service password-encryption | not encrypting all passwords

Feb 5th, 2008

Here is a snip of the config:



routerA#sh ver
Cisco Internetwork Operating System Software
IOS (tm) MSFC2 Software (C6MSFC2-PSV-M), Version 12.1(20)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 24-Oct-03 20:16 by hqluong
Image text-base: 0x40008F90, data-base: 0x41902000

ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
BOOTLDR: MSFC2 Software (C6MSFC2-BOOT-M), Version 12.1(20)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

//----snip----//

! Last configuration change at 15:34:17 EST Mon Feb 4 2008 by rmorris
! NVRAM config last updated at 23:48:22 EST Fri Feb 1 2008
!
version 12.1
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
enable secret xxx
!
username testuser privilege 15 secret xxx


As you can see, the passwords get encrypted; however, in the TACACS config they do not:


tacacs-server host 10.1.1.206 key T@[email protected]+
tacacs-server host 10.1.1.207 key T@[email protected]+


In some of our switches we can encrypt.


routerA(config)#tacacs-server ?
  administration      Start tacacs+ deamon handling administrative messages
  attempts            Number of login attempts via TACACS
  directed-request    Allow user to specify tacacs server to use with `user@server'
  dns-alias-lookup    Enable IP Domain Name System Alias lookup for TACACS servers
  host                Specify a TACACS server
  key                 Set TACACS+ encryption key.
  packet              Modify TACACS+ packet options
  timeout             Time to wait for a TACACS server to reply

routerA(config)#tacacs-server key ?
  LINE  Encryption key string

routerA(config)#tacacs-server key


As you can see in this IOS version it does not give the option to choose to encrypt. Is there something I am doing wrong or is it just the version of IOS code?


I am making the assumption it is the IOS but wanted to see if anyone else might know.


Here is a config from another switch that does allow that option for encryption:


HPTMDF01(config)#tacacs-server key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key

HPTMDF01(config)#tacacs-server key

HPTMDF01#sh ver
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.2(25)EWA8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:18 by pwade
Image text-base: 0x10000000, data-base: 0x114EECF0

ROM: 12.1(12r)EW
Dagobah Revision 95, Swamp Revision 24

HPTMDF01 uptime is 2 weeks, 2 days, 18 hours, 58 minutes
Uptime for this control processor is 2 weeks, 2 days, 18 hours, 59 minutes
System returned to ROM by power-on
System restarted at 14:21:35 EST Sat Jan 19 2008
Running default software

cisco WS-C4507R (MPC8245) processor (revision 5) with 524288K bytes of memory.

yjdabear Wed, 02/06/2008 - 08:11

Have you tried unconfiguring the tacacs-server key and then reconfiguring it? If it remains unencrypted, then the answer is: prior to 12.2, the tacacs-server key does not get encrypted by "service password-encryption".

Rick Morris Wed, 02/06/2008 - 08:15

Yes, I have tried that. I even cut and pasted a known encrypted key CLI line from a template I use, and it does not encrypt the password; it takes it as literal text, not as encrypted text.


I assumed as much but wanted to check.


thanks

Richard Burts Wed, 02/06/2008 - 21:24

Rick


I have bumped into this several times and it is absolutely a question of which version of code you are running.


In earlier versions of IOS, password-encryption did encrypt some passwords, such as the vty passwords, but it left other passwords, such as the TACACS server password, in the clear. In later versions of code, other passwords (especially including the TACACS server password) became processed by the password-encryption command. You are obviously running a version of code that does not encrypt TACACS passwords, and nothing that you can do (other than a code upgrade) will get your device to understand about encryption of the TACACS server password.


HTH


Rick
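Since the only fix on older code is an upgrade, the practical step in the meantime is to audit configs for keys that stayed in cleartext. The following Python script is an added example, not from this thread or from Cisco: it scans a constructed sample running-config (placeholder keys and hashes) and flags tacacs-server, radius-server and line password statements whose type marker is absent or 0, regardless of whether service password-encryption is present.

```python
import re

# Constructed sample running-config modelled on the snippets in this thread.
# Key strings and hashes are placeholders, not real values.
SAMPLE_CONFIG = """\
version 12.1
service password-encryption
!
enable secret 5 $1$placeholder$hash
!
tacacs-server host 10.1.1.206 key PlainTextKey1
tacacs-server host 10.1.1.207 key 7 0822455D0A16
tacacs-server key 0 PlainTextKey2
radius-server host 10.1.1.208 auth-port 1812 key AnotherPlainKey
line vty 0 4
 password 7 0822455D0A16
"""

# Statements carrying a shared secret: "tacacs-server key ...", "tacacs-server
# host <addr> [...] key ...", their radius equivalents, and a line "password ...".
# An optional leading digit is the IOS type marker (0 = cleartext, 7 = hidden).
KEY_RE = re.compile(
    r"^\s*(?P<stmt>(?:tacacs|radius)-server(?: host .+?)? key|password)"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)

def classify(type_marker):
    """Map the IOS type marker to what the stored form actually offers."""
    if type_marker is None or type_marker == "0":
        return "cleartext"   # no marker, or explicit 0: stored exactly as typed
    if type_marker == "7":
        return "type7"       # "hidden": reversible obfuscation, not a hash
    return "other"           # e.g. type 5/8/9 hashes, not expected on these lines

def audit_secrets(config):
    """Report secrets stored in cleartext, whatever service password-encryption says."""
    lines = config.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = KEY_RE.match(line)
        if m:
            findings.append({"line": lineno, "stmt": m.group("stmt").strip(),
                             "kind": classify(m.group("type"))})
    return {"password_encryption": "service password-encryption" in lines,
            "cleartext_lines": [f["line"] for f in findings if f["kind"] == "cleartext"],
            "findings": findings}

if __name__ == "__main__":
    for f in audit_secrets(SAMPLE_CONFIG)["findings"]:
        print(f"line {f['line']:>2}: {f['kind']:<9} {f['stmt']}")
```

Type 7 entries are reported separately because the IOS help text above calls them hidden, not encrypted: they keep the key off the screen but are no substitute for restricting who can read the config.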
