Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Can you Encrypt a TACACS+ password in a config

Hi all

can you add encryption to a Tacacs key (the same way you can turn on service password-encryption on),so that it does not appear as plain text in a config?

Regards

Colin

8 REPLIES
Purple

Re: Can you Encrypt a TACACS+ password in a config

Try "tacacs-server key 7 "

tacacs-server key

To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.

tacacs-server key {0 string | 7 string | string}

no tacacs-server key {0 string | 7 string | string}

Syntax Description

0 string

Specifies that an unencrypted key will follow.

•string—The unencrypted (clear text) shared key.

7 string

Specifies that a hidden key will follow.

•string—The hidden shared key.

string

The unencrypted (clear text) shared key.

VIP Purple

Re: Can you Encrypt a TACACS+ password in a config

Hello Colin,

there was a discussion in a previous post about that issue (check the link below), apparently the encryption does not work with TACACS or RADIUS keys...

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1dd9af91

Regards,

GP

Hall of Fame Super Silver

Re: Can you Encrypt a TACACS+ password in a config

Actually the answer to this question is very highly release dependent. Earlier releases did not support it. Current releases do. I am not sure where the change is and believe it may be a 12.3 (or maybe even a 12.3T) enhancement. I have quite a few routers (most with TACACS and some with Radius) where the key is encrypted. When I started with those routers the key was not encrypted.

The encryption of the TACACS/Radius key is part of the service password encryption. The service has been enhanced several times to increase the number of keys that it protects. If you have service password encryption enabled (and in a live network I hope that you do) and have a release that supports the new enhancement your TACACS/Radius key will be encrypted automatically. If your version of IOS does not support it yet the key will not be encrypted. If you try to force it in with key 7 I suspect that you will have a mess.

HTH

Rick

Re: Can you Encrypt a TACACS+ password in a config

Hi

In addition to other posts i would like to add up that you can configure encrypted key which wont be visible like the other normal ones.

But before that you need to get the encrypted combination of the key which u like to configure.

there r some cracks aval wherein u can enter ur preferred keyword and get the equivalent random generated keys inclusive of numbers,special characters.

Once you are thru with that you can configure tacacs+ key with the keyword 7 before that.

you will have soemething like tacacs-server key 7 79c01929 ...

wherein 79c01929 is ur preferred key got thru the randon generators..

i have tried something inline like this with the passwords..but not though with the keys but i feel it shuld work without any probs..

regds

Hall of Fame Super Silver

Re: Can you Encrypt a TACACS+ password in a config

If you put the password in encrypted, what will the software do with it? If the software did not understand how to encrypt it in the first place, how will it understand how to decrypt it when you need to use it if you try this approach:

tacacs-server key 7 79c01929 ?

If you want these keys encrypted get a version of IOS in which it is supported. It is part of service password encryption.

HTH

Rick

Re: Can you Encrypt a TACACS+ password in a config

Hi Rick

I m sure that i did have service password encryption enabled but still i wanted to do some kinda experiment to have some password done with weak (7)algorithm not with strong MD5 hashing.

I did key in my preferred key/passwd into the cracker which can only work out with the weak algo(7) and generated a random key.

i configured password 7 xxxxxxxx under line mode which wasnt visible like our normal passwds which we configure under line and if u dont have service-password encryp enabled..

the same did workout fine for me during tht time..

i m not much sure about the exact context of the query thrown at me ...

regds

Hall of Fame Super Silver

Re: Can you Encrypt a TACACS+ password in a config

Edwin

If you did your experiment with a line password, then I certainly believe that it worked. The IOS has always understood and supported service password encryption for line passwords.

I believe that your main point is that you created an encrypted version of the password using one of the cracker software and then put the encrypted version of the password into the config. And it worked. I agree with that. As long as the IOS has support for encryption of that particular kind of password, then you can input an encrypted password and it should work.

But the discussion in this thread is about TACACS and Radius passwords. They have not always been supported by password encryption. If someone has a version of IOS that does not support this feature and they follow your example of creating an encrypted password and putting the encrypted version of the password into the config, then I believe that it will not work and they will not connect to TACACS or Radius successfully.

HTH

Rick

Re: Can you Encrypt a TACACS+ password in a config

Hi Rick

Thx for correcting me out,i didnt check that out in the testbed setup here and i went thru the same logic which worked for me with line password which is almost similar and inline with this except the external interaction with either radius or tacacs+ servers...

And mostly we dont try out our hands in keying in a masked password since we have the liberty to make the ios to mask that out with service password encryption command...

regds

5373
Views
0
Helpful
8
Replies