topic Re: ISE and Oracle DB with Hash Passwords in Network Access Control

ISE and Oracle DB with Hash Passwords

gugonza2 — Mon, 04 Feb 2019 11:36:57 GMT

Hi,

I have an Oracle DB with Usernames and Password Hashes stored.

I would like to configure ISE using ODBC to authenticate users using Oracle DB.

- Is ISE able to check credentials if Oracle has password hashes only ?

- ISE would calculate the password hash and will compare with Oracle DB ?

Thanks in Advance.

Re: ISE and Oracle DB with Hash Passwords

howon — Mon, 04 Feb 2019 13:11:44 GMT

It can be hashed in the table, but stored procedure for retrieving the password has to be able to reverse it to plain text password. IOW, ISE will not do the calculation, rather you have to make the stored procedure call in the DB to do that for ISE.

Re: ISE and Oracle DB with Hash Passwords

gugonza2 — Mon, 04 Feb 2019 13:40:47 GMT

Thx, but it´s not easy revert hash to plain text.

Checking the ISE documentation I found;

"Plain Text Password fetching from ODBC database Credential Check: If the username is found, its password and relevant user information is returned by the stored procedure. Cisco ISE calculates the password hash based on the authentication method and compares it with the one received from the client."

Any comment ?

Re: ISE and Oracle DB with Hash Passwords

howon — Mon, 04 Feb 2019 13:51:26 GMT

Yes, exactly. ISE needs to see the password for it to process the authentication. ISE can't simply compare hash from the client to the DB directly ATM. So the answer is still no it can't be done unless password is presented to ISE in clear text.

Re: ISE and Oracle DB with Hash Passwords

gugonza2 — Mon, 04 Feb 2019 14:00:44 GMT

Ok, Thanks for the clarification.