08-08-2015 08:17 PM - edited 03-10-2019 10:58 PM
Background: I am the technical lead on a project to unite a Fortune 100 company’s routers and switches under a unified Cisco ACS 5.x deployment. This ACS deployment actually was pre-existing and already talks to Active Directory and RSA SecureID. This organization is VERY security aware and has good reason to be but for historical reasons some of the “silos” still use local username/passwords.
Problem: The issue is while the SSH session is AES256 encrypted and the AD connection is AES 256 encrypted the password is sent in clear text inside the TACACS+ packet. Even worse, the TACACS+ packet is "encrypted" by using an MD5 hash of the "secret" and simple XOR. MUCH worse is the fact the secret cannot be kept secret at all since it is stored in plain-text equivalent type-7 in the config*. This means that I have to consider the possibility that any administrator for a particular device can trivially steal the password of any other user who logs in. This is unacceptable and I have to find a solution.
*Yes, I am aware of the Secure Reversible Storage for AAA feature. As of now it is only supported on ISR routers and slated to be initially released to switches sometime in the next 12-18 months. Realistically that means for the next 5 years I will have devices that don’t support it
What I want/need:
I need some way to secure the password (and preferably username but not required) inside the TACACS+ (or RADIUS, I don’t care) portion of the traffic. Cisco’s documentation that they “encrypt” TACACS+ traffic is a bad joke. MAYBE it wasn’t such an issue 20 years ago, but MD5 and clear text secrets are totally not acceptable in 2015 and there must be some way to adequately secure this traffic.
Things I have looked at so far:
<RANT>
NOTE: If someone proves me wrong and is able to show that despite hours of searching documentation and multiple conversations with my account team there is (in currently available IOS) a way to secure the above traffic I will print this rant out and HAPPILY eat it AND post the picture of me doing it!!! And yes I am 100% serious!
At this point I need to vent. I have a dedicated Cisco account team who I highly respect that is DEDICTED to my Company 100%. When I bring this up and ask how to solve this problem all I get back is “Meh”. NO ONE in Cisco seems to care at all and Cisco as a company hasn’t even done the easy stuff to put even a thin veneer of Security on admin logins. To wit:
I really don’t get it that I am the only person who seems to be saying this stuff but partly I blame Cisco. Their document touts how “TACACS encrypts the whole packet” without mentioning the encryption is 20 years old, uses a hash considered trash by today’s standards, the passwords are stored in clear text , and the coup de grace: that once you have the secrets and some traffic Wireshark will give you cleartext passwords all day long!
We are 15 years into the 21’st century and I would have thought we would have gotten past using insecure protocols written when AOL CD’s were a major thing.
</RANT>
09-08-2017 05:23 PM
Hi wvunathans,
Over my past few years with Cisco products, this has constantly been a pain point for me also. The lack of interest in updating old protocols that are vastly insecure - I have yet to find a reason for this and wonder what others are doing to mitigate it. I rarely find an answer. Were you able to now that its been 2 years since your post?
11-17-2017 11:00 AM
07-12-2023 02:03 PM
The TACACS+ RFC8907 was updated in 2020 to clarify the old method as "obfuscation". In the spring of 2022, Cisco submitted a draft update for RFC8907 using TLS and SSH keys. Drafts are only good for 6 months before they expire (fall 2022). I do not know its status or whether Cisco is updating their TACACS+ per that draft.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide