topic Re: ISE Store User Password During TACACS+ with LDAP? Encryption Detai in Network Access Control

ISE Store User Password During TACACS+ with LDAP? Encryption Details

ISENAC1122 — Wed, 18 Jun 2025 13:52:05 GMT

I have question about how Cisco ISE handles user passwords during TACACS+ authentication when LDAP is used as the external identity source.

From what I understand, ISE forwards the user credentials to the LDAP server for authentication — but does it store the password locally on the ISE server during that process?

Is the password just held temporarily in RAM, or is it written anywhere to disk?
If it's stored in memory, does anyone know what kind of encryption or protection (e.g., SHA-256 or other) is used?

Thanks in advance.

Re: ISE Store User Password During TACACS+ with LDAP? Encryption Detai

Aref Alsouqi — Thu, 19 Jun 2025 09:13:55 GMT

Those are good questions and I don't know definite answers to them. However, I don't believe ISE stores the passwords locally on the disk for those users that are authenticated against an external identity source. Instead, ISE stores locally the users' credentials of its local users and it does protect them with hashing and encryption.

In your case we have two parts of transmitting the credentials, once between the network device and ISE and that will be over TACACS protocol which encrypts the payload, and then we have a transmission that would happen between ISE and the AD over LDAP. LDAP by default doesn't encrypt the payload which means those credentials will be passing in clear text over the wire.

@thomas, @Jason Kunst, or @Arne Bier might add more comments on this.

Re: ISE Store User Password During TACACS+ with LDAP? Encryption Detai

Arne Bier — Fri, 20 Jun 2025 01:02:29 GMT

I think that only an ISE Developer can tell you this kind of detail.

Not sure if you mean the LDAP password to BIND to the directory, or the user password that is compared against an object in the LDAP directory? When you configure the LDAP external identity source in ISE, you must enter the bind credentials in clear text - there is no way around that. What the app does with that string is hopefully to encrypt it, and then store it somewhere in the Oracle Database (most likely) which is where a lot of the ISE config lives.

As for the end client user password - that should most certainly NOT be stored on the disk (or logged in clear text) - I think only the ISE developers would tell you how that data flows through ISE. You'd hope they would take extra care with sensitive data, and free/cleanse the memory structures after the function has completed.