ISE 2.3 Patch 4 SFTP Repository SSH issue.

vseward
Level 1

I have created a new SFTP repository on an ISE 2.3 Patch 4 primary admin node, both in the CLI and the GUI, and run the

Crypto host-key add host URL_of_SFTP server

And I get the error below when I try to validate the repository. What did I miss in the config?

Repository validation failed due to error - SSH connect error. Verify configuration


8 Replies

howon
Cisco Employee

Have you configured the SFTP server to accept requests from the ISE node? Also, check the ADE log (show logging system ade/ADE.log) for more information on why it failed.

Are you using the Microsoft version of the OpenSSH SFTP server by any chance? It's an option in Windows 10 and I suppose in some of the Server variants too, since Microsoft historically didn't support SFTP in its IIS server. In that case you need to fiddle around with the allowed cipher suites. ISE is a bit limited and does not support CTR ciphers, and you may have to tell your SFTP server to support some legacy ciphers like aes256-cbc, aes128-cbc etc.

The SFTP Server logs will probably reveal your problem.

The SFTP server is Red Hat 7.5 and the error in its log is:

Unable to negotiate with X.X.X.X port 48745: no matching cipher found. Their offer: aes256-cbc,aes128-cbc

That's ISE saying it will only use aes256-cbc or aes128-cbc. I don't know of any way to adjust the ISE cipher set, but this is certainly supported and modifiable in your Red Hat Linux. My Linux skills are rusty, but I think I would start in /etc/ssh/sshd_config.

There should be a Ciphers line that you can modify to include the two being suggested by ISE. It would appear that your new version of RHEL changed the default from the sshd man page, or someone modified the default. If aes256-cbc and aes128-cbc are still in there, then you might have something else handling this connection.


From the sshd man page:

Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are ''3des-cbc'', ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''. The default is:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
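
As an added example (not code from the thread), a small POSIX shell helper that checks an sshd_config on the SFTP server for the two ciphers ISE offered in the log line above and writes a corrected copy that appends them after the server's existing, stronger ciphers; the file paths and the CTR baseline used when no Ciphers line exists at all are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the sshd_config on
# the SFTP server allows the ciphers ISE offered in the log line quoted above
# and writes a corrected copy if it does not. File paths are assumptions.

ISE_CIPHERS="aes256-cbc,aes128-cbc"                # from "Their offer:" in the log
CTR_BASELINE="aes128-ctr,aes192-ctr,aes256-ctr"    # assumed server list if none is set

# Print the value of the first Ciphers directive (sshd honours the first one);
# print nothing if the file relies on the compiled-in default.
effective_ciphers() {
    grep -iE '^[[:space:]]*Ciphers[[:space:]]+' "$1" | head -n 1 | awk '{print $2}'
}

# Print the ISE ciphers missing from the server list, comma separated.
# Exit 0 when nothing is missing (ISE would connect), 1 otherwise.
missing_ciphers() {
    server=",$(effective_ciphers "$1"),"
    missing=""
    for c in $(printf '%s' "$ISE_CIPHERS" | tr ',' ' '); do
        case "$server" in
            *",$c,"*) ;;                              # already allowed
            *) missing="${missing:+$missing,}$c" ;;   # would be rejected
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Write a corrected copy of $1 to $2. Existing ciphers stay first and the
# missing CBC ones go last, so other clients keep negotiating CTR/GCM and only
# a client that offers nothing else, like this ISE, falls through to CBC.
fixed_config() {
    cfg="$1"; out="$2"
    missing=$(missing_ciphers "$cfg") || true
    if [ -z "$missing" ]; then
        cp "$cfg" "$out"                              # nothing to change
    elif [ -n "$(effective_ciphers "$cfg")" ]; then
        awk -v add="$missing" '!done && tolower($1)=="ciphers" {$2=$2 "," add; done=1} {print}' \
            "$cfg" > "$out"
    else
        { cat "$cfg"; printf 'Ciphers %s,%s\n' "$CTR_BASELINE" "$missing"; } > "$out"
    fi
}
```

Run `missing_ciphers /etc/ssh/sshd_config` first to see what sshd would reject, and validate the written copy with `sshd -t -f <copy>` before swapping it in and restarting sshd.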

hslai
Cisco Employee

Known limitation -- CSCum13116

Thanks for sharing that. Good to know it's tracked; hopefully it makes it into a future release.

pan
Cisco Employee

What do you see if you take a capture on ISE for the SFTP server? Is the three-way handshake getting completed?

Mike.Cifelli
VIP Alumni

So I posted this in another post relating to SCP ISE issues. See below; this may help you out:

Use this link to set up a remote SFTP Linux repo:

https://www.howtoforge.com/tutorial/how-to-setup-an-sftp-server-on-centos/


Don't forget to add the key to ISE:

ise/admin# configure terminal
ise/admin(config)# repository myrepository
ise/admin(config-Repository)# url sftp://ise
ise/admin(config-Repository)# host-key host ise


On your server you may see the following errors:

sshd[18546]: fatal: bad ownership or modes for chroot directory "/data/ise" [postauth]

sshd[18351]: fatal: no matching cipher found: client aes256-cbc,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com server aes128-ctr,aes192-ctr,aes256-ctr [preauth]


Double-check ownership on the directories you are writing to or pulling from. Also, if you need to tweak ciphers, modify your sshd_config.


Or if you want to use FTP you can do so this way (the process should be similar even if attempting to use SCP):

Make sure you create a local repo:
#conf t
#repository REPO
##url disk:


copy ftp://XXXXX/FILENAME disk:/

delete FILE disk:/


HTH!