Identity Services Engine (ISE)

RS19
Level 4

This is regarding ISE. I am using Manage Engine (NCM) to take the backup of ISE.

In NCM there are many Key EXchanges allowed. When all the Key exchanges are selected at the NCM side the backup of ISE > NCM is successful. 
But as per security, only specific key exchanges need to be allowed.

I need to identify which key exchange my ISE is using, so that I can configure the same in the NCM. How do I identify it?
Below is the output of show crypto host_keys from ISE, where 10.10.10.10 is the NCM server IP

1024 SHA256:xxxxxxxxxxxxxxxxxdfdfereddredddddd 10.10.10.10 (RSA)


From the above output, is it possible to identify which key algorithm is used?

21 Replies

@RS19:  ISE is running either CentOS-7 or CentOS-8 and the configuration is in the /etc/ssh/ssh_config file (you need root to change this).  By default, it will send out the following:

debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@open...

It is up to your NCM to accept or refuse what can be allowed.  For example, I only accept these host algorithms on my Linux server:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

Therefore, it is up to you to configure on the NCM what you can accept.  On most Linux systems, that would be in the /etc/ssh/sshd_config.

Does that make sense?


ISE is not based on CENTOS.  It is based on RHEL.

@ahollifield:  It is almost exactly the same.  If you look at the /etc/ssh/ssh_config and /etc/ssh/sshd_config file in both CentOS and RHEL, they are both identical.  

Thanks for your explanation. But I would like to clarify the below.
The below has been enabled in my ISE

1024 SHA256:xxxxxxxxxxxxxxxxxdfdfereddredddddd 10.10.10.10 (RSA)
10.10.10.10 is my NCM server IP address.
In my NCM have enabled as attached. 
Irrespective of that, it is not working?

In NCM rsa1024-sha1 is enabled.

In addition, I did SSH to the ISE & I am in /admin#
From this prompt, how do I check the config file?

You don’t. ISE config is GUI and API driven.

@RS19:  What are you trying to accomplish?  Are you trying to ssh/sftp from the NCM to the ISE or are you trying to ssh/sftp from the ISE to the NCM?  Please elaborate.

If you're trying to ssh from the NCM to the ISE and you want to lock down the ISE, you can do this on the ISE:

service sshd enable
service sshd encryption-algorithm aes256-ctr
service sshd encryption-mode ctr
service sshd key-exchange-algorithm ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
service sshd loglevel 4

Even then, it is not completed.  If you want to lock it down further, open a ticket with TAC and they will root into the ISE and lock it down from "/etc/ssh/sshd_config".

If you ssh from the ISE to the NCM, then you need to modify the /etc/ssh/sshd_config on the NCM.  The other way is to lock down the /etc/ssh/ssh_config on the ISE, but this method will require TAC to root into the ISE and make the configuration change.


I am trying to take the configuration data backup of the Cisco ISE to Device Expert NCM using SFTP.
It fails.
In NCM there are many Key Exchanges allowed. When all the Key exchanges are selected at the NCM side the backup of ISE > NCM is successful.
But as per security, only specific key exchanges need to be allowed.

I need to identify which key exchange my ISE is using, so that I can configure the same in the NCM. How do I identify it?
Below is the output of show crypto host_keys from ISE, where 10.10.10.10 is the NCM server IP

1024 SHA256:xxxxxxxxxxxxxxxxxdfdfereddredddddd 10.10.10.10 (RSA)

What do you mean by "take the backup of ISE"?  ISE doesn't support any backup utilities other than the built-in one, which copies the backup files to an external repository.  Do you mean you are only having NCM do a "show run" of the CLI?

I am taking the configuration backup of ISE.

Arne Bier
VIP

If the ISE CLI does not tell you much more (e.g. you can enable a debug and then run a show repo),

debug transfer 7
show repo MyRepoName

then run a tcpdump on that node and analyse the TCP handshake in Wireshark.

You'll need a TAC case to access any of the Linux /etc files if that is indeed the solution to your problem.
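A note on what the two approaches in this thread actually reveal: the `show crypto host_keys` line quoted in the question is a known-hosts entry, so it names the host key of 10.10.10.10 (a 1024-bit RSA key), not the key-exchange method. The KEX is chosen from the two KEXINIT name-lists, the kind shown in the debug2 output earlier in the thread, with the client's order of preference winning; a tcpdump capture recovers those same lists from the wire. The following added example (editor's code, not from the thread, ISE or NCM) parses both forms and computes the negotiated algorithms per RFC 4253 section 7.1. The `ssh -vv` excerpt and the `WEAK_KEX` policy set are constructed for illustration and are not the asker's environment.

```python
"""Reconstruct an SSH key-exchange negotiation from the two KEXINIT proposals
(RFC 4253 section 7.1). Input can be the binary SSH_MSG_KEXINIT payload pulled
out of a packet capture, or the 'debug2:' lines printed by 'ssh -vv'.
Added example, not ISE or NCM code; the sample data below is constructed."""
import re
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT, in wire order.
FIELDS = ("kex", "host_key", "enc_ctos", "enc_stoc", "mac_ctos", "mac_stoc",
          "comp_ctos", "comp_stoc", "lang_ctos", "lang_stoc")
# OpenSSH debug2 labels for the lists that matter for negotiation.
DEBUG2_LABELS = {"KEX algorithms": "kex", "host key algorithms": "host_key",
                 "ciphers ctos": "enc_ctos", "ciphers stoc": "enc_stoc",
                 "MACs ctos": "mac_ctos", "MACs stoc": "mac_stoc"}
# Example policy (an assumption for this example): SHA-1 based exchanges are weak.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1", "rsa1024-sha1"}

# Constructed 'ssh -vv' excerpt: the client offers modern methods first; the
# server (think of a restrictive SFTP target) offers two, one of them SHA-1.
SAMPLE_DEBUG2 = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-rsa,rsa-sha2-256
debug2: ciphers ctos: aes256-ctr
debug2: ciphers stoc: aes256-ctr
debug2: MACs ctos: hmac-sha2-256
debug2: MACs stoc: hmac-sha2-256
"""


def parse_debug2(text):
    """Split 'ssh -vv' output into the client and server proposals."""
    proposals, side = {"client": {}, "server": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        m = re.match(r"debug2: ([A-Za-z ]+?): (\S+)$", line)
        if side and m and m.group(1) in DEBUG2_LABELS:
            proposals[side][DEBUG2_LABELS[m.group(1)]] = m.group(2).split(",")
    return proposals


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload (no packet framing); used to build test input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in FIELDS:
        names = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload, i.e. the bytes after the SSH binary packet header."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 1 + 16, {}  # skip the message id and the 16-byte cookie
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list: " + f)
        off += n
        lists[f] = raw.decode("ascii").split(",") if raw else []
    return lists


def negotiate(client, server):
    """Per RFC 4253: the first client entry that the server also offers is chosen."""
    chosen = {}
    for f in FIELDS[:6]:  # compression and language lists omitted here
        common = [a for a in client.get(f, []) if a in server.get(f, [])]
        if not common:
            raise ValueError("no common %s: client=%s server=%s"
                             % (f, client.get(f), server.get(f)))
        chosen[f] = common[0]
    return chosen


def weak_kex_offered(lists):
    """Weak key-exchange methods present in a proposal (per WEAK_KEX above)."""
    return [k for k in lists.get("kex", []) if k in WEAK_KEX]


if __name__ == "__main__":
    p = parse_debug2(SAMPLE_DEBUG2)
    print("negotiated:", negotiate(p["client"], p["server"]))
    print("weak KEX offered by server:", weak_kex_offered(p["server"]))
    print("server kex list via wire format:", parse_kexinit(build_kexinit(p["server"]))["kex"])
    try:  # server allowing only a method the client does not offer: fails at KEXINIT
        negotiate(p["client"], dict(p["server"], kex=["rsa1024-sha1"]))
    except ValueError as e:
        print("negotiation failed:", e)
```

With a capture instead of debug output, feed `parse_kexinit` the payload of each side's KEXINIT packet (Wireshark decodes the same ten name-lists under "Key Exchange Init"); the `ValueError` from `negotiate` reproduces the situation in the question, where the SFTP server's allowed KEX set and the client's offered set have no method in common.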

The ISE which is used is a Windows-based system. In this scenario, where should I check the settings?

You're using NCM (Network Configuration Manager) from SolarWinds to run an SFTP server - that runs on Windows. Ok. I am not too familiar with NCM, but the NCM system I have access to has a very primitive SFTP implementation. I don't see any nerd knobs to change much. All you can do is add user accounts and set a common base directory.

Perhaps consider using a more capable SFTP implementation - e.g. Linux.