In my TACACS config only the TACACS key is displaying in clear text. I have configured "service password-encryption", but the TACACS key is still in clear text.
Is it an IOS bug, or how can we fix this issue?
tacacs-server host *.*.*.* single-connection key "qullcom"
I suspect that you are running an older version of IOS. In older versions the TACACS key was displayed in the clear. At some point (I do not remember for sure at what release) the behavior changed, and if service password-encryption was enabled then the TACACS key was encrypted.
I very much doubt that it is an IOS bug. If I am correct then the only way to get the TACACS key encrypted is to update to a more recent version of IOS.
I had a similar issue before when deploying TACACS and I can confirm that it is an IOS issue. If I recall correctly, it was versions prior to 12.2 that had the issue of displaying the TACACS key in the clear.
Thanks to everyone who has given their comments about this issue.
Yes, I checked all devices and found that it's there only in the 12.2 version and prior to this (meaning the key is not encrypted in 12.2 IOS). There is no problem with 12.3 or higher.
I am not sure whether it is an IOS bug; can anyone clarify on the same?
Here are my 2c.
What you're seeing is an IOS bug because I am also running IOS version 12.2 and it is working for me:
C3550-lab#sh run | i password-
C3550-lab#sh run | i tacacs-server
tacacs-server host 192.168.3.10 key 7 0110050D5E18030C
Directory of flash:/
3 -rwx 2964 Feb 3 2009 18:05:08 +00:00 vlan.dat
4 -rwx 322 Mar 11 2009 19:14:47 +00:00 system_env_vars
5 -rwx 12146 Mar 12 2009 12:34:42 +00:00 config.text
6 -rwx 46 Mar 12 2009 12:34:42 +00:00 private-config.text
8 -rwx 7144860 Mar 1 1993 06:10:15 +00:00 c3550-ipservicesk9-mz.122-25.SEE4.bin
7 -rwx 0 Mar 11 2009 19:14:47 +00:00 env_vars
9 -rwx 2072 Mar 12 2009 12:34:42 +00:00 multiple-fs
15998976 bytes total (3850240 bytes free)
It is also working on 12.2(15)T17.
Therefore, a logical conclusion is "it is very likely an IOS bug".
Did you not understand my previous explanation that this is not an IOS bug? In earlier releases (like 12.2) the TACACS key was not included in the addresses protected by service password-encryption. IOS 12.2 is behaving exactly as Cisco intended it to by not encrypting the TACACS key.
If it is important to have the TACACS key be encrypted then you will need to update the IOS version that you are running in those routers.
12.2 in the 3550 is quite different from 12.2 in router IOS. I suspect that KSK is looking at routers and not at 3550s.
I remember very clearly in older versions of router IOS that the TACACS key was normally not encrypted.
I like to deal with facts and not fiction. From what I am seeing, 12.2 DOES support encryption of the TACACS key:
-#- ED ----type---- --crc--- -seek-- nlen -length- ---------date/time--------- name
1 .. image ECB29DF2 D0A824 25 13543332 Mar 12 2009 13:40:45 +00:00 c7200-ik9s-mz.122-46a.bin
7034844 bytes available (13543460 bytes used)
VXR7204 uptime is 3 minutes
System returned to ROM by reload at 13:54:00 UTC Thu Mar 12 2009
System image file is "slot0:c7200-ik9s-mz.122-46a.bin"
Last reload reason: Reload command
VXR7204#sh run | i tacacs-server
tacacs-server host 192.168.3.10 key 7 1511080501392E27
I experienced this too when I was doing some work on switches (2950/3550) running 12.1(22)EA1, EA2. I initially thought it was an IOS bug (I was looking for reasons to upgrade the IOS to EA12), so after an upgrade and reboot, the keys were finally encrypted.
Then I saw a switch running EA2 IOS and after a reboot, it worked well! Who knows. Maybe the key entered by my colleague was already encrypted (cut-n-paste bandit).
The point I am trying to prove here is that IOS version 12.2, on either IOS routers or IOS switches, does encrypt the TACACS key in the configuration, as demonstrated in my previous examples for the Catalyst 3500 switch and VXR7204 router.
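A config audit for exactly the condition debated in this thread, added here as an example (it is not code from any poster): it scans a saved running-config for TACACS+/RADIUS key lines and reports which are stored as type 7 and which are still readable, so a fleet with mixed IOS releases can be checked without eyeballing each box. The sample config is constructed; the `tacacs server NAME` block syntax is the newer IOS form and is handled alongside the legacy `tacacs-server host` lines quoted above.

```python
import re

# Constructed sample running-config excerpt, modelled on the lines quoted
# in this thread; not taken from any real device.
SAMPLE_CONFIG = """\
service password-encryption
!
tacacs-server host 192.168.3.10 key 7 0110050D5E18030C
tacacs-server host 192.168.3.11 single-connection key qullcom
tacacs-server key 0 sharedsecret
tacacs server TAC-1
 address ipv4 192.168.3.12
 key 7 1511080501392E27
tacacs server TAC-2
 key plaintextkey
radius-server host 192.168.3.20 auth-port 1812 key clearradius
"""

# Trailing "key [0|7] <value>" of an AAA server line; type 7 is the only
# form service password-encryption produces, 0 or no type means clear text.
KEY_RE = re.compile(r'\bkey\s+(?:(?P<type>[07])\s+)?(?P<val>\S+)\s*$')

def audit_aaa_keys(config_text):
    """Return (password_encryption_enabled, findings); each finding is
    (line_no, owner, 'type7' | 'clear') for a TACACS+/RADIUS key line."""
    enabled, findings, block = False, [], None
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if line == 'service password-encryption':
            enabled = True
        if not line.startswith(' '):  # top-level line: enter/leave a server block
            block = line if re.match(r'^(tacacs|radius) server \S+', line) else None
        m = KEY_RE.search(line)
        if not m:
            continue
        if line.startswith(' ') and block:          # "key ..." inside "tacacs server X"
            owner = block
        elif re.match(r'^(tacacs|radius)-server\b', line):  # legacy one-line form
            owner = line.split(' key ')[0]
        else:
            continue  # "key" on an unrelated line (crypto, etc.)
        status = 'type7' if m.group('type') == '7' else 'clear'
        findings.append((n, owner, status))
    return enabled, findings

def clear_key_lines(config_text):
    """Line numbers whose TACACS+/RADIUS key is still readable."""
    return [n for n, _, s in audit_aaa_keys(config_text)[1] if s == 'clear']
```

Run it over `show running-config` output saved from each device; any line reported as clear while `service password-encryption` is on is a device whose IOS release does not cover the AAA key, as described earlier in the thread.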