ISE 2.6 SFTP Repository Public Key authentication for reporting

Paskl95
Level 1

Hi Guys,

I am struggling with the following topic and maybe someone has solved it already.

We have a distributed ISE environment. Our goal is to send automatic reports to a central sftp repository. Due to security standards, authentication for sftp is only possible via public key.

So far so good. When I export the public key from the GUI, the repository is accessible from the PAN. Also, when I execute a manual report it is working fine.

Somehow automatic reports are sent from one of the monitoring nodes, not from the PAN. Exporting to the repository always fails. I also tried to generate an ssh keypair via the CLI directly on the node, but also had no success exporting the report.


Has anyone had a similar problem?

1 Reply

Arne Bier
VIP

Hello @Paskl95 


What SSH server are you using? I was troubleshooting a similar issue today and my sftp server is CentOS running OpenSSH.

vi /etc/ssh/sshd_config

and then add the line

LogLevel DEBUG3

Save the config file and restart the daemon

systemctl restart sshd


The debug logs are found here in CentOS 7:

tail -f /var/log/secure

I noticed that ISE was failing to write to the repo when I generated the report because the sftp daemon could not locate the public key that was being sent by ISE (key not found).


The solution was to add the ISE CLI public key, as well as the public key exported from the GUI (they are not the same) - notice that for the same ISE node I have an 'admin' public key and a 'root' public key. Below is a redacted output from my ~/.ssh/authorized_keys file on my sftp server:

ssh-rsa AAAA**************blah******* admin@ise02
ssh-rsa AAAA**************blah****** root@ise02

I am no expert at this stuff, but it's quite rewarding when it does work. And luckily for me I was able to debug the SSH daemon and it was always 100% correct (and also very fussy with file and directory permissions - if these are not to its liking, then it will refuse to work).

chmod 700 ~/

chmod 700 ~/.ssh

chmod 600 ~/.ssh/authorized_keys


BTW, I am using ISE 2.6p7 and I am on a standalone node - not quite the same as you - but I think that you might have some luck with the debug?
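The checks from this reply as a script, added here as an example and not taken from the thread: it verifies the sftp account's home-directory permissions and that authorized_keys carries both the admin@<node> and root@<node> entries for an ISE node. It assumes Linux with GNU stat and builds throwaway fixture directories with placeholder key blobs.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): checks an sftp account's home the way
# the reply sets it up, i.e. the permissions sshd insists on and BOTH ISE keys
# (admin@<node> from the GUI, root@<node> from the CLI). Linux/GNU stat assumed.

# Succeeds when PATH is not group- or world-writable, which is what sshd's
# StrictModes requires of the home directory, ~/.ssh and authorized_keys.
not_group_world_writable() {
  case "$(stat -c '%A' "$1")" in
    ?????w*|????????w*) return 1 ;;   # 'w' at position 6 (group) or 9 (other)
    *) return 0 ;;
  esac
}

# check_ise_sftp_home HOME_DIR ISE_NODE: returns 0 only when every check passes.
check_ise_sftp_home() {
  home="$1"; node="$2"; ak="$1/.ssh/authorized_keys"; rc=0
  for p in "$home" "$home/.ssh" "$ak"; do
    [ -e "$p" ] || { echo "MISSING $p"; rc=1; continue; }
    not_group_world_writable "$p" || { echo "BAD mode $(stat -c '%a' "$p") on $p"; rc=1; }
  done
  [ -f "$ak" ] || return 1
  # The reply found sshd rejecting a key ISE presented ("key not found"), so
  # both the admin@ and the root@ comment lines for the node must be present.
  for who in admin root; do
    grep -Eq "^(ssh|ecdsa)-[^ ]+ [A-Za-z0-9+/=]+ ${who}@${node}\$" "$ak" \
      || { echo "MISSING ${who}@${node} key in $ak"; rc=1; }
  done
  return "$rc"
}

# make_fixture DIR NODE ok|nokey|perms: builds a constructed home directory so
# the check can be exercised offline (placeholder key blobs, not real keys).
make_fixture() {
  dir="$1"; node="$2"; kind="$3"; keys="$dir/.ssh/authorized_keys"
  mkdir -p "$dir/.ssh"
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB admin@%s\n' "$node" > "$keys"
  [ "$kind" = nokey ] || printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAC root@%s\n' "$node" >> "$keys"
  chmod 700 "$dir" "$dir/.ssh"; chmod 600 "$keys"
  [ "$kind" = perms ] && chmod 777 "$dir/.ssh"   # world-writable ~/.ssh: sshd refuses it
  return 0
}

# Demo: a healthy home, one missing the CLI key (the thread's failure), one with a bad ~/.ssh mode.
tmp=$(mktemp -d)
for kind in ok nokey perms; do
  make_fixture "$tmp/$kind" ise02 "$kind"
  if check_ise_sftp_home "$tmp/$kind" ise02; then echo "$kind: OK"; else echo "$kind: FAIL"; fi
done
rm -rf "$tmp"
```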