Identity Services Engine (ISE)

RS19
Level 4

This is regarding ISE. I am using Manage Engine (NCM) to take the backup of ISE.

In NCM there are many Key Exchanges allowed. When all the Key Exchanges are selected at the NCM side the backup of ISE > NCM is successful.
But as per security only specific key exchanges need to be allowed.

I need to identify which key exchange my ISE is using, so that I can configure the same in the NCM. How do I identify it?
Below is the output of show crypto host_keys from ISE, where 10.10.10.10 is the NCM server IP.

1024 SHA256:xxxxxxxxxxxxxxxxxdfdfereddredddddd 10.10.10.10 (RSA)

From the above output is it possible to identify which key algorithm is used?

21 Replies

Sorry, ignore the above.

I did the command show repo "myreponame".
Got the error that %Error: Repository myreponame could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository (expected behaviour)

So did you restore? Is this a new setup?

@RS19:  it is using one of the following algorithms:

Kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

Now if you want to be sure which one it is using, start removing one of these at a time and restart the sshd daemon on the NCM, I assume that it is Linux, then test again from the ISE using "show repository". Keep removing until it fails. When it fails, that's your answer.

Yes, this is what I am planning to do. But I was thinking, is there any better way to do it?

@RS19:  Yes, there is a better way to do it.

1- run tcpdump on the ISE: Operations --> Troubleshoot --> Diagnostic Tools --> Tcpdump --> Select the ISE node you want to run tcpdump from

2- perform "show repository repo_name"

3- stop tcpdump and download the .gz file; extract the file and view it in wireshark.

You will see something like what I am seeing below:

Kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

Then just shut off what you don't want and restart the sshd daemon on the NCM and it should work.

Simple, right?
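The capture step above works because both sides announce their supported kex algorithms in clear text in SSH_MSG_KEXINIT before any encryption starts, and RFC 4253 picks the first entry in the client's list that the server also lists. The following is an added example, not code from the thread or from Cisco; it parses a KEXINIT payload the way Wireshark decodes it and computes the algorithm that would be negotiated. The KEXINIT bytes and the NCM server list are constructed for the demo; the ISE client list is the one quoted in the reply above.

```python
import struct
from typing import Dict, List, Optional

SSH_MSG_KEXINIT = 20  # message number, RFC 4253 section 7.1

# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Split a KEXINIT payload (packet payload without the length/padding
    framing, as Wireshark shows it) into its comma-separated name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip 1-byte message id and the 16-byte cookie
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + name)
        out[name] = [a for a in raw.decode("ascii").split(",") if a]
        pos += 4 + length
    return out  # trailing first_kex_packet_follows / reserved fields ignored

def negotiated_kex(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 rule: the first algorithm in the client's list that the
    server also lists is chosen; None means the connection will fail."""
    return next((a for a in client if a in server), None)

def build_kexinit(kex_list: str) -> bytes:
    """Constructed KEXINIT payload for the demo (not captured traffic)."""
    def nl(s: str) -> bytes:
        return struct.pack(">I", len(s)) + s.encode("ascii")
    lists = [kex_list, "ssh-rsa", "aes256-ctr", "aes256-ctr",
             "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(map(nl, lists))
            + b"\x00" + b"\x00\x00\x00\x00")

# Client offer as listed in the reply above (ISE is the SSH client here).
ISE_KEX = parse_kexinit(build_kexinit(
    "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"))["kex_algorithms"]
```

With a hypothetical hardened NCM offering only `diffie-hellman-group14-sha256` and `ecdh-sha2-nistp256`, `negotiated_kex(ISE_KEX, [...])` returns `ecdh-sha2-nistp256`, because it is the earlier entry in the ISE client list; if the NCM offered none of the ISE algorithms it returns `None`, which is the "repository could not be accessed" case.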

First, get a warm fuzzy feeling that the comms to the repo are working. I would do the following.

  • place any file in the directory to which the repo is pointing (e.g. a text file)
  • check in the ISE CLI that you can see the file when you issue the CLI command "show repo myreponame"
  • If that fails, then re-run the same command with debug enabled - the debug command is "debug transfer 7"
  • Failing that, go back into ISE GUI and re-configure the repo password - and then set the same password in the NCM for that user account

If all that doesn't work, then you have a deeper issue. Perhaps try FTP instead of SFTP to see if you have any better luck (although FTP uses different TCP ports to SFTP).

Some ISE versions were a bit buggy with regards to SFTP - what version are you running and what patch level?