09-09-2009 11:40 AM
Hi,
I did a configuration retrieval from CiscoWorks for a router.
I have a question about the TACACS+ key that was retrieved.
It shows #
tacacs-server key ******** 1158abcdefghxxxxxxxx
I was wondering if the key includes the ******** portion as well.
-Thanks
09-09-2009 01:01 PM
I don't follow. The asterisk portion is the key itself obfuscated by RME to prevent eavesdropping. If the key is deployed back to the device, it should be done in clear text so the device understands it. The literal "********" will not be sent to the device.
09-10-2009 12:24 PM
Hi,
Thanks for the information.
So is the total number of digits in the key 24? Also, is there a limit on the size of the key in clear text?
Please advise.
09-10-2009 01:25 PM
I think maybe I'm not fully understanding the problem. Can you post a screenshot of this tacacs-server key as shown in RME? As for a length limit of the key, there does not appear to be one in IOS.
09-10-2009 01:40 PM
Thanks Jclarke,
As per this line, I was looking at the characters after the *; there were 24, so I was just curious whether they have a certain limit on characters.
I want to see, if I lose the key, whether I can decrypt the key from this RME archive by copying the encrypted text, and whether I have to copy the * or just the characters.
Please suggest !
09-10-2009 01:44 PM
Ah. If you go to the RME shadow directory, you should see the key just as it would appear on the router. So, the short answer is RME has archived a config which can be put back on the router, restoring everything that currently appears in the running config.
09-10-2009 03:06 PM
Thanks Jclarke,
As per this line, I was looking at the characters after the *; there were 24, so I was just curious whether they have a certain limit on characters.
I want to see, if I lose the key, whether I can decrypt the key from this RME archive by copying the encrypted text, and whether I have to copy the * or just the characters.
Please suggest !
09-10-2009 02:52 PM
In my RME, when I view the config for my 3745, I see the following for tacacs-server key:
tacacs-server key ********
If I click the Edit button in the config viewer, then view the Tacacs Global section, I see the following in the credentials box:
tacacs-server key ******
If I click the hyperlinked "******", I see the following in the popup:
Old Credential : tacacs1
Where "tacacs1" is the configured tacacs-server key on my router.
So, if you lose the key, you can either use RME's Config Editor to see the unencrypted value, or look at the shadow directory on the server which will have the clear text config that was archived from the device.