Audit Point picks up Tacacs+ Vulnerability

iagyte
Cisco Employee

Background:

My customer has raised a question based on a vulnerability raised by their security team against TACACS+. The actual audit point was that there is “no integrity checking available and the use of MD5 encryption

  1. This issue was raised as part of a security audit
  2. Question relates to using ACS with TACACS+ feature
  3. Software version is based on ACS 5.4

The security team have also referenced - https://supportforums.cisco.com/t5/aaa-identity-and-nac/how-to-secure-tacacs-authentication/td-p/2735412 and there are some very good points made here.

Has anyone else within the ISE community seen this before?

Is this the recommendation? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210519-Configure-ISE-2-2-IPSEC-to-Secure-NAD-I.html

Thanks..
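To make the audit finding concrete, here is an added example (not from any post in this thread and not Cisco code) that implements the TACACS+ body obfuscation from RFC 8907 Section 4.5 in Python and shows what "no integrity checking" means in practice. The shared secret, session ID, sequence number and the authentication REPLY body are all constructed for the demonstration; the packet layout and constants follow the RFC.

```python
"""
Added example, not from the original thread: a minimal implementation of the
TACACS+ body obfuscation (RFC 8907 section 4.5) and a demonstration of its
malleability.

The body is XORed with a keystream built from MD5 over the shared secret and
per-packet header fields. There is no MAC over the packet, so an on-path party
can flip bits in the obfuscated body without knowing the secret, and the
receiver has no way to detect the change. All inputs below are constructed.
"""
import hashlib
import struct

# Constants from RFC 8907
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per RFC 8907 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    concatenated and truncated to the body length. session_id is 4 bytes in
    network byte order; version and seq_no are one byte each."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream. The same call deobfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_reply(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Authentication REPLY body (RFC 8907 5.2): status(1), flags(1),
    server_msg_len(2), data_len(2), server_msg, data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def tamper_status(obfuscated: bytes, old: int, new: int) -> bytes:
    """On-path modification made without the shared secret: XOR byte 0 of the
    obfuscated body with (old ^ new), so after deobfuscation the status field
    reads `new` instead of `old`. Nothing in the packet lets the receiver notice."""
    return bytes([obfuscated[0] ^ old ^ new]) + obfuscated[1:]


def demo(key: bytes = b"constructed-secret", session_id: int = 0x12345678, seq_no: int = 2):
    """Server sends an authentication FAIL; an on-path party flips it to PASS;
    the client deobfuscates and sees PASS. Returns (sent_status, received_status)."""
    body = authen_reply(TAC_PLUS_AUTHEN_STATUS_FAIL, b"Login invalid")
    wire = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    # Honest round trip: the obfuscation is symmetric.
    assert obfuscate(wire, session_id, key, TAC_PLUS_VERSION, seq_no) == body
    tampered = tamper_status(wire, TAC_PLUS_AUTHEN_STATUS_FAIL, TAC_PLUS_AUTHEN_STATUS_PASS)
    received = obfuscate(tampered, session_id, key, TAC_PLUS_VERSION, seq_no)
    return body[0], received[0]


if __name__ == "__main__":
    sent, got = demo()
    print(f"server sent status 0x{sent:02x} (FAIL), client decoded status 0x{got:02x} (PASS)")
```

The point of the example is that the XOR keystream hides the body from a passive observer who lacks the secret, but it is not authenticated, so an active on-path attacker can change a known-position field without the key. That is the property the audit describes, and it is independent of the ACS version. RFC 8907 itself calls this mechanism obfuscation rather than encryption and expects TACACS+ to run only on a protected management network or over a secured transport, which is why wrapping the control plane in IPsec (as in the ISE document linked above) addresses the finding rather than any change to the protocol itself.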

1 Accepted Solution

Accepted Solutions

Nidhi
Cisco Employee

ACS is end of life.

I would suggest upgrading to ISE 2.X and redoing this test.

In any case, I will forward this observation to the right team to see if anyone is aware of this.

Thanks,

Nidhi


2 Replies


hslai
Cisco Employee

Yes, you are correct that customers may consider IPsec to secure the control-plane communications, in case it is not already protected by other means.