Catalyst support for strong key exchange algorithms

tthomas
Level 1

Windows 11 (cli) no longer negotiates ssh with our Cisco C1000 catalyst switches without a workaround:
  ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -c aes256-ctr <username>@<ip address>

but after researching, it appears that Microsoft is doing this because the diffie-hellman algorithms are no longer current/secure enough to support.

1. Is there a way to get the C1000 to support more current algorithms that Windows 11 does support natively in the cmd window?
2. Is this only a problem with the C1000 line, in other words, do other catalyst switches support more current algorithms?

Thanks

4 Replies

balaji.bandi
Hall of Fame

Check the cipher support; it depends on the version of code you are using.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst1000/software/releases/15_2_7_e/configuration_guides/sec/b_1527e_security_c1000_cg/configuring_ssh.html

show ip ssh shows you what ciphers are supported; use SSH v2.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your quick reply BB.

We are already on ssh v2, and when I do show ip ssh, I only see "KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"

My main question was - can I add more secure key exchange algorithms to this switch, or are they "baked into" the IOS? Also, the second part of that was - what catalyst switch would I need to upgrade to in order to be current?
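The KEX list that show ip ssh reports is the same list the switch advertises in its SSH_MSG_KEXINIT, so it can be audited from any host with a raw socket, before any login. The following is an added example, not code from the thread or from Cisco; the host and port arguments are assumptions, and the sample packet is constructed from the two algorithms quoted above.

```python
import socket
import struct

# KEX methods that current OpenSSH clients (including the one Windows 11 ships)
# no longer offer by default; a server offering only these cannot negotiate
# without the -oKexAlgorithms=+... workaround from the question.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}

def _namelist(s: str) -> bytes:
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII."""
    return struct.pack(">I", len(s)) + s.encode("ascii")

def parse_kexinit(packet: bytes) -> dict:
    """Parse a raw SSH binary packet carrying SSH_MSG_KEXINIT (RFC 4253 s7.1);
    each name-list is returned as a list in the server's preference order."""
    (length,) = struct.unpack(">I", packet[:4])
    padding = packet[4]
    payload = packet[5:4 + length - padding]
    if payload[0] != 20:  # SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT packet")
    pos, out = 17, {}  # skip the message id and the 16-byte cookie
    for name in ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                 "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"):
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += 4 + n
    return out

def weak_kex(kex: list) -> list:
    """Return the offered KEX methods a default OpenSSH client will reject."""
    return [k for k in kex if k in LEGACY_KEX]

def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Do the version exchange, then read the server's KEXINIT off the wire."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        f.readline()  # server identification string, not needed here
        s.sendall(b"SSH-2.0-kexprobe\r\n")
        head = f.read(4)  # packet_length of the first binary packet
        if len(head) < 4:
            raise ConnectionError("server closed before sending KEXINIT")
        body = f.read(struct.unpack(">I", head)[0])
        return parse_kexinit(head + body)

# Constructed sample packet carrying exactly the KEX list quoted from "show ip ssh".
SAMPLE_PAYLOAD = (bytes([20]) + bytes(16)
    + _namelist("diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1")
    + _namelist("ssh-rsa") + _namelist("aes256-ctr") * 2 + _namelist("hmac-sha1") * 2
    + _namelist("none") * 2 + _namelist("") * 2 + b"\x00" + bytes(4))
SAMPLE_PACKET = struct.pack(">IB", len(SAMPLE_PAYLOAD) + 5, 4) + SAMPLE_PAYLOAD + bytes(4)
```

Run weak_kex(probe("<ip address>")["kex"]) against a switch; an empty result means a stock Windows 11 client will negotiate without the workaround.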

If you have the option to add ciphers, as in the URL I suggested, and you get the option, you can add them with the command.

Look at "Restrictions for Configuring Secure Shell".

 what catalyst switch would I need to upgrade to in order to be current?

Cat 9200 for Layer 2, Cat 9300 more advanced options.

BB

tthomas
Level 1

Also, an internal vulnerability scan by an auditor stated that we needed to "Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater." Is there a config change that can require this?
