08-02-2006 05:59 AM - last edited on 03-25-2019 05:23 PM by ciscomoderator
I have recently enabled TACACS in my Cisco routers/switches, but when I do show run I can see the tacacs key. How do I hide it?
Thanks.
tacacs-server host x.x.x.x key cisco123
08-02-2006 06:19 AM
Hi,
You can either use "tacacs-server host x.x.x.x key cisco123" or individual lines (see below) to enter the tacacs+ value:
tacacs-server host xx.xx.xx.xx
tacacs-server key secretkey ---> default set as 0, cleartext
tacacs-server key 7 secretkey --> encrypted
0 (default) = cleartext
7 = encrypted
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tsec_r/sec_t1ht.htm#wp1283957
Rgds,
AK
08-02-2006 08:13 AM
AK
I have tried that but it still doesn't encrypt the key; here is what the config looks like after the change
tacacs-server host x.x.x.x
tacacs-server key 7 cisco123
08-02-2006 09:56 AM
Nawaz
The ability to "hide" the TACACS key is dependent on which version of code you are running. It is accomplished through the service password-encryption command. Older versions of code would encrypt only the line passwords, enable password. In more recent versions of code additional passwords are protected by this command. My experience is that 12.3T and 12.4 have included the TACACS key as one to protect (there could be other versions that do, but these are what I have experience with). Older versions of code do not protect the TACACS key. If you attempt to input the key with the "7" parameter it will not produce an encrypted key.
If you want the TACACS key hidden or encrypted then you should plan on upgrading the IOS version.
HTH
Rick
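An added example, not part of any post in this thread: a small audit that scans saved `show run` output for TACACS keys that are still readable, including the case from the thread where the line carries a `7` but the value was never encrypted. It assumes type 7 values are two decimal digits followed by hex pairs; the function name and the sample config are constructed for illustration.

```python
import re

# Assumption: a type 7 value is two decimal digits followed by hex digit pairs.
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")
# Matches "tacacs-server key ..." and "tacacs-server host <addr> ... key ...".
KEY_RE = re.compile(
    r"^tacacs-server\s+(?:host\s+\S+\s+(?:.*\s)?)?key\s+(?:([07])\s+)?(\S+)\s*$"
)

def audit_tacacs_keys(config):
    """Return (findings, service_encryption_enabled) for a running-config text.

    findings is a list of (line_number, reason); key values are never echoed.
    """
    lines = [line.strip() for line in config.splitlines()]
    # "no service password-encryption" must not count as enabled.
    enabled = "service password-encryption" in lines
    findings = []
    for number, line in enumerate(lines, 1):
        match = KEY_RE.match(line)
        if not match:
            continue  # not a TACACS key line (e.g. host line without a key)
        key_type, value = match.groups()
        if key_type == "7" and TYPE7_RE.match(value):
            continue  # stored in type 7 form
        if key_type == "7":
            reason = "type 7 marker but value is not in type 7 format"
        else:
            reason = "key stored as cleartext"
        findings.append((number, reason))
    return findings, enabled

# Constructed sample config; addresses are documentation-range placeholders.
SAMPLE = """\
no service password-encryption
tacacs-server host 192.0.2.10 key cisco123
tacacs-server host 192.0.2.11
tacacs-server key 7 cisco123
tacacs-server key 7 0822455D0A16
"""

if __name__ == "__main__":
    results, enabled = audit_tacacs_keys(SAMPLE)
    print("service password-encryption:", "on" if enabled else "off")
    for number, reason in results:
        print(f"line {number}: {reason}")
```

A value that passes this check is only hidden from casual viewing, since type 7 is a reversible encoding, so the saved config still has to be handled as sensitive.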