02-22-2018 01:23 AM
Background:
My customer has raised a question based on a vulnerability raised by their security team on TACACS+. The actual audit point was that there is “no integrity checking available and the use of MD5 encryption”.
The security team have also referenced - https://supportforums.cisco.com/t5/aaa-identity-and-nac/how-to-secure-tacacs-authentication/td-p/2735412 and there are some very good points made here.
Has anyone else within the ISE community seen this before?
Is this the recommendation https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210519-Configure-ISE-2-2-IPSEC-to-Secure-NAD-I.html
Thanks.
02-22-2018 11:35 PM
ACS is end of life.
I would suggest upgrading to ISE 2.X and redoing this test.
In any case, I will forward this observation to the right team to see if anyone is aware of this.
Thanks,
Nidhi
02-23-2018 10:26 PM
Yes, you are correct that customers may consider IPSec to secure the control-plane communications, in case not already protected by another means.