SFTP transfer from Linux to ISE repository

I have set up an sftp server on a RHEL 6 machine. The usual command at the ISE CLI of:

copy sftp://<sftp server address>/<upgrade file to 2.4> disk:/disk2:/

does not work and replies with the error message of:

[error] sftp_read Error: read failed

[debug] sftp parent status -306

[error] SFTP get error: No such file or directory (The file name was copy and pasted directly to the command line)

The disk:/ repository has these characteristics:

Protocol: disk, Host: none, Path /

The disk2:/ repository has these characteristics:

Protocol: sftp, Host: <sftp server address>, Path /

I am thinking that I have not done some preliminary steps that I find here:

"Create Repositories

...

Before you begin

  • To perform the following task, you must be a Super Admin or System Admin.
  • If you want to create an SFTP repository with RSA public key authentication, ensure that you:
    • Enable RSA public key authentication in the SFTP repository. See Enable RSA Public Key Authentication in SFTP Repository for information.
    • Enter the host key of the SFTP server from the Cisco ISE CLI using the crypto host_key add command. The host key string should match the hostname that you enter in the Path field of the repository configuration page.
    • Generate the key pairs and export the public key to your local system from the GUI. From the Cisco ISE CLI, generate the key pairs using the crypto key generate rsa passphrase test123 command, where the passphrase must be greater than four letters, and export the keys to any repository (local disk or any other configured repository).
    • Copy the exported RSA public key to the PKI-enabled SFTP server and add it to the "authorized_keys" file."

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010…

I have completed the "Enable RSA public key authentication in the SFTP repository.", but the rest assumes that I have done this a lot. Can anyone provide an interpretation of this? A step by step procedure saying which command line is operated on (RHEL 6 vs ISE) each time would be most helpful. Cisco documentation leaves a lot to be desired here.

Example: "Enter the host key of the SFTP server from the Cisco ISE CLI using the crypto host_key add command" - Enter the output of this command ... (where? enter it where?) I would prefer to just use username and password vice the full blown certificate public private method. I just want to get the file into a repository and then remove sftp from the RHEL machine.

Accepted Solutions
VIP Advocate

Re: SFTP transfer from Linux to ISE repository

Sounds quite involved. In simple terms, if you spin up an SFTP server (whether Linux or Windows based) and you can access it normally via, say, WinSCP or FileZilla (for the Windows folks ;-) then you're in good shape.

In ISE the process is relatively simple. If you want to interface with your SFTP server then you can configure one ISE node via the CLI, but then that config only lives on that node and is not replicated to the rest of the deployment. If, on the other hand, you create the repo in the PAN GUI, then all nodes will have the repo. BUT - you still need to issue the 'crypto' command on any of the nodes in order to finish off the process (the repo config on its own is not sufficient for sftp!)

sco8834ise400/admin# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

sco8834ise400/admin(config)# repository mysftp

sco8834ise400/admin(config-Repository)# url sftp://10.230.4.2/ConfigBackups
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes. If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.

sco8834ise400/admin(config-Repository)# user ise password plain mypassword
sco8834ise400/admin(config-Repository)# end
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.

sco8834ise400/admin# crypto host_key add host 10.230.4.2
host key fingerprint added
# Host 10.230.4.2 found: line 1
10.230.4.2 RSA SHA256:iFaGR0xy3agWhimf0Lm7srByl6qG6wUz1gAza9iq6FU

Test the repo with the show command

sco8834ise400/admin# show repository mysftp
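The fingerprint that 'crypto host_key add' prints is taken on trust from whatever answered at that address, so it is worth comparing it with the SFTP server's own host key before the repository is used. The following is an added Python example, not code from the thread or from Cisco: it recomputes OpenSSH's SHA256 fingerprint from a public key line (handy on hosts such as RHEL 6 whose ssh-keygen only prints the older MD5 form) and checks it against the value the ISE node reported. The key blob and hostname are constructed dummies; the reported fingerprint is the one from the session above.

```python
import base64
import hashlib

# Constructed stand-in for the server's /etc/ssh/ssh_host_rsa_key.pub: the blob is in
# ssh-rsa wire format (type string, exponent, modulus) but the numbers are dummies.
def _ssh_string(data):
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + bytes(range(1, 65))))
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@sftp-host"

# The value the ISE node printed after 'crypto host_key add' in the accepted solution.
ISE_REPORTED = "SHA256:iFaGR0xy3agWhimf0Lm7srByl6qG6wUz1gAza9iq6FU"


def key_blob(pubkey_line):
    """Decode the base64 field of a one-line public key (the file's second column)."""
    return base64.b64decode(pubkey_line.split()[1])


def key_type(pubkey_line):
    """Read the key type embedded at the start of the blob; it must agree with column one."""
    blob = key_blob(pubkey_line)
    length = int.from_bytes(blob[:4], "big")
    return blob[4:4 + length].decode()


def sha256_fingerprint(pubkey_line):
    """OpenSSH's SHA256 fingerprint: base64 of SHA-256 over the raw blob, '=' padding removed."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches(pubkey_line, reported):
    """True only when the fingerprint ISE reported is exactly this key's fingerprint."""
    return key_type(pubkey_line) == pubkey_line.split()[0] and sha256_fingerprint(pubkey_line) == reported


if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PUBKEY_LINE), "matches ISE:", matches(SAMPLE_PUBKEY_LINE, ISE_REPORTED))
```

Run it against the real /etc/ssh/ssh_host_rsa_key.pub on the SFTP server; a mismatch means ISE recorded a key that is not the server's and the host entry should not be trusted.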

Re: SFTP transfer from Linux to ISE repository

@Arne Bier - That got me much closer than before. Here are the results:

admin# show repository mysftp

% SSH connect error

admin# ssh <host address> <user name>

Failed to establish session with <host address>

no matching cypher found with <host address>: client aes256-cbc,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com server ,aes128-ctr,aes192-ctr,aes256-ctr

VIP Advocate

Re: SFTP transfer from Linux to ISE repository

If you have access to the remote system then have a look at the cipher negotiation. E.g. on a typical Linux distro the /etc/ssh/sshd.conf contains something like this

# Ciphers and keying

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

You can also inspect the sshd log file (tail -f /var/log/messages). Below is the extract from the remote Linux host when I perform the ssh command from the ISE node. I don't log in - it's just waiting for credentials

2018-06-14T08:16:34.873513+10:00 host123 audispd: node=host123.my.domain type=CRYPTO_SESSION msg=audit(1528928194.857:194012): pid=15624 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-cbc ksize=256 mac=hmac-sha2-512 pfs=curve25519-sha256 spid=15625 suid=74 rport=30999 laddr=10.230.4.2 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.230.4.3 terminal=? res=success'
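To see why the session in the previous reply fails and what each server-side change would actually negotiate, here is an added Python example (my own, not from the thread) that applies the SSH cipher-selection rule to the lists in that error message and to the Ciphers line shown above; it also tries a CBC-free variant, since the ISE node offers the GCM suites as well. The host address is a placeholder and the sshd_config fragments are constructed.

```python
import re

# Constructed from the "no matching cypher found" line quoted earlier in this thread:
# the host address is a placeholder, the two cipher lists are the ones the ISE node reported.
ERROR_LINE = ("no matching cypher found with <host address>: "
              "client aes256-cbc,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com "
              "server ,aes128-ctr,aes192-ctr,aes256-ctr")

# Constructed sshd_config fragments: a CTR-only server, the Ciphers line posted above
# (adds CBC), and a CBC-free alternative using the GCM suites the ISE node also offers.
CTR_ONLY_CONFIG = "# Ciphers and keying\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n"
THREAD_FIX_CONFIG = ("# Ciphers and keying\n"
                     "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n")
GCM_CONFIG = ("# Ciphers and keying\n"
              "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\n")


def parse_mismatch(line):
    """Split the client and server cipher lists out of the mismatch message.

    The server list in the thread begins with a stray comma, so empty names are dropped.
    """
    m = re.search(r"client (\S*) server (\S*)", line)
    if not m:
        raise ValueError("not a cipher-mismatch message")
    client = [c for c in m.group(1).split(",") if c]
    server = [c for c in m.group(2).split(",") if c]
    return client, server


def sshd_ciphers(config_text):
    """Return the list from the first 'Ciphers' directive; sshd ignores later duplicates."""
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return []


def negotiate(client, server):
    """RFC 4253 section 7.1: pick the client's first preference that the server also lists."""
    for algo in client:
        if algo in server:
            return algo
    return None


def diagnose(error_line, config_text):
    """Cipher the ISE node would get against this sshd_config, or None if it would still fail."""
    return negotiate(parse_mismatch(error_line)[0], sshd_ciphers(config_text))
```

Because the client lists CBC first, the posted fix negotiates aes256-cbc; adding only the GCM suites instead yields aes128-gcm@openssh.com and avoids re-enabling CBC on the server. Either way sshd must be reloaded and existing clients re-checked.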

Cisco Employee

Re: SFTP transfer from Linux to ISE repository

Also take a look at CSCum13116


Re: SFTP transfer from Linux to ISE repository

Yes, CSCum13116 is the real answer.