08-09-2012 02:52 AM - edited 03-10-2019 07:24 PM
Hello,
When a tacacs user is changing the local password on the router (for local user), the acs 5.3 is showing the new password in clear text in authorization reports/logs.
This behaviour is seen on acs 5.x, whereas acs 4.2 is showing encrypted password in the reports.
I have checked debugs on Router and it is sending password in clear text in Tacacs Authorization packet but encrypted password in Tacacs Accounting logs.
Debug tacacs accounting
debug aaa accounting
4w3d: TPLUS: Received accounting response with status PASS
4w3d: TPLUS: Queuing AAA Accounting request 208 for processing
4w3d: TPLUS: processing accounting request id 208
4w3d: TPLUS: Sending AV task_id=459
4w3d: TPLUS: Sending AV timezone=UTC
4w3d: TPLUS: Sending AV service=shell
4w3d: TPLUS: Sending AV priv-lvl=15
4w3d: TPLUS: Sending AV cmd=username sansehga privilege 15 password *****
4w3d: TPLUS: Accounting request created for 208(sanjay)
debug tacas authorization
debug aaa authorization
4w3d: AAA/MEMORY: create_user (0x851611DC) user='sanjay' ruser='R1' ds0=0
port='tty7' rem_addr='10.76.212.159' authen_type=ASCII service=NONE priv=15
initial_task_id='0', vrf= (id=0)
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Port='tty7' list='' service=CMD
4w3d: AAA/AUTHOR/CMD: tty7(1390711548) user='sanjay'
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV service=shell
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd=username
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sansehga
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=privilege
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=15
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=password
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sehgal
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=<cr>
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): found list "default"
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Method=tacacs+ (tacacs+)
4w3d: AAA/AUTHOR/TAC+: (1390711548): user=sanjay
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV service=shell
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd=username
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sansehga
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=privilege
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=15
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=password
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sehgal
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=<cr>
4w3d: AAA/AUTHOR (1390711548): Post authorization status = PASS_ADD
Please share if someone has found the fix to this problem.
Regards,
Akhtar
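As an added example (not from the thread, and not Cisco's or ACS's own code), here is a small redaction filter for lines in the format of the router's debug aaa authorization output above, so the cleartext argument that follows the password keyword can be masked before such debugs or exported reports are stored or shared. It goes beyond the thread's case by also handling the secret keyword and the optional IOS encryption-type digit; the sample lines, username and credential are constructed.

```python
import re

# Constructed sample in the format of the thread's "debug aaa authorization" output;
# the username and credential are made up, not the thread's.
SAMPLE_DEBUG = """\
4w3d: AAA/AUTHOR/TAC+: (1390711548): user=operator1
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV service=shell
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd=username
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=netadmin
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=privilege
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=15
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=secret
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=5
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=$1$EXAMPLEHASH
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=<cr>
4w3d: AAA/AUTHOR (1390711548): Post authorization status = PASS_ADD
"""

SENSITIVE = {"password", "secret"}                 # IOS keywords whose next argument is a credential
ENCRYPTION_TYPES = {"0", "4", "5", "7", "8", "9"}  # optional type digit between keyword and value
AV_RE = re.compile(r"^(?P<prefix>.*send AV )(?P<attr>[\w-]+)=(?P<value>.*)$")
MASK = "*****"   # same marker the accounting debug in the thread uses


def redact_author_debug(text):
    """Mask the cmd-arg that follows a password/secret keyword.

    Returns (redacted_text, number_of_masked_values). Lines that are not
    cmd-arg AV pairs pass through unchanged; an already-masked value is left alone.
    """
    out, masked, expect_value = [], 0, False
    for line in text.splitlines():
        m = AV_RE.match(line)
        if m and m.group("attr") == "cmd-arg":
            value = m.group("value")
            if expect_value and value in ENCRYPTION_TYPES:
                pass                                    # type digit is not secret; keep waiting
            elif expect_value and value not in ("<cr>", MASK):
                line = f"{m.group('prefix')}cmd-arg={MASK}"
                masked += 1
                expect_value = False
            else:
                expect_value = value.lower() in SENSITIVE
        out.append(line)
    return "\n".join(out) + "\n", masked


def has_cleartext_credential(text):
    """True if the text still carries an unmasked credential argument."""
    return redact_author_debug(text)[1] > 0


if __name__ == "__main__":
    redacted, n = redact_author_debug(SAMPLE_DEBUG)
    print(f"masked {n} credential value(s)")
    print(redacted)
```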
08-09-2012 06:10 AM
Akhtar,
This doesn't look like the ACS that is sending the password; these are the debugs from the device that is sending the AV pairs, including the password in clear text. What version of code is this client running? The ACS has no need to send the password back to the user.
Tarik Admani
*Please rate helpful posts*
08-14-2012 12:05 AM
Tarik,
I am not saying that. What I meant is simple: ACS is showing the password in the authorization report as clear text, which any ACS user can see (snapshot attached). This is only seen in ACS 5.x, not in ACS 4.2, which shows the encrypted password in the report.
FYI, IOS running on the routers is 12.2(24)T5.
Regards,
Akhtar
08-14-2012 12:18 AM
Could that be because you use secret 0? When you use secret 5 (or secret 4), the password is shown as asterisks, right?
08-14-2012 12:22 AM
Good call Amjad,
Can you verify this with ACS 4?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-14-2012 01:31 AM
Thanks Tarik,
But it seems it did not help overall.
Akhtar: Cisco needs a long time to fix bugs unless it is a P1 or P2 bug. Otherwise they'll do it at their leisure.
If you are not on the latest patch already, then upgrade. If you are already on the latest patch, then wait for the next one. If your bug is not mentioned as fixed in the resolved caveats, don't panic. I've seen many bugs fixed but not mentioned in the release notes. What you need to do is to contact TAC so they contact the BU on your behalf to confirm whether the bug is resolved or not.
Regards,
Amjad
08-14-2012 12:29 AM
Amjad, router is using secret 5.
08-14-2012 12:20 AM
Akhtar,
This seems like a bug that should be raised with Cisco; I don't see a way to enable password masking. However, could you create a read-only user in ACS and see if they can still see the password in the reports? I am curious to see if the full admin role is able to see the password but not any other roles.
If they are still able to see the password, please open a TAC case and have them raise a bug for this issue, since this was a feature in ACS 4.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-14-2012 12:28 AM
Thanks Tarik, Cisco has created bug CSCty18976 for this problem, but it has been around 6 months and they haven't fixed it. I was just thinking what others are doing to tackle this.
I think if we assign 'report admin' rights to an ACS user, then only the report can be seen, and that is where he sees this password.
Thanks for your time.
Regards,
Akhtar