
iagyte
Cisco Employee

Audit Point picks up Tacacs+ Vulnerability

Background:

My customer has raised a question based on a vulnerability raised by their security team on TACACS+. The actual audit point was that there is “no integrity checking available and the use of MD5 encryption


  1. This issue was raised as part of a security audit
  2. Question relates to using ACS with TACACS+ feature
  3. Software version is based on ACS 5.4

The security team have also referenced - https://supportforums.cisco.com/t5/aaa-identity-and-nac/how-to-secure-tacacs-authentication/td-p/2735412 and there are some very good points made here.

Has anyone else within the ISE community seen this before?

Is this the recommendation? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210519-Configure-ISE-2-2-IPSEC-to-Secure-NAD-I.html

Thanks..
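To make the audit point concrete, here is an added example (not code from the thread, from ACS or from ISE) that implements the TACACS+ body obfuscation as specified in RFC 8907 section 4.5. It shows two things: MD5 is only used to generate an XOR keystream from the shared secret, session id, version and sequence number, so it is obfuscation rather than authenticated encryption; and the packet header carries no MAC or tag, so a receiver that decodes a body altered in transit gets different bytes back with no error at all. That absence of any integrity check is what the IPsec recommendation in the thread addresses. All names, the shared secret and the packet body below are constructed for the illustration.

```python
import hashlib
import struct

# Added example: TACACS+ body obfuscation per RFC 8907, section 4.5.
# Constants are the protocol's; sample values in demo() are constructed.
HEADER_FMT = "!BBBBII"                      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN = 0x01
VERSION_DEFAULT = 0xC0                      # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated, truncated."""
    sid = struct.pack("!I", session_id)
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call undoes it (XOR is symmetric)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, pkt_type: int = TAC_PLUS_AUTHEN,
                 version: int = VERSION_DEFAULT, seq_no: int = 1, unencrypted: bool = False) -> bytes:
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(body))
    data = body if unencrypted else obfuscate(body, session_id, key, version, seq_no)
    return header + data


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Receiver side. Note what is absent: no MAC, no tag, nothing keyed that could be
    verified before the body is used. The length field is the only check available."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def altered_bytes(a: bytes, b: bytes) -> list:
    """Indices at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def demo() -> dict:
    """Round trip, wrong-key decode, and a body altered in transit (constructed values)."""
    key = b"constructed-shared-secret"
    session_id = 0x0A1B2C3D
    body = b"constructed-plaintext-body"
    pkt = build_packet(body, session_id, key)
    roundtrip = parse_packet(pkt, key) == body
    wrong_key_matches = parse_packet(pkt, b"other-secret") == body
    # One byte of the obfuscated body changed in transit (line noise or otherwise).
    # The receiver decodes it without any error; only that byte of plaintext changes.
    damaged = bytearray(pkt)
    damaged[HEADER_LEN + 4] ^= 0x20
    garbled = parse_packet(bytes(damaged), key)
    return {"roundtrip": roundtrip,
            "wrong_key_matches": wrong_key_matches,
            "altered": altered_bytes(body, garbled)}


if __name__ == "__main__":
    print(demo())   # {'roundtrip': True, 'wrong_key_matches': False, 'altered': [4]}
```

The keystream depends only on values visible in the cleartext header plus the shared secret, and the body is XORed against it with no authentication of the result, which is why a transport-level protection such as the IPsec configuration linked above is what gives integrity, not anything inside the TACACS+ packet itself.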

1 ACCEPTED SOLUTION

Accepted Solutions
Nidhi
Cisco Employee

ACS is end of life.

I would suggest upgrading to ISE 2.X and redoing this test.

In any case, I will forward this observation to the right team to see if anyone is aware of this.

Thanks,

Nidhi


2 REPLIES

hslai
Cisco Employee

Yes, you are correct that customers may consider IPsec to secure the control-plane communications, in case they are not already protected by other means.
