ACS 5.3 Showing Clear Text Password in Authorization reports

Akhtar Samo
Level 1

Hello,

When a TACACS user changes the local password on the router (for a local user), ACS 5.3 shows the new password in clear text in the authorization reports/logs.

This behaviour is seen on ACS 5.x, whereas ACS 4.2 shows an encrypted password in the reports.

I have checked debugs on the router and it is sending the password in clear text in the TACACS authorization packet but an encrypted password in the TACACS accounting logs.

debug tacacs accounting
debug aaa accounting

4w3d: TPLUS: Received accounting response with status PASS
4w3d: TPLUS: Queuing AAA Accounting request 208 for processing
4w3d: TPLUS: processing accounting request id 208
4w3d: TPLUS: Sending AV task_id=459
4w3d: TPLUS: Sending AV timezone=UTC
4w3d: TPLUS: Sending AV service=shell
4w3d: TPLUS: Sending AV priv-lvl=15
4w3d: TPLUS: Sending AV cmd=username sansehga privilege 15 password *****
4w3d: TPLUS: Accounting request created for 208(sanjay)

debug tacacs authorization
debug aaa authorization

4w3d: AAA/MEMORY: create_user (0x851611DC) user='sanjay' ruser='R1' ds0=0
    port='tty7' rem_addr='10.76.212.159' authen_type=ASCII service=NONE priv=15
    initial_task_id='0', vrf= (id=0)
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Port='tty7' list='' service=CMD
4w3d: AAA/AUTHOR/CMD: tty7(1390711548) user='sanjay'
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV service=shell
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd=username
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sansehga
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=privilege
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=15
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=password
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sehgal
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=<cr>
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): found list "default"
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Method=tacacs+ (tacacs+)
4w3d: AAA/AUTHOR/TAC+: (1390711548): user=sanjay
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV service=shell
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd=username
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sansehga
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=privilege
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=15
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=password
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sehgal
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=<cr>
4w3d: AAA/AUTHOR (1390711548): Post authorization status = PASS_ADD

Please share if someone has found the fix to this problem.

Regards,

Akhtar
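As an added example (not from this thread or from Cisco): a small log sanitizer that rebuilds the command from the cmd / cmd-arg AV pairs in the authorization debug above and masks everything after a credential keyword, the way the accounting record already does, so a report never has to carry the clear-text value. The sample input is constructed from the debug lines above with a placeholder in place of the real password; the keyword list is an assumption.

```python
import re

# Constructed sample built from the "debug aaa authorization" lines in the
# post above, with a placeholder instead of the real password value.
SAMPLE_DEBUG = """\
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV service=shell
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd=username
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sansehga
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=privilege
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=15
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=password
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=EXAMPLE-SECRET
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=<cr>
4w3d: AAA/AUTHOR (1390711548): Post authorization status = PASS_ADD
"""

# Keywords after which the remaining arguments are a credential.  The IOS
# accounting record in the post masks everything after "password"; this
# list (an assumption) extends that to other secret-carrying IOS keywords.
SECRET_KEYWORDS = {"password", "secret", "key-string", "community"}

# Only AAA/AUTHOR/TAC+ lines: those AV pairs are what reaches the server's report.
AV_RE = re.compile(
    r"AAA/AUTHOR/TAC\+: \((?P<req>\d+)\): send AV (?P<attr>[\w-]+)=(?P<val>.*)$"
)

def parse_requests(lines):
    """Rebuild each request's command line from its cmd / cmd-arg AV pairs."""
    cmds = {}
    for line in lines:
        m = AV_RE.search(line)
        if m and m.group("attr") in ("cmd", "cmd-arg") and m.group("val") != "<cr>":
            cmds.setdefault(m.group("req"), []).append(m.group("val"))
    return cmds

def contains_credential(tokens):
    """Detection: did this command authorization carry a credential?"""
    return any(t.lower() in SECRET_KEYWORDS for t in tokens)

def mask_secrets(tokens, mask="*****"):
    """Render the command with everything after a secret keyword replaced,
    matching the 'password *****' form of the accounting record."""
    for i, tok in enumerate(tokens):
        if tok.lower() in SECRET_KEYWORDS:
            return " ".join(tokens[: i + 1] + [mask])
    return " ".join(tokens)

def sanitized_report(debug_text):
    """Map request id -> masked command, safe to show to a report-admin user."""
    reqs = parse_requests(debug_text.splitlines())
    return {req: mask_secrets(toks) for req, toks in reqs.items()}
```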

8 Replies

Tarik Admani
VIP Alumni

Akhtar,

This doesn't look like the ACS is sending the password; these are the debugs from the device, which is sending the AV pairs including the password in clear text. What version of code is this client running? The ACS has no need to send the password back to the user.

Tarik Admani
*Please rate helpful posts*

Tarik,

I am not saying that. What I meant is simple: ACS is showing the password in the authorization report in clear text, which any ACS user can see (snapshot attached). This is only seen in ACS 5.x, not in ACS 4.2, which shows an encrypted password in the report.

FYI, IOS running on the routers is 12.2(24)T5.

Regards,

Akhtar

Could that be because you use secret 0? When you use secret 5 (or secret 4) the password is shown as asterisks, right?

Rating useful replies is more useful than saying "Thank you"

Good call Amjad,

Can you verify this with ACS 4?

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

But it seems it did not help overall.

Akhtar: Cisco needs a long time to fix bugs unless it is a P1 or P2 bug. Otherwise they'll do it at their leisure.

If you are not on the latest patch already then upgrade. If you are already on the latest patch then wait for the next one. If your bug is not listed as fixed in the resolved caveats, don't panic. I've seen many bugs fixed but not mentioned in the release notes. What you need to do is to contact TAC so they contact the BU on your behalf to confirm whether the bug is resolved or not.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Amjad, router is using secret 5.

Akhtar,

This seems like a bug that should be raised with Cisco; I don't see a way to enable password masking. However, could you create a read-only user in ACS and see if they can still see the password in the reports? I am curious to see if the full admin role is able to see the password but not any other roles.

If they are still able to see the password, please open a TAC case and have them raise a bug for this issue, since this was a feature in ACS 4.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik. Cisco has created bug CSCty18976 for this problem, but it has been around 6 months and they haven't fixed it. I was just thinking what others are doing to tackle this.

I think if we assign 'report admin' rights to an ACS user then only the report can be seen, and that is where he sees this password.

Thanks for your time.

Regards,

Akhtar