03-06-2018 11:39 AM
Hello Guys and Gals,
I have a question regarding supported ISE ciphers.
To make a long story short, we have been unable to save to our repository since we migrated over to our new Toolbox Server. The TAC engineer stated that ciphers were at fault here, so we are asking whether ISE supports the following ciphers:
srmcucsisepanad01/admin# ssh 10.32.3.11 NetOpsFTP
Unable to negotiate with 10.32.3.11 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr
Is there a way we can add these ciphers to ISE? If not, can we have a list of the ciphers that are supported so we can adjust on our end?
Thanks,
-Robert
03-06-2018 12:39 PM
I believe you are hitting this known issue -- CSCum13116
Please work with Cisco TAC and see if it helps by adding the ciphers in ISE temporarily.
12-19-2018 08:00 PM
Hi @hslai and rob.alvarado@live.com
My customer ran into this same issue. Their SFTP server is a Microsoft box running OpenSSH. I was able to reproduce this in the lab using the Windows 10 SFTP implementation (which now comes free with Windows 10).
Incidentally, I have never seen this issue with Linux-based SSHD implementations (because, I assume, they leave a lot of the legacy ciphers enabled).
I tested this in my lab, and the only change I made to my Windows OpenSSH sshd_config file was to add the line below – it leaves the other ciphers in place and only adds one more (for ISE):
ciphers +aes256-cbc
I did enable the debugging directive too:
LogLevel DEBUG
Because this was a fresh install, I didn’t change any other lines of the config file.
By the way, I found two config files in two different locations! Don’t be fooled – the one that the Windows service uses (in my case) was here:
C:\ProgramData\ssh\sshd_config
And you should be able to view the log (very useful when combined with the DEBUG level enabled) here:
C:\ProgramData\ssh\logs\sshd.log
08-31-2021 08:45 PM
Hi all,
Just wanted to share how I resolved the issue with the help from Cisco TAC.
First of all, SFTP works like SSH, using port 22. If SFTP does not work, ssh will not work either.
By accident I found that my secondary node had no issue with ssh. That prompted me to look at the difference in ssh settings between these two nodes, and I found the only difference was that the following line was missing from the ssh_config on the primary node:
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
After adding the above line, saving the file and restarting the sshd service, ssh started to work, and SFTP has also worked from then on.
To change the ssh_config file, you will need Cisco TAC's help to install two special patches that allow you to get root access.
If you have already enabled root access, then do the following steps:
1. Cisco-ISE-ABC#root
type the password you set up when enabling root access,
2. ade#cd /etc/ssh
vi ssh_config
3. Add the line below to the file right under line 41, without the #. I guess it can go anywhere around that area, as the lines there are all commented.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
4. Save the change and restart the sshd service with the command below:
systemctl restart sshd
Test your ssh access and sftp; you will be happy again.
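Both fixes in this thread change which side of the SSH cipher negotiation gives way: the 12-19-2018 post adds aes256-cbc to the server's offer, the 08-31-2021 post adds the CTR ciphers to the ISE client's Ciphers line. The following is an added example (not code from the thread, from Cisco ISE or from OpenSSH) that replays the negotiation behind the first post's "no matching cipher found. Their offer: ..." message and can also fetch a live server's offer so you can see it before pointing ISE at a repository. The ISE client's own cipher list (ISE_CLIENT_ASSUMED) is an assumption: the thread only shows that it lacks the CTR modes and that aes256-cbc satisfies it. Of the two fixes, enabling CTR on the client is the better one; SSH CBC modes carry a known plaintext-recovery weakness (CVE-2008-5161), which is why current OpenSSH leaves them disabled by default.

```python
"""SSH2 cipher-negotiation checker. Added example, not code from the thread, Cisco ISE
or OpenSSH: parse_kexinit() decodes SSH_MSG_KEXINIT (RFC 4253 7.1) and negotiate()
applies its rule: the first algorithm in the client's list the server also lists wins."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
# Constructed from the thread: the server's offer exactly as the ISE error printed it.
SERVER_OFFER = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
# Assumption: the ISE ssh client's own list (thread only shows it lacks CTR; order is a guess).
ISE_CLIENT_ASSUMED = ["aes256-cbc", "aes128-cbc", "3des-cbc"]
# The client-side Ciphers line from the 08-31-2021 post.
ISE_CLIENT_PATCHED = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]

def kexinit_fields(ciphers):
    """A complete KEXINIT field set carrying the given cipher list."""
    return {
        "kex_algorithms": ["curve25519-sha256"],
        "server_host_key_algorithms": ["ssh-ed25519"],
        "encryption_algorithms_client_to_server": ciphers,
        "encryption_algorithms_server_to_client": ciphers,
        "mac_algorithms_client_to_server": ["hmac-sha2-256"],
        "mac_algorithms_server_to_client": ["hmac-sha2-256"],
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
    }

def build_kexinit(fields):
    """Encode: msg id, 16-byte cookie (zero here; this is not a real key exchange),
    ten name-lists, first_kex_packet_follows=FALSE, uint32 reserved."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        nl = ",".join(fields.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(nl)) + nl
    return body + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, out = 17, {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += 4 + n
        out[name] = [a for a in raw.decode("ascii").split(",") if a]
    return out

def negotiate(client_list, server_list):
    """First client-preferred algorithm the server also supports, else None
    (None is the case the client reports as 'no matching cipher found')."""
    server = set(server_list)
    return next((a for a in client_list if a in server), None)

def frame_packet(payload, block=8):
    """Binary packet framing (RFC 4253 6) before any cipher is in effect: uint32
    packet_length, byte padding_length, payload, >=4 bytes padding, total % 8 == 0."""
    pad = block - (len(payload) + 5) % block
    if pad < 4:
        pad += block
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad

def probe(host, port=22, timeout=5.0):
    """Live check: exchange banners, send our KEXINIT, return the server's lists."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # RFC 4253 4.2 allows pre-banner lines
            line = f.readline()
        if not line:
            raise ConnectionError("no SSH banner received")
        s.sendall(b"SSH-2.0-cipherprobe\r\n")
        s.sendall(frame_packet(build_kexinit(kexinit_fields(ISE_CLIENT_PATCHED))))
        length, pad = struct.unpack(">IB", f.read(5))
        return parse_kexinit(f.read(length - 1)[:length - 1 - pad])

def demo():
    """Offline replay of the three situations in the thread."""
    c2s = parse_kexinit(build_kexinit(kexinit_fields(SERVER_OFFER)))[KEXINIT_FIELDS[2]]
    return {
        "as_reported": negotiate(ISE_CLIENT_ASSUMED, c2s),
        "server_adds_cbc": negotiate(ISE_CLIENT_ASSUMED, c2s + ["aes256-cbc"]),
        "client_adds_ctr": negotiate(ISE_CLIENT_PATCHED, c2s),
    }

if __name__ == "__main__":  # python3 cipherprobe.py [sftp-host]
    print(demo())
    if len(sys.argv) > 1:
        print(probe(sys.argv[1])["encryption_algorithms_client_to_server"])
```

Run it with no arguments for the offline replay, or with a host name to print that server's client-to-server cipher list (the same information `ssh -vv` or `nmap --script ssh2-enum-algos` would give you). "Their offer" in the ISE error is the server's encryption_algorithms_client_to_server list; RFC 4253 negotiates each direction separately, so check both lists if a server is configured asymmetrically.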