Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

service password-encryption | not encrypting all passwords

Here is a snip of the config:

routerA#sh ver

Cisco Internetwork Operating System Software

IOS (tm) MSFC2 Software (C6MSFC2-PSV-M), Version 12.1(20)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

TAC Support:

Copyright (c) 1986-2003 by cisco Systems, Inc.

Compiled Fri 24-Oct-03 20:16 by hqluong

Image text-base: 0x40008F90, data-base: 0x41902000

ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)



! Last configuration change at 15:34:17 EST Mon Feb 4 2008 by rmorris

! NVRAM config last updated at 23:48:22 EST Fri Feb 1 2008


version 12.1

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption


enable secret xxx


username testuser privilege 15 secret xxx

As you can see the passwords get encrypted, however in the TACACS config it does not:

tacacs-server host key T@c@cs+

tacacs-server host key T@c@cs+

In some of our switches we can encrypt.

routerA(config)#tacacs-server ?

administration Start tacacs+ deamon handling administrative messages

attempts Number of login attempts via TACACS

directed-request Allow user to specify tacacs server to use with `@server'

dns-alias-lookup Enable IP Domain Name System Alias lookup for TACACS servers

host Specify a TACACS server

key Set TACACS+ encryption key.

packet Modify TACACS+ packet options

timeout Time to wait for a TACACS server to reply

routerA(config)#tacacs-server key ?

LINE Encryption key string

routerA(config)#tacacs-server key

As you can see in this IOS version it does not give the option to choose to encrypt. Is there something I am doing wrong or is it just the version of IOS code?

I am making the assumption it is the IOS but wanted to see if anyone else might know.

Here is a config from another switch that does allow that option for encryption:

HPTMDF01(config)#tacacs-server key ?

0 Specifies an UNENCRYPTED key will follow

7 Specifies HIDDEN key will follow

LINE The UNENCRYPTED (cleartext) shared key

HPTMDF01(config)#tacacs-server key

HPTMDF01#sh ver

Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.2(25)EWA8, RELEASE SOFTWARE (fc1)

Technical Support:

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Wed 24-Jan-07 15:18 by pwade

Image text-base: 0x10000000, data-base: 0x114EECF0

ROM: 12.1(12r)EW

Dagobah Revision 95, Swamp Revision 24

HPTMDF01 uptime is 2 weeks, 2 days, 18 hours, 58 minutes

Uptime for this control processor is 2 weeks, 2 days, 18 hours, 59 minutes

System returned to ROM by power-on

System restarted at 14:21:35 EST Sat Jan 19 2008

Running default software

cisco WS-C4507R (MPC8245) processor (revision 5) with 524288K bytes of memory.


Re: service password-encryption | not encrypting all passwords

Have you tried unconfigure the tacacs-server key and then reconfigure it? If it remains unecrypted, then the answer is: Prior to 12.2, the tacacs-server key does not get encrypted by "service password-encryption".


Re: service password-encryption | not encrypting all passwords

yes I have tried that, I even cut and pasted a known encrypted key cli from a template I use and it does not encyrpt the password it takes it as literal text and not encrypted text.

I assumed as much but wanted to check.


Hall of Fame Super Gold

Re: service password-encryption | not encrypting all passwords


I have bumped into this several times and it is absolutely a question of which version of code you are running.

In earlier versions of IOS the password-encryption did encrypt some passwords such as the vty passwords. But it left in the clear other passwords such as the TACACS server password. Then in later versions of code other passwords (especially including the TACACS sever password) became process by the password-encryption command. You are obviously running a version of code that does not encrypt TACACS passwords - and nothing that you can do (other than code upgrade) will get your device to understand about encryption of the TACACS server password.




Re: service password-encryption | not encrypting all passwords

I figured as much.


CreatePlease to create content