Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

Jimi
Level 1

Hi All,

I'd just like to confirm my understanding of how encryption is currently done for TACACS+ users in the ISE 2.2 Internal Identity Store:

With reference to this link: http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage…

As mentioned in the document above, only the users' passwords (and not the rest of the fields/columns) in the database are hashed using SHA256 and stored without any cryptographic "salt" component? May I know what the recommended approach is if a customer has an audit compliance requirement that users' passwords have to be hashed and "salted" before being kept in any DB?

Best Regards,

Jimmy

4 Replies

Jimi
Level 1

Just to add on, I've also found this thread: https://cisco.jiveon.com/thread/134207

This kind of adds on additional information to the previous document.

However, it still says that non-ISE-admin users' passwords are not salted prior to hashing with AES128.

May I know if this is considered acceptable for TACACS+ users' passwords?

Best Regards
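As an added illustration of the point raised in the two posts above (this is not code from the thread or from Cisco ISE), the following Python snippet shows why an unsalted SHA256 store reveals which users share a password, and contrasts it with a per-user salted, iterated scheme (PBKDF2-HMAC-SHA256, an assumed choice here) of the kind an auditor asking for "salted before hashing" typically expects. The user table is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample table: two TACACS+ users happen to share a password.
USERS = {"alice": "Summer2017!", "bob": "Summer2017!", "carol": "c0rrect-horse"}

ITERATIONS = 100_000  # assumed work factor for the salted scheme


def unsalted_sha256(password: str) -> str:
    """Store model from the question: plain SHA256 of the password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes = b"", iterations: int = ITERATIONS):
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256; returns (salt, hex digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest.hex()


def verify(password: str, salt: bytes, stored_hex: str, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


def shared_digests(table: dict) -> list:
    """Audit check over a {user: digest} table: groups of users whose stored
    digest is identical. With an unsalted store this is exactly the set of
    users who share a password, which a leaked table would expose directly."""
    by_digest = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


if __name__ == "__main__":
    unsalted = {u: unsalted_sha256(p) for u, p in USERS.items()}
    print("unsalted, shared digests:", shared_digests(unsalted))
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    print("salted, shared digests:", shared_digests({u: d for u, (_, d) in salted.items()}))
    salt, digest = salted["alice"]
    print("verify alice:", verify("Summer2017!", salt, digest))
```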

hslai
Cisco Employee

Enable passwords are stored the same as regular passwords. Please contact our PM if you have additional requirements.

Jimi
Level 1

Thanks for the response. I'd appreciate it if you could also point me in the right direction to the PM for such matters?

hslai
Cisco Employee

I just emailed you separately on this.