Hello,

I have been looking for an answer on this query, however, I have not been able to find the exact answer. I did find some useful information which I will include below:

1) Using "csutil -d" you will be able to extract both Usernames and Passwords from the ACS Internal Database. Usernames will be on clear text and the password will be hashed with the specified password you used when executing

"csutil -d".

C:\Program Files\CiscoSecure ACS v4.2\bin>CSUtil.exe -d

CSUtil v4.2(0.124), Copyright 1997-2008, Cisco Systems Inc

Please, provide secret key to encrypt user passwords being dumped.

This key will be asked during dump file importing.

Empty Passwords will create dumps which are not re-loadable into ACS..

()

2) It seems that the hash has not been revealed by Cisco ACS Developers. However, they have confirmed that the User Passwords are hashed using that password. Also, if using an "empty" password the exported user passwords will be "cisco123" or hashed: 0x0008 63 69 73 63 6f 31 32 33

If you are trying to convert the passwords to clear text in order to recreate the accounts on a different server other than ACS (AD, LDAP, 3rd Party RADIUS) it will not work as there are not any known procedures to decrypt those passwords.

Deeper investigation can be requested to TAC, however, I am not sure how accessible would it be to have a Developer share the hash method/algorithm used for Password encryption on the ACS Internal Database as it might be considered a security breach on the database of the application.

Hope this clarifies it.

Regards.