https://community.cisco.com/t5/network-access-control/tacacs-key-encryption/m-p/3840208#M548480 <P>Hello Keith</P><P>actually, I have a similar problem recently,<BR />I do some google and cisco community and seems I found the solution on this and the reason I may not adopt this type6<BR />1) <STRONG>why I may not try AES 256</STRONG><BR />it seems that AES needs to encrypted by the master key, which means that you cannot just copy the config and pasted to others device.<BR />so that might be the problem even <EM>enable secret</EM> is not using type 6 but type 9 for more secure password you can copy.</P><P>&nbsp;</P><P>2) <STRONG>the implementation</STRONG>,</P><P>seems that using key chain concept by encrypted an AES key before you applied on the tacacs key command</P><P>although the example is isakmp, with a reasonable guess the logic is the same I believe.</P><P>Enter configuration commands, one per line. End with CNTL/Z.<BR />Router(config)#key config-key password-encrypt testkey123<BR />Router(config)#password encryption aes<BR />Router(config)#^Z<BR />Router#<BR />Router#show running-config<BR />Building configuration...<BR />.....<BR />password encryption aes<BR />...<BR />crypto isakmp policy 10<BR />authentication pre-share<BR />crypto isakmp key 6 FLgBaJHXdYY_AcHZZMgQ_RhTDJXHUBAAB address 10.1.1.1</P><P><BR /><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html</A></P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196" target="_blank">https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196</A></P><P>&nbsp;</P> Wed, 17 Apr 2019 11:19:48 GMT perkin 2019-04-17T11:19:48Z https://community.cisco.com/t5/network-access-control/tacacs-key-encryption/m-p/3396099#M548478 <P class="s570a4-10 iEJDri">I am trying to improve the security of some of our switches, one of the things I want to do is change all the tacacs keys from encryption level from type 7 to type 6 (aes).</P> <P class="s570a4-10 iEJDri">some of the switches have the option by default for "tacacs-server key 6 password" where as other switches only have option 0 and 7 for encryption level.</P> <P class="s570a4-10 iEJDri">Even when I enable aes "password encryption aes" and set the aes encryption key "key config-key password-encrypt TestPassword" I still dont get option 6 for my encryption level</P> <P class="s570a4-10 iEJDri">This is on Version 15.2(4r)E3.</P> <P class="s570a4-10 iEJDri">I have the same issue with some other catalyst switches as well.</P> <P class="s570a4-10 iEJDri">can anyone advise if only some firmware versions support this level of encryption or if I'm missing something</P> <P class="s570a4-10 iEJDri">thanks,</P> <P class="s570a4-10 iEJDri">Keith</P> Fri, 21 Feb 2020 18:57:50 GMT https://community.cisco.com/t5/network-access-control/tacacs-key-encryption/m-p/3396099#M548478 keith0001111111 2020-02-21T18:57:50Z https://community.cisco.com/t5/network-access-control/tacacs-key-encryption/m-p/3396102#M548479 <P>Hi. I also am looking for a workaround for this. Be interested to hear what the community has done with this. Google didn't find anything!</P> Thu, 07 Jun 2018 22:09:50 GMT https://community.cisco.com/t5/network-access-control/tacacs-key-encryption/m-p/3396102#M548479 ashstavegas 2018-06-07T22:09:50Z https://community.cisco.com/t5/network-access-control/tacacs-key-encryption/m-p/3840208#M548480 <P>Hello Keith</P><P>actually, I have a similar problem recently,<BR />I do some google and cisco community and seems I found the solution on this and the reason I may not adopt this type6<BR />1) <STRONG>why I may not try AES 256</STRONG><BR />it seems that AES needs to encrypted by the master key, which means that you cannot just copy the config and pasted to others device.<BR />so that might be the problem even <EM>enable secret</EM> is not using type 6 but type 9 for more secure password you can copy.</P><P>&nbsp;</P><P>2) <STRONG>the implementation</STRONG>,</P><P>seems that using key chain concept by encrypted an AES key before you applied on the tacacs key command</P><P>although the example is isakmp, with a reasonable guess the logic is the same I believe.</P><P>Enter configuration commands, one per line. End with CNTL/Z.<BR />Router(config)#key config-key password-encrypt testkey123<BR />Router(config)#password encryption aes<BR />Router(config)#^Z<BR />Router#<BR />Router#show running-config<BR />Building configuration...<BR />.....<BR />password encryption aes<BR />...<BR />crypto isakmp policy 10<BR />authentication pre-share<BR />crypto isakmp key 6 FLgBaJHXdYY_AcHZZMgQ_RhTDJXHUBAAB address 10.1.1.1</P><P><BR /><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html</A></P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196" target="_blank">https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196</A></P><P>&nbsp;</P> Wed, 17 Apr 2019 11:19:48 GMT https://community.cisco.com/t5/network-access-control/tacacs-key-encryption/m-p/3840208#M548480 perkin 2019-04-17T11:19:48Z