02-05-2008 06:21 AM
Here is a snip of the config:
routerA#sh ver
Cisco Internetwork Operating System Software
IOS (tm) MSFC2 Software (C6MSFC2-PSV-M), Version 12.1(20)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 24-Oct-03 20:16 by hqluong
Image text-base: 0x40008F90, data-base: 0x41902000
ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
BOOTLDR: MSFC2 Software (C6MSFC2-BOOT-M), Version 12.1(20)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
//----snip----//
! Last configuration change at 15:34:17 EST Mon Feb 4 2008 by rmorris
! NVRAM config last updated at 23:48:22 EST Fri Feb 1 2008
!
version 12.1
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
enable secret xxx
!
username testuser privilege 15 secret xxx
As you can see, the passwords get encrypted; however, in the TACACS config they do not:
tacacs-server host 10.1.1.206 key T@c@cs+
tacacs-server host 10.1.1.207 key T@c@cs+
In some of our switches we can encrypt.
routerA(config)#tacacs-server ?
administration Start tacacs+ deamon handling administrative messages
attempts Number of login attempts via TACACS
directed-request Allow user to specify tacacs server to use with `@server'
dns-alias-lookup Enable IP Domain Name System Alias lookup for TACACS servers
host Specify a TACACS server
key Set TACACS+ encryption key.
packet Modify TACACS+ packet options
timeout Time to wait for a TACACS server to reply
routerA(config)#tacacs-server key ?
LINE Encryption key string
routerA(config)#tacacs-server key
As you can see, in this IOS version it does not give the option to choose to encrypt. Is there something I am doing wrong, or is it just the version of IOS code?
I am making the assumption it is the IOS but wanted to see if anyone else might know.
Here is a config from another switch that does allow that option for encryption:
HPTMDF01(config)#tacacs-server key ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow
LINE The UNENCRYPTED (cleartext) shared key
HPTMDF01(config)#tacacs-server key
HPTMDF01#sh ver
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.2(25)EWA8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:18 by pwade
Image text-base: 0x10000000, data-base: 0x114EECF0
ROM: 12.1(12r)EW
Dagobah Revision 95, Swamp Revision 24
HPTMDF01 uptime is 2 weeks, 2 days, 18 hours, 58 minutes
Uptime for this control processor is 2 weeks, 2 days, 18 hours, 59 minutes
System returned to ROM by power-on
System restarted at 14:21:35 EST Sat Jan 19 2008
Running default software
cisco WS-C4507R (MPC8245) processor (revision 5) with 524288K bytes of memory.
02-06-2008 08:11 AM
Have you tried unconfiguring the tacacs-server key and then reconfiguring it? If it remains unencrypted, then the answer is: Prior to 12.2, the tacacs-server key does not get encrypted by "service password-encryption".
02-06-2008 08:15 AM
Yes, I have tried that. I even cut and pasted a known encrypted key CLI from a template I use, and it does not encrypt the password; it takes it as literal text and not encrypted text.
I assumed as much but wanted to check.
Thanks
02-06-2008 09:24 PM
Rick
I have bumped into this several times and it is absolutely a question of which version of code you are running.
In earlier versions of IOS the password-encryption did encrypt some passwords such as the vty passwords. But it left in the clear other passwords such as the TACACS server password. Then in later versions of code other passwords (especially including the TACACS server password) became processed by the password-encryption command. You are obviously running a version of code that does not encrypt TACACS passwords - and nothing that you can do (other than code upgrade) will get your device to understand about encryption of the TACACS server password.
HTH
Rick
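An added example, not part of the original thread or any poster's code: a Python check that scans a saved IOS configuration for tacacs-server key lines that are still stored in cleartext even though service password-encryption is on, which is the situation discussed above. The function name, the key_type_supported flag and the sample configurations are assumptions made for illustration.

```python
import re

# Global form and per-host form, as both appear in IOS configs:
#   tacacs-server key <...>
#   tacacs-server host 10.1.1.206 key <...>
KEY_LINE = re.compile(
    r"^\s*tacacs-server\s+(?:host\s+(\S+)\s+(?:.*?\s)?)?key\s+(.+?)\s*$")
# Type 7 form: "7", then two decimal digits and an even run of hex digits.
TYPE7 = re.compile(r"^7\s+\d{2}(?:[0-9A-Fa-f]{2})+$")

def audit_tacacs_keys(config_text, key_type_supported=True):
    """Return one finding per tacacs-server key line; never echoes the key.

    key_type_supported=False models releases whose parser offers only LINE
    after "key" (no 0/7 choice), where a pasted "7 <hex>" string is stored
    as the literal key, as reported in the thread.
    """
    lines = config_text.splitlines()
    svc = any(l.strip() == "service password-encryption" for l in lines)
    findings = []
    for number, line in enumerate(lines, 1):
        m = KEY_LINE.match(line)
        if not m:
            continue
        hidden = key_type_supported and TYPE7.match(m.group(2))
        findings.append({
            "line": number,
            "server": m.group(1) or "global",
            "state": "type7" if hidden else "cleartext",
            # True + cleartext means the release does not cover TACACS keys
            "password_encryption_on": svc,
        })
    return findings

# Constructed sample configs (keys are placeholders, not real secrets).
OLD_STYLE = """service password-encryption
tacacs-server host 10.1.1.206 key EXAMPLE-KEY
tacacs-server host 10.1.1.207 key EXAMPLE-KEY
"""
NEW_STYLE = """service password-encryption
tacacs-server key 7 00000000000000
"""

if __name__ == "__main__":
    for name, cfg in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        for f in audit_tacacs_keys(cfg):
            print(name, f)
```

A type7 result means the key is hidden from casual viewing only; type 7 is a reversible encoding, so the configuration file still needs access control.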
02-07-2008 09:11 AM
I figured as much.
Thanks.