service password-encryption | not encrypting all passwords

Rick Morris
Level 6

Here is a snip of the config:

routerA#sh ver
Cisco Internetwork Operating System Software
IOS (tm) MSFC2 Software (C6MSFC2-PSV-M), Version 12.1(20)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 24-Oct-03 20:16 by hqluong
Image text-base: 0x40008F90, data-base: 0x41902000
ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
BOOTLDR: MSFC2 Software (C6MSFC2-BOOT-M), Version 12.1(20)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

//----snip----//

! Last configuration change at 15:34:17 EST Mon Feb 4 2008 by rmorris
! NVRAM config last updated at 23:48:22 EST Fri Feb 1 2008
!
version 12.1
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
enable secret xxx
!
username testuser privilege 15 secret xxx

As you can see, the passwords get encrypted; however, in the TACACS config they do not:

tacacs-server host 10.1.1.206 key T@c@cs+
tacacs-server host 10.1.1.207 key T@c@cs+

In some of our switches we can encrypt.

routerA(config)#tacacs-server ?
administration Start tacacs+ deamon handling administrative messages
attempts Number of login attempts via TACACS
directed-request Allow user to specify tacacs server to use with `@server'
dns-alias-lookup Enable IP Domain Name System Alias lookup for TACACS servers
host Specify a TACACS server
key Set TACACS+ encryption key.
packet Modify TACACS+ packet options
timeout Time to wait for a TACACS server to reply

routerA(config)#tacacs-server key ?
LINE Encryption key string

routerA(config)#tacacs-server key

As you can see, this IOS version does not give the option to choose to encrypt. Is there something I am doing wrong, or is it just the version of IOS code?

I am making the assumption it is the IOS but wanted to see if anyone else might know.

Here is a config from another switch that does allow that option for encryption:

HPTMDF01(config)#tacacs-server key ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow
LINE The UNENCRYPTED (cleartext) shared key

HPTMDF01(config)#tacacs-server key

HPTMDF01#sh ver
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.2(25)EWA8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:18 by pwade
Image text-base: 0x10000000, data-base: 0x114EECF0
ROM: 12.1(12r)EW
Dagobah Revision 95, Swamp Revision 24
HPTMDF01 uptime is 2 weeks, 2 days, 18 hours, 58 minutes
Uptime for this control processor is 2 weeks, 2 days, 18 hours, 59 minutes
System returned to ROM by power-on
System restarted at 14:21:35 EST Sat Jan 19 2008
Running default software
cisco WS-C4507R (MPC8245) processor (revision 5) with 524288K bytes of memory.

4 Replies

yjdabear
VIP Alumni

Have you tried unconfiguring the tacacs-server key and then reconfiguring it? If it remains unencrypted, then the answer is: prior to 12.2, the tacacs-server key does not get encrypted by "service password-encryption".

Yes, I have tried that. I even cut and pasted a known encrypted key CLI from a template I use, and it does not encrypt the password; it takes it as literal text and not encrypted text.

I assumed as much but wanted to check.

thanks

Rick

I have bumped into this several times and it is absolutely a question of which version of code you are running.

In earlier versions of IOS, password-encryption did encrypt some passwords, such as the vty passwords, but it left other passwords, such as the TACACS server password, in the clear. Then in later versions of code other passwords (especially including the TACACS server password) became processed by the password-encryption command. You are obviously running a version of code that does not encrypt TACACS passwords - and nothing that you can do (other than a code upgrade) will get your device to understand encryption of the TACACS server password.

HTH

Rick
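A defender's config audit for exactly the gap this thread describes, as an added example (not code from the thread or from Cisco): it parses the secret-bearing IOS statements, classifies each by its storage-type prefix (0 cleartext, 5 salted MD5, 7 reversible obfuscation), and, following the answer above, treats every tacacs-server key on a pre-12.2 image as cleartext whatever prefix it carries, because such images store the key field literally. The sample config and hash values are constructed, and the regexes and the 12.2 cut-off are assumptions taken from the thread.

```python
import re

# Constructed sample running-config (not a real device): a 12.1 image like routerA
# in the thread, plus a 12.2-style "key 7" line that such an image stores literally.
SAMPLE_CONFIG = """\
version 12.1
service password-encryption
username testuser privilege 15 secret 5 $1$SAMPLE$notarealhash0000000000
username ops password 7 0822455D0A16
tacacs-server host 10.1.1.206 key T@c@cs+
tacacs-server host 10.1.1.207 key 0 T@c@cs+
tacacs-server key 7 0822455D0A16
"""

# Secret-bearing statements; group "v" is the value, with any IOS type prefix.
PATTERNS = {
    "tacacs-server key": re.compile(r"^tacacs-server\s+(?:host\b.*?\s)?key\s+(?P<v>.+)$"),
    "enable": re.compile(r"^enable\s+(?:password|secret)\s+(?P<v>.+)$"),
    "username": re.compile(r"^username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:password|secret)\s+(?P<v>.+)$"),
}
# IOS storage-type prefixes: 0 cleartext, 5 salted MD5 hash, 7 reversible obfuscation.
TYPE_PREFIXES = {"0": "cleartext", "5": "md5-hash", "7": "type7-reversible"}

def classify(value):
    """Map a secret statement's value field to how IOS stores it."""
    parts = value.split(None, 1)
    if len(parts) == 2 and parts[0] in TYPE_PREFIXES:
        return TYPE_PREFIXES[parts[0]]
    return "cleartext"

def audit_config(config_text):
    """Return (statement, storage-kind, line) per secret-bearing line. Per the thread,
    pre-12.2 images store tacacs-server keys literally, so there all are cleartext."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config_text, re.M)
    version = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    findings = []
    for line in (raw.strip() for raw in config_text.splitlines()):
        for name, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                kind = classify(m.group("v"))
                if name == "tacacs-server key" and version < (12, 2):
                    kind = "cleartext"
                findings.append((name, kind, line))
                break
    return findings

def weak_secrets(config_text):
    """Findings to flag: cleartext, or type 7 (reversible obfuscation, not a hash)."""
    return [f for f in audit_config(config_text) if f[1] in ("cleartext", "type7-reversible")]
```

Run `weak_secrets(SAMPLE_CONFIG)` to list the lines a reviewer should act on; changing the `version` line to 12.2 shows the `key 7` line move from cleartext to type 7, while the `key 0` line stays cleartext.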


I figured as much.

Thanks.
