Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

09-03-2017 02:47 AM
Hi All,
I'd just like to confirm my understanding of how encryption is currently done for TACACS+ users in the ISE 2.2 Internal Identity Store:
With reference to this link: http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage…
As mentioned in the document above, is it the case that only the users' passwords (and not the rest of the fields/columns) in the database are hashed using SHA256 and stored without any cryptographic "salt" component? May I know the recommended approach if a customer has an audit compliance requirement that users' passwords be hashed and "salted" before being kept in any DB?
Best Regards,
Jimmy
Labels: Identity Services Engine (ISE)

09-03-2017 08:29 AM
Just to add on, I've also found this thread: https://cisco.jiveon.com/thread/134207
This adds some information to the previous document.
However, it still says that non-ISE-admin users' passwords are not salted prior to hashing with AES128.
May I know whether this is considered acceptable for TACACS+ users' passwords?
Best Regards
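Added example (not from this thread, and not Cisco ISE code; it says nothing about how ISE actually stores credentials): the two storage schemes the posts above contrast, side by side. `unsalted_sha256` is a bare SHA-256 of the password, as the question describes; `salted_pbkdf2` is a salted, iterated PBKDF2-HMAC-SHA256 record with a random per-user salt and a constant-time verifier. `duplicate_hash_groups` is the check an auditor can run against a DB dump: with an unsalted store, users who share a password share a stored value, and one precomputed table cracks all of them. The usernames and passwords are constructed sample data, and the iteration count is an assumption for this example, not an ISE setting.

```python
"""Unsalted SHA-256 vs salted PBKDF2-HMAC-SHA256 password storage.

Added example for this thread; it is not ISE code and does not reflect how ISE
stores anything. Credentials below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample identity store: alice and bob happen to share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Cisco123!",
    "bob": "Cisco123!",
    "carol": "S3cure-tacacs",
}

# Assumption for this example only (not an ISE parameter): PBKDF2 work factor.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """Bare SHA-256 of the password: the scheme the question describes.

    Deterministic: every user with the same password gets the same digest, and a
    precomputed table of common-password digests cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash as a self-describing record:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>

    A fresh 16-byte random salt per user makes identical passwords store
    differently and forces an attacker to work on each record separately.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: %s" % scheme)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_groups(stored: Dict[str, str]) -> List[Set[str]]:
    """Group users whose stored values are byte-identical.

    This is exactly what a dump of an unsalted store leaks (and what an auditor
    will test for); a salted store yields no groups.
    """
    by_value: Dict[str, Set[str]] = {}
    for user, value in stored.items():
        by_value.setdefault(value, set()).add(user)
    return sorted((g for g in by_value.values() if len(g) > 1), key=min)


def compare_schemes(users: Dict[str, str],
                    iterations: int = PBKDF2_ITERATIONS) -> Dict[str, List[Set[str]]]:
    """Build both stores for the same users and report duplicate groups in each."""
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}
    salted = {u: salted_pbkdf2(p, iterations=iterations) for u, p in users.items()}
    return {"sha256": duplicate_hash_groups(unsalted),
            "pbkdf2": duplicate_hash_groups(salted)}


if __name__ == "__main__":
    report = compare_schemes(SAMPLE_USERS, iterations=10_000)
    print("users sharing an unsalted digest:", report["sha256"])  # [{'alice', 'bob'}]
    print("users sharing a salted digest:  ", report["pbkdf2"])   # []
    rec = salted_pbkdf2(SAMPLE_USERS["carol"])
    print(rec)
    print("verify carol:", verify_pbkdf2("S3cure-tacacs", rec),
          "wrong password:", verify_pbkdf2("nope", rec))
```

The record format carries its own salt and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day. If the compliance requirement is specifically about the vendor's store rather than something you control, this only shows what to ask the vendor for: a per-record random salt and a slow, iterated hash, not a bare digest.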
09-11-2017 11:20 AM
Enable passwords are stored the same as regular passwords. Please contact our PM if you have additional requirements.

09-27-2017 09:30 AM
Thanks for the response. I would appreciate it if you could also point me in the right direction to the PM for such matters.
09-27-2017 12:51 PM
I just emailed you separately on this.
