This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I'll just like to confirm that my understanding of how encryption is currently done for TACACS+ users in ISE 2.2 Internal Identity Store:
As mentioned in the document above, only the users' passwords (and not the rest of the fields/columns) in the database are hashed using SHA256 and stored without any cryptography "salt" component? May I know what is the recommended approach if customer has an audit compliance requirement that users' passwords have to be hashed and "salted" before kept on any DB?
Just to add on, I've also found this thread: https://cisco.jiveon.com/thread/134207
This kind of adds on additional information to the previous document.
However, it still says that non ISE-admin users' passwords are not salted prior to hashing with the AES128.
May I know is this considered acceptable for TACACS+ users' passwords?
Enable passwords are stored the same as regular passwords. Please contact our PM if you have additional requirements.
Thanks for response. Appreciate if you could also point me in the right direction to the PM for such matters?