https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593112#M527050 <HTML><HEAD></HEAD><BODY><P>Thanks for response. Appreciate if you could also point me in the right direction to the PM for such matters?</P></BODY></HTML> Wed, 27 Sep 2017 16:30:01 GMT Jimi 2017-09-27T16:30:01Z https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593109#M527047 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I'll just like to confirm that my understanding of how encryption is currently done for TACACS+ users in ISE 2.2 Internal Identity Store:</P><P></P><P>With reference to this link: <A href="http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage.3f" title="http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage.3f">http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage…</A></P><P></P><P>As mentioned in the document above, only the users' passwords (and not the rest of the fields/columns) in the database are hashed using SHA256 and stored without any cryptography "salt" component? May I know what is the recommended approach if customer has an audit compliance requirement that users' passwords have to be hashed and "salted" before kept on any DB?</P><P></P><P>Best Regards,</P><P>Jimmy</P></BODY></HTML> Sun, 03 Sep 2017 09:47:26 GMT https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593109#M527047 Jimi 2017-09-03T09:47:26Z https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593110#M527048 <HTML><HEAD></HEAD><BODY><P>Just to add on, I've also found this thread: <A href="https://cisco.jiveon.com/thread/134207" title="https://cisco.jiveon.com/thread/134207">https://cisco.jiveon.com/thread/134207</A></P><P></P><P>This kind of adds on additional information to the previous document.</P><P>However, it still says that non ISE-admin users' passwords are not salted prior to hashing with the AES128.</P><P>May I know is this considered acceptable for TACACS+ users' passwords?</P><P></P><P>Best Regards</P></BODY></HTML> Sun, 03 Sep 2017 15:29:11 GMT https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593110#M527048 Jimi 2017-09-03T15:29:11Z https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593111#M527049 <HTML><HEAD></HEAD><BODY><P>Enable passwords are stored the same as regular passwords. Please contact our PM if you have additional requirements.</P></BODY></HTML> Mon, 11 Sep 2017 18:20:43 GMT https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593111#M527049 hslai 2017-09-11T18:20:43Z https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593112#M527050 <HTML><HEAD></HEAD><BODY><P>Thanks for response. Appreciate if you could also point me in the right direction to the PM for such matters?</P></BODY></HTML> Wed, 27 Sep 2017 16:30:01 GMT https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593112#M527050 Jimi 2017-09-27T16:30:01Z https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593113#M527051 <HTML><HEAD></HEAD><BODY><P>I just emailed you separately on this.</P></BODY></HTML> Wed, 27 Sep 2017 19:51:37 GMT https://community.cisco.com/t5/network-access-control/encryption-for-tacacs-user-passwords-inside-ise2-2-s-internal/m-p/3593113#M527051 hslai 2017-09-27T19:51:37Z