1273 Views | 0 Helpful | 2 Replies

ISE DH 2048 and safe/random prime number support

wenoonan
Cisco Employee

I have a customer that believes they have an enhancement request to submit. They are currently on ISE 2.3, and it appears that 2.3 only supports 1024-bit Diffie-Hellman groups and does not support the use of safe/random prime numbers. They are wondering whether this is supported in a later version and, if not, whether it is on a roadmap (and when). They are expecting something like toggles in the Admin|System|Settings|Security Settings screen where they could turn on 2048-bit groups and safe/random primes (if those are not the default settings to begin with). Thanks!

2 Accepted Solutions

Surendra
Cisco Employee
You can configure the key exchange algorithm used for SSH on ISE using the command "service sshd key-exchange-algorithm" under configuration mode in the CLI. ISE supports diffie-hellman-group14-sha1, which uses the 2048-bit MODP group.

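As an added example (not from this thread and not Cisco's code), here is a small Python audit that reads an SSH server's SSH_MSG_KEXINIT (RFC 4253 section 7.1) and flags fixed-group Diffie-Hellman methods with a modulus below 2048 bits, which is how you would verify what an ISE node actually offers after changing `service sshd key-exchange-algorithm`. The sample packet is constructed for offline use; `fetch_kexinit` is the live equivalent against a host you administer.

```python
"""Audit the DH groups an SSH server offers by parsing its SSH_MSG_KEXINIT."""
import socket
import struct

# Modulus size in bits for the fixed MODP groups behind common kex names
# (RFC 4253, RFC 8268). Group-exchange methods negotiate a size and are not listed.
DH_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group18-sha512": 8192,
}

def parse_kexinit(packet: bytes) -> list[str]:
    """Return the kex_algorithms name-list from a raw, unencrypted SSH binary packet."""
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != 20:  # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT message")
    # payload: msg type (1 byte) + cookie (16 bytes) + uint32 length + comma-separated names
    (n,) = struct.unpack(">I", payload[17:21])
    return payload[21:21 + n].decode("ascii").split(",")

def weak_dh_offers(kex_algorithms: list[str], min_bits: int = 2048) -> list[str]:
    """Fixed-group DH kex names whose modulus is smaller than min_bits (default 2048)."""
    return [k for k in kex_algorithms if k in DH_GROUP_BITS and DH_GROUP_BITS[k] < min_bits]

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Perform the version exchange and return the server's first binary packet (its KEXINIT)."""
    with socket.create_connection((host, port), timeout) as sock:
        f = sock.makefile("rb")
        f.readline()  # server identification string, e.g. SSH-2.0-...
        sock.sendall(b"SSH-2.0-kexaudit\r\n")  # our own identification string
        head = f.read(5)  # uint32 packet_length + byte padding_length
        (length,) = struct.unpack(">I", head[:4])
        return head + f.read(length - 1)

def build_kexinit(kex_algorithms: list[str]) -> bytes:
    """Constructed sample packet for offline testing: a KEXINIT carrying only the kex name-list."""
    names = ",".join(kex_algorithms).encode("ascii")
    payload = bytes([20]) + b"\x00" * 16 + struct.pack(">I", len(names)) + names
    padding = b"\x00" * 4  # real servers align to the cipher block size; irrelevant to the parser
    return struct.pack(">IB", 1 + len(payload) + len(padding), len(padding)) + payload + padding

if __name__ == "__main__":
    sample = build_kexinit(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"])
    print("weak DH groups offered:", weak_dh_offers(parse_kexinit(sample)))
```

Against a live node, replace the constructed sample with `parse_kexinit(fetch_kexinit("ise.example.internal"))`; an empty result from `weak_dh_offers` means no sub-2048-bit fixed group is offered.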

hslai
Cisco Employee

As Surendra suggested, SSH to ISE admin CLI has the option.

For other areas in ISE, it is a roadmap item but not high priority, since breakage on > 1024 is deemed to require nation-state resources. If you have other concerns, please discuss with the PM team.

