
Cisco ACS 5.7 Usernames for devices appear to be case insensitive ?

Vic de
Level 1

Hi,

I was wondering if anyone could advise on the following issue.

We have implemented Cisco ACS 5.7 and have noticed that the usernames for the routers etc. are authorised regardless of case sensitivity.

In other words, if you had a user on the system known as Mike, the ACS authorises the user if he enters MIke or MIKE.

Can anyone please advise on this, as it appears to be a backward step in security, or am I missing a setting on the ACS?

Many Thanks

1 Reply

Nadav
Level 7

Hi,

If you are using LDAP integration, then naturally since LDAP is case-insensitive for account names then it stands to reason that the username is case-insensitive. For AD integration, SMB can be either case-sensitive or not depending on configuration, but is usually case-insensitive to a certain complexity. It is then up to the authentication server (ACS) to decide how to treat the access-request. 

Therefore this isn't much of a security trade-off from a username brute-force perspective, since the underlying infrastructure operates as case-insensitive.

From what I can tell in the first versions of ACS 5.x, the server decided that authentication would be performed case-insensitive and authorization would be case-sensitive. I suppose that at some point along the way Cisco changed this. Take a look at:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtk64903/?referring_site=bugquickviewredir

P.S.  Local usernames within Cisco equipment can be made to be case-sensitive using the local-case keyword within aaa commands.
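
The `local-case` keyword mentioned in the reply above, shown as an added example that is not part of the original thread. The username, the placeholder secret and the use of `group tacacs+` as the primary method are assumptions made for illustration.

```cisco
! Constructed IOS configuration fragment (hypothetical username, placeholder secret).
aaa new-model
!
! Local account used when the AAA servers cannot be reached.
username Mike privilege 15 secret <PLACEHOLDER-SECRET>
!
! Before: the local fallback matches usernames without regard to case,
! so "MIKE" or "mike" would match the "Mike" entry above.
! aaa authentication login default group tacacs+ local
!
! After: the local fallback compares the username case-sensitively.
aaa authentication login default group tacacs+ local-case
```

The keyword only governs the device's own username database. Requests forwarded to the AAA server are still matched however that server and its identity store treat case.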
