Has anyone noticed the TACACS authorization logs when you change the password for a user? In the authorization logs I can see the new password, but I cannot see it in the accounting logs. Is this normal behaviour, or do we need to do something to hide the password in the authorization logs?
For example, if I type the command username xyz priv 15 secret cisco 123
I see this command in the accounting logs as username xyz priv 15 secret ***, whereas in the TACACS authorization logs it shows
I would say that you are facing a normal behavior. The IOS needs to send the Authorization request including the command arguments for the ACS to authorize them.
We need to be able to see the "password" argument on the ACS side in order for it to authorize it. Imagine the following:
The ACS is configured to allow a restricted user to create a local account with password "cisco" only. The following command would be executed on the IOS side
username restricted privilege 1 password cisco
On the ACS side we create a Command Set that only allows the creation of the "restricted" user with password "cisco" and not any other password value. The ACS needs to be able to read that value; therefore, it has to be in clear text on the ACS side. If the restricted user tries to create another account with password "cisco123" or anything else other than "cisco", which is the allowed value, the ACS will reject it.
For accounting there is no need to know the password. That being said, the accounting request will be logged with ***** instead of the real password.
Hope this clarifies it, as you are facing a normal behavior.
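Because the authorization record has to carry the command arguments in clear text (as explained in the answer above), a common defensive step is to mask the password/secret argument at log-collection time, so that archived or SIEM-forwarded authorization records look like the accounting records already do. The script below is an added example and is not code from the thread or from Cisco; it assumes two hypothetical log shapes, a plain IOS command string and an ACS-style record made of cmd=/cmd-arg= attributes, and all sample lines in it are constructed.

```python
import re

MASK = "*****"
CRED_KEYWORDS = {"password", "secret"}
# Matches ACS-style attributes such as "cmd=username" and "cmd-arg=xyz"
# (assumed record shape; real ACS/ISE exports may differ in naming).
CMD_ATTR_RE = re.compile(r"(?P<key>\bcmd(?:-arg)?=)(?P<val>\S+)")


def _keyword(token: str) -> str:
    # "cmd=username" and "username" are both recognised as the keyword "username".
    return token.rsplit("=", 1)[-1].lower()


def mask_args(args):
    """Return a copy of the argument list with every password/secret value masked.

    The account name after "username" is skipped so that a user literally
    named "secret" does not trigger masking of the following argument.
    """
    out = list(args)
    i = 0
    while i < len(out):
        kw = _keyword(out[i])
        if kw == "username":
            i += 2  # skip the keyword and the account name
            continue
        if kw in CRED_KEYWORDS:
            j = i + 1
            # Optional IOS encryption-type digit, e.g. "secret 5 <hash>" or "password 7 <enc>".
            if j < len(out) and re.fullmatch(r"[0-9]", out[j]):
                j += 1
            if j < len(out):
                out[j] = MASK
            i = j
        i += 1
    return out


def redact_line(line: str) -> str:
    """Mask credential values in a log line of either assumed shape."""
    if CMD_ATTR_RE.search(line):
        # Attribute form: mask the values, then write them back in order.
        masked = iter(mask_args(CMD_ATTR_RE.findall(line) and
                                [m.group("val") for m in CMD_ATTR_RE.finditer(line)]))
        return CMD_ATTR_RE.sub(lambda m: m.group("key") + next(masked), line)
    # Plain command-string form (what the accounting record already shows).
    return " ".join(mask_args(line.split()))


def has_cleartext_credential(line: str) -> bool:
    """True if the line would change under redaction, i.e. it still carries a clear-text secret."""
    return redact_line(line) != line


if __name__ == "__main__":
    # Constructed sample records: an authorization line with the clear-text
    # secret and the matching accounting line that the device already masked.
    samples = [
        "cmd=username cmd-arg=xyz cmd-arg=priv cmd-arg=15 cmd-arg=secret cmd-arg=cisco cmd-arg=<cr>",
        "username xyz priv 15 secret *****",
        "enable secret 5 $1$abcd$constructedhash",
    ]
    for line in samples:
        flag = "CLEARTEXT" if has_cleartext_credential(line) else "ok"
        print(f"[{flag}] {redact_line(line)}")
```

Run it as a filter in front of the log forwarder; has_cleartext_credential() can also drive an alert for any collector that still receives unmasked authorization records.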