cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1508
Views
3
Helpful
4
Replies

Encryption for TACACS+ user passwords inside ISE2.2's Internal Identity Store

Jimi
Beginner
Beginner

Hi All,

I'll just like to confirm that my understanding of how encryption is currently done for TACACS+ users in ISE 2.2 Internal Identity Store:

With reference to this link: http://pmbuwiki.cisco.com/Products/ISE/Technical/Security#How_is_information_encrypted_in_ISE_for_local_Identity_Storage…

As mentioned in the document above, only the users' passwords (and not the rest of the fields/columns) in the database are hashed using SHA256 and stored without any cryptography "salt" component? May I know what is the recommended approach if customer has an audit compliance requirement that users' passwords have to be hashed and "salted" before kept on any DB?

Best Regards,

Jimmy

4 Replies 4

Jimi
Beginner
Beginner

Just to add on, I've also found this thread: https://cisco.jiveon.com/thread/134207

This kind of adds on additional information to the previous document.

However, it still says that non ISE-admin users' passwords are not salted prior to hashing with the AES128.

May I know is this considered acceptable for TACACS+ users' passwords?

Best Regards

hslai
Cisco Employee
Cisco Employee

Enable passwords are stored the same as regular passwords. Please contact our PM if you have additional requirements.

Jimi
Beginner
Beginner

Thanks for response. Appreciate if you could also point me in the right direction to the PM for such matters?

hslai
Cisco Employee
Cisco Employee

I just emailed you separately on this.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers