LMS archive

Unanswered Question
Sep 9th, 2009

Hi,


I did a configuration retrieval from CiscoWorks for a router.

I have a question about the tacacs+ key that was retrieved


It shows #


tacacs-server key ******** 1158abcdefghxxxxxxxx


I was wondering if the key includes the ******** portion as well.


-Thanks

Joe Clarke Wed, 09/09/2009 - 13:01

I don't follow. The asterisk portion is the key itself obfuscated by RME to prevent eavesdropping. If the key is deployed back to the device, it should be done in clear text so the device understands it. The literal "********" will not be sent to the device.

georgeef1 Thu, 09/10/2009 - 12:24

Hi,


Thanks for the information.


So is the total number of digits in the key 24? Also, is there a limit on the size of the key in clear text?


Please advise.

Joe Clarke Thu, 09/10/2009 - 13:25

I think maybe I'm not fully understanding the problem. Can you post a screenshot of this tacacs-server key as shown in RME? As for a length limit of the key, there does not appear to be one in IOS.

georgeef1 Thu, 09/10/2009 - 13:40

Thanks Jclarke,


As per this line, I was looking at the characters after the * and there were 24, so I was just curious if they have a certain limit of characters.


I want to see, if I lose the key, whether I can decrypt the key from this RME archive by copying the encrypted text, and whether I have to copy the * or just the characters.


Please suggest !

Joe Clarke Thu, 09/10/2009 - 13:44

Ah. If you go to the RME shadow directory, you should see the key just as it would appear on the router. So, the short answer is RME has archived a config which can be put back on the router, restoring everything that currently appears in the running config.

georgeef1 Thu, 09/10/2009 - 15:06

Thanks Jclarke,


As per this line, I was looking at the characters after the * and there were 24, so I was just curious if they have a certain limit of characters.


I want to see, if I lose the key, whether I can decrypt the key from this RME archive by copying the encrypted text, and whether I have to copy the * or just the characters.


Please suggest !

Joe Clarke Thu, 09/10/2009 - 14:52

In my RME, when I view the config for my 3745, I see the following for tacacs-server key:


tacacs-server key ********


If I click the Edit button in the config viewer, then view the Tacacs Global section, I see the following in the credentials box:


tacacs-server key ******


If I click the hyperlinked "******", I see the following in the popup:


Old Credential : tacacs1


Where "tacacs1" is the configured tacacs-server key on my router.


So, if you lose the key, you can either use RME's Config Editor to see the unencrypted value, or look at the shadow directory on the server which will have the clear text config that was archived from the device.
