Solved: Re: ISE and Oracle DB with Hash Passwords

gugonza2 · ‎02-04-2019

Hi,

I have an Oracle DB with Usernames and Password Hashes stored.

I would like to configure ISE using ODBC to authenticate users using Oracle DB.

- Is ISE able to check credentials if Oracle has password hashes only ?

- ISE would calculate the password hash and will compare with Oracle DB ?

Thanks in Advance.

howon · ‎02-04-2019

It can be hashed in the table, but stored procedure for retrieving the password has to be able to reverse it to plain text password. IOW, ISE will not do the calculation, rather you have to make the stored procedure call in the DB to do that for ISE.

View solution in original post

howon · ‎02-04-2019

It can be hashed in the table, but stored procedure for retrieving the password has to be able to reverse it to plain text password. IOW, ISE will not do the calculation, rather you have to make the stored procedure call in the DB to do that for ISE.

gugonza2 · ‎02-04-2019

Thx, but it´s not easy revert hash to plain text.

Checking the ISE documentation I found;

"Plain Text Password fetching from ODBC database Credential Check: If the username is found, its password and relevant user information is returned by the stored procedure. Cisco ISE calculates the password hash based on the authentication method and compares it with the one received from the client."

Any comment ?

howon · ‎02-04-2019

Yes, exactly. ISE needs to see the password for it to process the authentication. ISE can't simply compare hash from the client to the DB directly ATM. So the answer is still no it can't be done unless password is presented to ISE in clear text.

gugonza2 · ‎02-04-2019

Ok, Thanks for the clarification.