Beginner

Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

Hi All,

I'd just like to confirm my understanding of how encryption is currently done for TACACS+ users in the ISE 2.2 Internal Identity Store:

With reference to this link: http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage…

As mentioned in the document above, only the users' passwords (and not the rest of the fields/columns) in the database are hashed using SHA256 and stored without any cryptographic "salt" component? May I know what the recommended approach is if a customer has an audit compliance requirement that users' passwords have to be hashed and "salted" before being kept in any DB?

Best Regards,

Jimmy
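An added illustration of the salting question raised in the post above (not part of the original thread, and not ISE's own storage code): it contrasts a bare SHA-256 digest with a per-user salted record and includes an audit check that flags accounts sharing an identical stored value. The function names, the sample accounts, and the choice of PBKDF2-HMAC-SHA256 with this iteration count are assumptions made for the example; the thread names no salted scheme.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own policy and hardware

def unsalted_sha256(password: str) -> str:
    """Scheme the post describes: a bare SHA-256 digest with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes = b"",
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored as one record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, _ = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex, bad count
        return False
    return hmac.compare_digest(candidate.encode(), record.encode())

def shared_digests(store: dict) -> list:
    """Audit check: groups of users whose stored values are identical."""
    groups = defaultdict(list)
    for user, stored in store.items():
        groups[stored].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample accounts; two of them share a password.
SAMPLE = {"netops1": "Spring2017!", "netops2": "Spring2017!", "helpdesk": "c0nsole#42"}
UNSALTED_STORE = {u: unsalted_sha256(p) for u, p in SAMPLE.items()}
SALTED_STORE = {u: salted_hash(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("unsalted, identical records:", shared_digests(UNSALTED_STORE))
    print("salted, identical records:  ", shared_digests(SALTED_STORE))
```

With no salt, the two accounts that share a password produce the same stored value, which is what an auditor asking for salted hashes is trying to rule out; with a per-user salt the records differ even though the passwords match.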

Beginner

Re: Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

Just to add on, I've also found this thread: https://cisco.jiveon.com/thread/134207

This kind of adds on additional information to the previous document.

However, it still says that non ISE-admin users' passwords are not salted prior to hashing with the AES128.

May I know whether this is considered acceptable for TACACS+ users' passwords?

Best Regards

Cisco Employee

Re: Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

Enable passwords are stored the same as regular passwords. Please contact our PM if you have additional requirements.

Beginner

Re: Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

Thanks for the response. I'd appreciate it if you could also point me in the right direction to the PM for such matters?

Cisco Employee

Re: Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

I just emailed you separately on this.