that ISE 2.3P4 is using weak ciphers (aes-128-cbc & aes-256-cbc) for SSH, and now Cisco has been asked to disable these ciphers and enable aes-128-ctr and aes-256-ctr.
We tested this in a lab environment and it works with SecureCRT8.5.1; however, the question is:
If I give this solution to the customer, and in future any issue comes up and the customer reaches out to Cisco, will Cisco provide support in this case, as I don't see this kind of practice of changing things with root access?
Many Thanks,
Regards,
Jay
10-17-2018 07:46 AM
If it was changed using the regular CLI, using the following command, then it is supported. The following command is available with ISE 2.4p4:
ise/admin(config)# service sshd encryption-algorithm ?
  aes128-cbc  Configure aes128-cbc algo
  aes128-ctr  Configure aes128-ctr algo
  aes256-cbc  Configure aes256-cbc algo
  aes256-ctr  Configure aes256-ctr algo
10-21-2018 02:41 AM - edited 10-21-2018 02:42 AM
Adding to Hosuk's, CSCux88538 is resolved in ISE 2.4, ISE 2.3 Patch 3, 2.2.1 Patch 1, and 2.2 Patch 7 to provide such options:
myISE22/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
myISE22/admin(config)# service sshd ?
  enable                  Enable sshd service
  encryption-algorithm    Configure SSH encryption algorithms. supported algorithms are a
  encryption-mode         Configure SSH encryption mode on system. Supported modes are cb
  key-exchange-algorithm  Specify allowable key exchange algorithms for sshd service
  loglevel                Log level of messages from sshd to secure system log
myISE22/admin(config)# service sshd encryption-mode ?
  cbc  Configure cbc cipher suites (aes128-cbc and aes256-cbc)
  ctr  Configure ctr cipher suites (aes128-ctr and aes256-ctr)