Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

Hi All,

I would just like to confirm my understanding of how encryption is currently done for TACACS+ users in the ISE 2.2 Internal Identity Store:

With reference to this link: http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage…

As mentioned in the document above, only the users' passwords (and not the rest of the fields/columns) in the database are hashed using SHA256 and stored without any cryptographic "salt" component? May I know what the recommended approach is if a customer has an audit compliance requirement that users' passwords have to be hashed and salted before being kept in any DB?

Best Regards,

Jimmy

4 Replies

Just to add on, I've also found this thread: https://cisco.jiveon.com/thread/134207

This adds some additional information to the previous document.

However, it still says that non-ISE-admin users' passwords are not salted prior to hashing with AES128.

May I know whether this is considered acceptable for TACACS+ users' passwords?

Best Regards
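
The two posts above both turn on the same point: what an unsalted hash costs a defender, and what "hashed and salted" buys. The following is example code added to this thread to illustrate that difference; it is not ISE's implementation and says nothing about how ISE actually stores credentials. The usernames, passwords and the mini wordlist are constructed, and the salted scheme (PBKDF2-HMAC-SHA256 with a 16-byte random salt and 600,000 iterations) is an assumed choice for the demonstration, not a setting taken from the product.

```python
"""Unsalted SHA-256 vs. per-user salted PBKDF2 for stored passwords.

Example code written for this thread; it is not ISE's implementation.
Users, passwords and the wordlist below are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed sample user store: alice and bob happen to share a password.
SAMPLE_USERS = {
    "alice": "Summer2017!",
    "bob": "Summer2017!",
    "carol": "c0rrect-h0rse-battery",
}

# Constructed mini wordlist standing in for an attacker's precomputed table.
WORDLIST = ["password", "Welcome1", "Summer2017!", "cisco123"]


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256 of the password: the scheme the question describes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; it works against every unsalted store."""
    return {unsalted_sha256(w): w for w in words}


def crack_unsalted(stored_hashes, table):
    """Recover every password whose unsalted hash appears in the table."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# Assumed parameters for the salted scheme (PBKDF2-HMAC-SHA256, 16-byte salt).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def hash_salted(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt + slow KDF, serialised as algo$iters$salt$dk."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def main():
    # Unsalted: identical passwords collide, and one table cracks every user.
    unsalted = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted: alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted: cracked via lookup table:",
          crack_unsalted(unsalted, build_lookup_table(WORDLIST)))

    # Salted: same password, different digests; a table must be rebuilt per user.
    salted = {u: hash_salted(p) for u, p in SAMPLE_USERS.items()}
    print("salted: alice and bob share a hash:", salted["alice"] == salted["bob"])
    print("salted: bob's password verifies:", verify_salted("Summer2017!", salted["bob"]))
    print("salted: wrong password verifies:", verify_salted("Summer2018!", salted["bob"]))


if __name__ == "__main__":
    main()
```

The first half shows why an auditor asks for salting: with an unsalted hash, two accounts with the same password are visibly the same row, and a single precomputed table recovers all of them at once. The second half shows what the salted form changes: the attacker must redo the work for every user, and the iteration count makes each attempt slow. Whether ISE's internal store can be configured that way is exactly what the thread is asking Cisco, and this example does not answer it.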


Enable passwords are stored the same as regular passwords. Please contact our PM if you have additional requirements.


Thanks for the response. I would appreciate it if you could also point me in the right direction to the PM for such matters.


I just emailed you separately on this.
