topic Re: TACACS plus psk encryption in Network Security

TACACS plus psk encryption

JerryLarson7922 — Thu, 27 Feb 2020 19:54:27 GMT

We are trying to convert or move away from our level TACACS+ 7 psk to a stronger encryption method. We have been searching documents and have not come up with an answer. we are testing this on Cisco cat 9300 switches. Can anybody shed light on this for us on the 9300 platform?

thanks,

Re: TACACS plus psk encryption

Marvin Rhoads — Fri, 28 Feb 2020 04:24:51 GMT

As far as I can tell it's not currently an option on the Catalyst 9300 series as of the latest 17.1 (Amsterdam train) software.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-1/command_reference/b_171_9300_cr/security_commands.html#wp3900897971

Other switches do support it. For example, the Catalyst 3650 with IOS-XE 15.4(1)T or later:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-xe-3se-3650-cr-book/sec-d1-xe-3se-3850-cr-book_chapter_0111.html#wp2111876750

The Cisco feature navigator tool does not return any results for this specific feature:

https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

(searched by both "TACACS" and "AES")

Re: TACACS plus psk encryption

JerryLarson7922 — Fri, 28 Feb 2020 19:26:19 GMT

Hello Marvin ,

Thank you for your response. My network engineer kept searching yesterday and found the following.

(config)#key config-key password-encryption (master key)
(config)#password encryption aes
(config)#tacacs server (server)
(config-server-tacacs)#key (key)

sh run

(TACACS)

tacacs server server name
address ipv4 server IP

key 6 XXXXXXXXXXXXXXXXXXXXXXXXXX ( i made all x's

https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196

Re: TACACS plus psk encryption

Marvin Rhoads — Sat, 29 Feb 2020 02:51:24 GMT

@JerryLarson7922 nice find! Thanks for sharing.

Re: TACACS plus psk encryption

Cristian Matei — Sat, 29 Feb 2020 14:57:48 GMT

Hi,

That's a beautiful solution, but be aware of the following:

- the configured key is NOT stored in the configuration, you just need to remember it, or if you forget it, delete the old one (meantime services will no longer work, cause the clear-text key cannot be decrypted) and add a new one

- there used to be many bugs with this feature, where the device will somehow loose the key after a reboot, thus breaking the services making use of the encrypted keys; use a stable IOS version to avoid such issues.

Regards,

Cristian Matei.