Background:
My customer has raised a question based on a vulnerability raised by their security team on TACACS+. The actual audit point was that there is “no integrity checking available and the use of MD5 encryption”
The security team have also referenced - https://supportforums.cisco.com/t5/aaa-identity-and-nac/how-to-secure-tacacs-authentication/td-p/2735412 and there are some very good points made here.
Has anyone else within the ISE community seen this before?
Is this the recommendation: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210519-Configure-ISE-2-2-IPSEC-to-Secure-NAD-I.html ?
Thanks..
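To make the audit point concrete, here is an added Python example (not part of the original post, not Cisco code) that implements the publicly documented TACACS+ body obfuscation from RFC 8907 section 4.5 on a constructed, loopback-only packet. The shared secret, session id and user names are constructed values. It shows the two properties the security team flagged: the body is only XORed with an MD5-derived pseudo-pad, and because no MAC or checksum exists, a body altered in transit deobfuscates and parses with no error. Wrapping the TCP/49 traffic in IPsec (as the linked ISE document describes) is what adds the missing integrity protection.

```python
import hashlib
import struct

# RFC 8907 section 4.5: every TACACS+ body is XORed with a pseudo-random pad
# built from MD5 over (session_id, key, version, seq_no). No field in the
# packet authenticates the body, which is exactly the audit finding.
def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Return `length` bytes of pseudo-pad: MD5_1 || MD5_2 || ... per RFC 8907."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()  # MD5_n = MD5(prefix || MD5_{n-1})
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the operation is its own inverse."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


deobfuscate = obfuscate  # XOR with the same pad recovers the cleartext body


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                       action: int = 1, priv_lvl: int = 1, authen_type: int = 1,
                       service: int = 1) -> bytes:
    """Constructed authentication START body using the RFC 8907 section 5.1 layout."""
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_authen_start(body: bytes) -> dict:
    """Parse a START body. Only the length fields can be checked; nothing detects tampering."""
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user = body[off:off + ulen]
    off += ulen
    port = body[off:off + plen]
    off += plen
    rem_addr = body[off:off + rlen]
    off += rlen
    data = body[off:off + dlen]
    if len(body) != off + dlen:
        raise ValueError("length fields do not match body length")
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def demo() -> dict:
    # Constructed values only; no real shared secret or live session is involved.
    key = b"example-shared-secret"
    session_id, version, seq_no = 0x1A2B3C4D, 0xC0, 1
    body = build_authen_start(b"alice", b"tty0", b"192.0.2.10", b"")

    wire = obfuscate(body, session_id, key, version, seq_no)
    roundtrip = deobfuscate(wire, session_id, key, version, seq_no)

    # Simulate a single corrupted byte in transit (first byte of the user field).
    corrupted = bytearray(wire)
    corrupted[8] ^= 0x01
    received = deobfuscate(bytes(corrupted), session_id, key, version, seq_no)
    parsed = None
    try:
        parsed = parse_authen_start(received)
        silently_accepted = True
    except ValueError:
        silently_accepted = False
    return {
        "roundtrip_ok": roundtrip == body,
        "wire_differs_from_body": wire != body,
        "corrupted_body_parses": silently_accepted,  # True: the protocol cannot notice
        "corrupted_user": parsed["user"] if silently_accepted else None,
    }


if __name__ == "__main__":
    print(demo())
```

The receiver in this simulation has no way to distinguish the corrupted body from a genuine one; only the length fields are checked, and they were untouched. That is why the finding is mitigated at a lower layer (IPsec between NAD and ISE) rather than by any TACACS+ setting.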
ACS is end of life.
I would suggest upgrading to ISE 2.X and redoing this test.
In any case, I will forward this observation to the right team to see if anyone is aware of this.
Thanks,
Nidhi
Yes, you are correct that customers may consider IPSec to secure the control-plane communications, in case not already protected by another means.