Tacacs Key Not envrypted

Unanswered Question
Mar 11th, 2009

Hi All

In My Tacacs config onlyt acacs key is displaying in clear text, have configured "service password encrption" but still tacacs key is clear text,

is it IOS bug or how can we fix up this issue

acacs-server host *. * . * . * single-connection key 'qullcom"



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Richard Burts Wed, 03/11/2009 - 10:42


I suspect that you are running an older version of IOS. In older versions the TACACS key was displayed in the clear. At some point (I do not remember for sure at what release) the behavior changed and if service password-encryption was enable then the TACACS key was encrypted.

I very much doubt that it is an IOS bug. If I am correct then the only way to get the TACACS key encrypted is to update to a more recent version of IOS.



echelon360 Wed, 03/11/2009 - 22:45

I had a similar issue before when deploying TACACS and i can confirm that

it is an IOS issue. If i recall correctly, it was version prior to 12.2 that had the issue of displaying the tacacs key in clear.

UCBNOCWAN Thu, 03/12/2009 - 02:13

Dear All,

Thanks for every one who have given there comments about this issue.

Yes i checked all devices and found that its there only in 12.2 version and prior tot this(mean Key is not encrypted in 12.2 IOS ).there is not problem with 12.3 or higher

iam not sure is it IOS bug, can any one clarufy on the same


cisco24x7 Thu, 03/12/2009 - 05:38

Here is my 2c.

What you're seeing is an IOS bug because I am also running IOS version 12.2 and it is working for me:

C3550-lab#sh run | i password-

service password-encryption

C3550-lab#sh run | i tacacs-server

tacacs-server host key 7 0110050D5E18030C

tacacs-server directed-request

C3550-lab#sh flash:

Directory of flash:/

3 -rwx 2964 Feb 3 2009 18:05:08 +00:00 vlan.dat

4 -rwx 322 Mar 11 2009 19:14:47 +00:00 system_env_vars

5 -rwx 12146 Mar 12 2009 12:34:42 +00:00 config.text

6 -rwx 46 Mar 12 2009 12:34:42 +00:00 private-config.text

8 -rwx 7144860 Mar 1 1993 06:10:15 +00:00 c3550-ipservicesk9-mz.122-25.SEE4.bin

7 -rwx 0 Mar 11 2009 19:14:47 +00:00 env_vars

9 -rwx 2072 Mar 12 2009 12:34:42 +00:00 multiple-fs

15998976 bytes total (3850240 bytes free)


It is also working on 12.2(15)T17 as well.

Therefore, a logical conclusion is "it is very likely an IOS bug"

Richard Burts Thu, 03/12/2009 - 09:40


Did you not understand my previous explanation that this is not an IOS bug. In earlier releases (like 12.2) the TACACS key was not included in the addresses protected by service password-encryption. IOS 12.2 is behaving just exactly as Cisco intended it to by not encrypting the TACACS key.

If it is important to have the TACACS key be encrypted then you will need to update the IOS version that you are running in those routers.


12.2 in the 3550 is quite different from 12.2 in router IOS. I suspect that KSK is looking at routers and not at 3550s.

I remember very clearly in older versions of router IOS that the TACACS key was normally not encrypted.





UCBNOCWAN Thu, 03/12/2009 - 10:01


Thanks for the update

Could you please paste the link/doc which says that 12.2 version does not support tacacs key


cisco24x7 Thu, 03/12/2009 - 12:52

I like to deal with facts and not fiction. From what I am seeing, 12.2 DOES support encryption of the TACACS key:

VXR7204#sh flash:

-#- ED ----type---- --crc--- -seek-- nlen -length- ---------date/time--------- name

1 .. image ECB29DF2 D0A824 25 13543332 Mar 12 2009 13:40:45 +00:00 c7200-ik9s-mz.122-46a.bin

7034844 bytes available (13543460 bytes used)


VXR7204 uptime is 3 minutes

System returned to ROM by reload at 13:54:00 UTC Thu Mar 12 2009

System image file is "slot0:c7200-ik9s-mz.122-46a.bin"

Last reload reason: Reload command

VXR7204#sh run | i tacacs-server

tacacs-server host key 7 1511080501392E27

tacacs-server directed-request


Leo Laohoo Thu, 03/12/2009 - 15:03

I experienced this too when I was doing some work on switches (2950/3550) running 12.1(22)EA1, EA2. I initially thought it was an IOS bug (I was looking for reasons to upgrade the IOS to EA12) so after an upgrade and reboot, the keys were finally encrypted.

Then I saw a switch running EA2 IOS and after a reboot, it worked well! Who knows. Maybe the key entered by my colleague was already encrypted (cut-n-paste bandit).

cisco24x7 Fri, 03/13/2009 - 05:13

The point I am trying to prove here is that IOS version 12.2, either IOS routers or IOS switches, does encrypt the TACACS key in the configuration, as demonstrated in my previous examples for the Catalyst 3500 switch and VXR7204 router


This Discussion