Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

235
Views
0
Helpful
2
Replies
iagyte
Cisco Employee
Cisco Employee
‎02-22-2018 01:23 AM
‎02-22-2018 01:23 AM

Audit Point picks up Tacacs+ Vulnerability

Background:

My customer has raised a question based on a vulnerability raised by their security team on TACACS+.  The actual audit point was that there is “no integrity checking available and the use of MD5 encryption

 

  1. This issue was this raised as part of a security audit
  2. Question relates to using ACS with TACACS+ feature
  3. Software version is based on ACS 5.4

The security team have also referenced - https://supportforums.cisco.com/t5/aaa-identity-and-nac/how-to-secure-tacacs-authentication/td-p/2735412 and there are some very good points made here.

Has anyone else within the ISE community see this before?

Is this the recommendation https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210519-Configure-ISE-2-2-IPSEC-to-Secure-NAD-I.html

Thanks..

0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Nidhi
Cisco Employee
Cisco Employee
‎02-22-2018 11:35 PM
‎02-22-2018 11:35 PM

ACS is end of life.

I would suggest upgrading to ISE 2.X and redoing this test.

in any case I will forward this observation to the right team to see if anyone is aware of this .

Thanks,

Nidhi

View solution in original post

0 Helpful
2 REPLIES 2
Nidhi
Cisco Employee
Cisco Employee
‎02-22-2018 11:35 PM
‎02-22-2018 11:35 PM

ACS is end of life.

I would suggest upgrading to ISE 2.X and redoing this test.

in any case I will forward this observation to the right team to see if anyone is aware of this .

Thanks,

Nidhi

View solution in original post

0 Helpful
hslai
Cisco Employee
Cisco Employee
‎02-23-2018 10:26 PM
‎02-23-2018 10:26 PM

Yes, you are correct that customers may consider IPSec to secure the control-plane communications, in case not already protected by another means.

0 Helpful
Latest Contents
Cisco and Radware - Securing your digital future
Created by Kelli Glass on 04-21-2021 05:16 PM
0
0
0
0
  Application Protection, Availability & Security Join our webinar May 6th to gain valuable industry insights into the most recent application cyber attacks and to understand the potential impact bot traffic is having on your business. Lear... view more
Cisco Wants your Feedback on the Secure Firewall Management ...
Created by caiharve on 04-21-2021 04:36 PM
0
0
0
0
Review the Cisco Secure Firewall Management Center (formally named "Firepower Management Center") on TrustRadius and receive a $25 gift card!     
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
1
10
1
10
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
2
5
2
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
Content for Community-Ad