09-16-2022 01:52 AM
We have a security finding that SNMP and LDAP credentials can be extracted in clear text from the configuration dump file, but when I try to download the file, the system asks me to either mask or encrypt the passwords. Not sure if there is any KB or article from Cisco.
09-18-2022 06:54 PM
The mask option is simply going to change passwords into asterisks, like we see on Cisco switches. On the other hand, the encrypt option, as the name says, encrypts the password, which again can only be decrypted by the ESA.
Here's a config snippet:
Mask password
<ldap>
<ldap_server>
<ldap_server_name>LabAD</ldap_server_name>
<ldap_server_port>389</ldap_server_port>
<ldap_server_hostname>X.X.X.X</ldap_server_hostname>
<ldap_server_type>ad</ldap_server_type>
<ldap_server_pass>*****</ldap_server_pass>
</ldap_server>
</ldap>
Encrypt password
<ldap>
<ldap_server>
<ldap_server_name>LabAD</ldap_server_name>
<ldap_server_port>389</ldap_server_port>
<ldap_server_hostname>X.X.X.X</ldap_server_hostname>
<ldap_server_type>ad</ldap_server_type>
<ldap_server_pass>8dH+PEfzkHCS+KARBtogTmb+LHQU/WSqrJNqjypVwE0LieqoPHGjus78GsCNFEWG</ldap_server_pass>
</ldap_server>
</ldap>
09-18-2022 11:49 PM
Thank you! Can we consider that the configuration file will NOT have passwords in plain text?
09-19-2022 06:55 PM
That is correct, the config file will not have passwords saved in plain text in the newer versions. In the older versions, i.e. 11.X and older, there was an additional option called "plain text passwords" during configuration file download, which was removed in the newer versions.
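As an added example (not from this thread or from Cisco), a small audit script that parses a saved configuration dump and reports, for each credential-bearing element, whether the value is masked, looks encrypted, or is still in clear text, which is what the original security finding was about. The element names follow the snippets above; the sample dump, the list of credential element names and the base64-style heuristic for encrypted values are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dump modelled on the thread's <ldap> snippets (all values made up).
SAMPLE_DUMP = """<config>
  <ldap>
    <ldap_server>
      <ldap_server_pass>*****</ldap_server_pass>
    </ldap_server>
    <ldap_server>
      <ldap_server_pass>8dH+PEfzkHCS+KARBtogTmb+LHQU/WSqrJNqjypVwE0LieqoPHGjus78GsCNFEWG</ldap_server_pass>
    </ldap_server>
    <ldap_server>
      <ldap_server_pass>Summer2022!</ldap_server_pass>
    </ldap_server>
  </ldap>
  <snmp>
    <snmp_community>public</snmp_community>
  </snmp>
</config>"""

# Element names assumed to carry a credential; extend for your own dump.
SECRET_HINTS = ("pass", "secret", "community")
MASKED = re.compile(r"^\*+$")                          # output of the mask option
ENCRYPTED = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # base64-like blob, heuristic only

def classify(value):
    # 'masked', 'encrypted' or 'plaintext' for one credential value
    if MASKED.match(value):
        return "masked"
    if ENCRYPTED.match(value):
        return "encrypted"
    return "plaintext"

def audit(xml_text):
    # Depth-first walk in document order; returns (element path, classification),
    # never the credential value itself, so the report is safe to share.
    findings = []
    stack = [(ET.fromstring(xml_text), "")]
    while stack:
        elem, parent = stack.pop()
        path = f"{parent}/{elem.tag}"
        if any(h in elem.tag.lower() for h in SECRET_HINTS):
            value = (elem.text or "").strip()
            if value:
                findings.append((path, classify(value)))
        stack.extend((child, path) for child in reversed(list(elem)))
    return findings

def plaintext_paths(xml_text):
    # Elements where the dump still holds a clear-text credential
    return [p for p, kind in audit(xml_text) if kind == "plaintext"]
```

A long password made only of base64 characters would be reported as encrypted by this heuristic, so treat the script as a first pass over a dump, not as proof that no clear-text credential remains.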