Repository validated on Cisco ISE GUI, backup is working fine, but CLI is throwing error "repository could not be accessed"

kamil.alam
Level 1

Hello Community Member,

 

I need a quick resolution on one issue. We were running Cisco ISE version 2.6 on SNS hardware and we tried a patch update from the PAN node; however, for one node it shows not installed in the status. Is there any way we can install the node via the GUI (distributed deployment)?

Hence we were trying to install the patch via SFTP. SFTP is validated on the GUI, but the CLI states the repository can't be accessed.

Since the SFTP is a SolarWinds application, we can't amend the host key. Please suggest at the earliest.


Accepted Solutions

hslai
Cisco Employee

Likely this is because the key pair generated earlier is for “root” and good for ISE admin web access only and because the ISE admin CLI is under the logged-in “admin” CLI user. Thus, we need to generate a separate key-pair for ISE admin CLI use. For example,

Generate the key-pair for ISE CLI admin and export it to the repository ftpAdminRW.

ise-1/admin# crypto key generate rsa passphrase myPass4FTP
ise-1/admin# crypto key export adminRSAkey repository ftpAdminRW

 

12 Replies

Hi,

You need to add the host key from the CLI of ISE.

  • Login to the CLI of the ISE node
  • From the EXEC prompt, type crypto host_key add host

Also check out the first section of this guide; this should help you.

 

HTH

 

 

The problem is the repository is SolarWinds SFTP; we can't import the host key. The strange part is that from the GUI the repository is validated and the backup worked as expected.

Since we had install the patches via CLI, the repository is getting and I can't install the patch. I have transferred the file to the SFTP server using WinSCP.

You don't import the host key in the SolarWinds application, you just need to import the host key using the ISE CLI on each of the ISE nodes. Why not just upload on the ISE GUI? - Navigate to Administration > Maintenance > Patch Management on the PAN and upload the patch file.

How do I import the host key using the command? Through the GUI the patch got pushed and the node got installed with patch 1; however, it failed for 1 node, that's why I am using the CLI to install the patch.


@Rob Ingram wrote:
You don't import the host key in the SolarWinds application, you just need to import the host key using the ISE CLI on each of the ISE nodes. Why not just upload on the ISE GUI? - Navigate to Administration > Maintenance > Patch Management on the PAN and upload the patch file.

 

Hi kamil,

Did you get a solution for your issue? I have got a similar situation.

thomas
Cisco Employee

The ISE Administrator Guide's section for Create Repositories is pretty clear on the steps needed with an SFTP repository:

-----

You can use the CLI and GUI to create repositories. We recommend that you use the GUI due to the following reasons:

  • Repositories that are created through the CLI are saved locally and do not get replicated to the other deployment nodes. These repositories do not get listed in the GUI’s repository page.

  • Repositories that are created on the Primary PAN get replicated to the other deployment nodes.

The keys are generated only at the Primary PAN on GUI, and so during upgrade you need to generate the keys again at GUI of new primary admin and export it to the SFTP server. If you take the nodes out of the deployment, you need to generate the keys on GUI of non-admin nodes and export it to the SFTP server.

You can configure an SFTP repository in Cisco ISE with RSA public key authentication. Instead of using an administrator-created password to encrypt the database and logs, you can choose the RSA public key authentication that uses secure keys. In case of SFTP repository created with RSA public key, the repositories created through the GUI do not get replicated in the CLI and the repositories created through the CLI do not get replicated in the GUI. To configure same repository on the CLI and GUI, generate RSA public keys on both CLI and GUI and export both the keys to the SFTP server.

Before you begin

  • To perform the following task, you must be a Super Admin or System Admin.

  • If you want to create an SFTP repository with RSA public key authentication, ensure that you:

    • Enable RSA public key authentication in the SFTP repository.

    • Enter the host key of the SFTP server from the Cisco ISE CLI using the crypto host_key add command. The host key string should match the hostname that you enter in the Path field of the repository configuration page.

    • Generate the key pairs and export the public key to your local system from the GUI. From the Cisco ISE CLI, generate the key pairs using the crypto key generate rsa passphrase test123 command, where, passphrase must be greater than four letters, and export the keys to any repository (local disk or any other configured repository).

    • Copy the exported RSA public key to the PKI-enabled SFTP server and add it to the "authorized_keys" file.

Hi Thomas,
Thank you very much for your quick reply. I already created the repository on the GUI. Validation is successful too. I had used the "crypto host-key add" command. I can create backups via the GUI to the SFTP server (Winsolar/ with encryption key) and I can see the files from the ISE GUI, but when I tried a restore from the GUI it fails.

On the CLI I get the following answer:

ise01/admin# sh repo Backup
% Error: Repository Backup could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).
% SSH connect error


%% Operation restore status
%% ------------------------
% No data found. Try 'show restore history' or ISE operation audit report
cise01/admin# show restore status
%% Configuration restore status
%% ----------------------------
% backup name: ise_backup-CFG10-200401-0200.tar.gpg
% repository: Backup
% start date:
% scheduled: no
% triggered from: Admin web UI
% host:
% status: Restore failed: copy from repository failed

I had changed the repository password, but it did not work. So I deleted and created the repository again, with the same result.
Do you have any other ideas?
Many thanks in advance

 

Hi @Sang1,
I'm a beginner and I have the same issue. Have you found any solution? Thanks in advance for sharing if yes.

hslai
Cisco Employee

Likely this is because the key pair generated earlier is for “root” and good for ISE admin web access only and because the ISE admin CLI is under the logged-in “admin” CLI user. Thus, we need to generate a separate key-pair for ISE admin CLI use. For example,

Generate the key-pair for ISE CLI admin and export it to the repository ftpAdminRW.

ise-1/admin# crypto key generate rsa passphrase myPass4FTP
ise-1/admin# crypto key export adminRSAkey repository ftpAdminRW
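
The situation described in this thread (the GUI-exported key is authorized on the SFTP server but the CLI admin key is not) can be checked from the server side. This is an added example, not part of the original posts or Cisco's documentation; it assumes an OpenSSH-style authorized_keys file, and the key lines, labels and helper names are constructed for the demo.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def parse_pubkey_line(line):
    """Return (key_type, blob) from a public-key or authorized_keys line, else None."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options may precede the key type, so scan for the first known type token.
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            # A valid blob begins with a length-prefixed copy of the key type.
            n = int.from_bytes(blob[:4], "big")
            return (field, blob) if blob[4:4 + n] == field.encode() else None
    return None

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit(authorized_keys_text, expected):
    """expected maps label -> exported public key line; returns label -> present?"""
    parsed = [parse_pubkey_line(l) for l in authorized_keys_text.splitlines()]
    present = {fingerprint(p[1]) for p in parsed if p}
    result = {}
    for label, line in expected.items():
        key = parse_pubkey_line(line)
        result[label] = key is not None and fingerprint(key[1]) in present
    return result

def demo_rsa_line(modulus, comment):
    """Build a syntactically valid ssh-rsa line from a toy number (constructed, not a real key)."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    def mpint(n):
        return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

GUI_KEY = demo_rsa_line((1 << 2047) + 0x1111, "ise-gui-export")        # constructed
CLI_KEY = demo_rsa_line((1 << 2047) + 0x2222, "ise-cli-admin-export")  # constructed
AUTHORIZED_KEYS = "# constructed sample: only the GUI key was added\nno-pty " + GUI_KEY + "\n"
if __name__ == "__main__":
    print(audit(AUTHORIZED_KEYS, {"gui": GUI_KEY, "cli": CLI_KEY}))
```

With the sample file the audit reports the GUI key as present and the CLI key as missing, which matches the symptom of GUI validation succeeding while the CLI reports an SSH connect error.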

 

Good explanation, but still GUI validation works, not CLI.

Yes, restarting the ISE application resolved the issue. Try once and let me know.

andynguyen01
Level 1

Hi,

I got the same error message. 

SOLUTION FOR MY CASE: Upgraded SCP/SFTP server to a newer version. I am using the SolarWinds SCP/SFTP FREE version from the SolarWinds website.

Hope this helps.