RCA-2026-03-16-002: Analysis

Root Cause

The Problem

SSH config file structure:

Host *                          # Line ~50 - FIRST MATCH
    PasswordAuthentication no   # Sets this for ALL hosts
    PreferredAuthentications publickey
    ...

Host ise-01 ise-02              # Line ~200 - TOO LATE
    PasswordAuthentication yes  # IGNORED - already set above
    PreferredAuthentications keyboard-interactive,password

SSH Config Processing Rules

SSH config uses first-match-wins semantics for each option:

  1. SSH reads config top to bottom

  2. For each option, the FIRST value found is used

  3. Later values for the same option are IGNORED

  4. Host * matches everything - if it comes first, it wins

Root Cause Statement

Device-specific SSH authentication settings were overridden by global Host * defaults because the global block appeared before the specific host blocks in the config file.
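Added example (not part of the RCA): a small simulation of OpenSSH's first-match-wins resolution over a constructed config that reproduces the ordering above. `parse_blocks`, `effective_option` and `move_wildcard_last` are hypothetical helpers; the model is simplified (no `!` negation, `Match` blocks or `Include`), but it shows why ise-01 resolves to `PasswordAuthentication no` and how placing the specific blocks ahead of `Host *` fixes it.

```python
"""Simulate ssh_config option resolution: first matching Host block wins."""
import fnmatch

# Constructed sample reproducing the RCA ordering: "Host *" comes first.
BROKEN_CONFIG = """
Host *
    PasswordAuthentication no
    PreferredAuthentications publickey

Host ise-01 ise-02
    PasswordAuthentication yes
    PreferredAuthentications keyboard-interactive,password
"""


def parse_blocks(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Within a block the first occurrence of an option is kept, as ssh does.
    """
    blocks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key, value.strip())
    return blocks


def effective_option(blocks, host, option):
    """Mimic ssh(1): scan top to bottom; the first matching block that
    sets the option decides it, later blocks are ignored."""
    option = option.lower()
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            if option in opts:
                return opts[option]
    return None  # fall through to the compiled-in default


def move_wildcard_last(blocks):
    """The corrective ordering: device-specific blocks first, 'Host *' last."""
    specific = [b for b in blocks if b[0] != ["*"]]
    wildcard = [b for b in blocks if b[0] == ["*"]]
    return specific + wildcard
```

With the constructed config, `effective_option(parse_blocks(BROKEN_CONFIG), "ise-01", "PasswordAuthentication")` returns `"no"`, and the same lookup on `move_wildcard_last(...)` returns `"yes"` while other hosts still get the `Host *` defaults.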

ISE SSH Limitations

Cisco ISE does NOT support SSH certificates (Vault SSH CA).

ISE is a closed appliance with limited SSH implementation:

  • Pass: password authentication

  • Pass: public key authentication (limited)

  • Fail: SSH certificates

  • Fail: GSSAPI/Kerberos

  • Fail: certificate-based authentication

For ISE, password auth is the only reliable option.