Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
281
Views
0
Helpful
2
Replies

ISE Store User Password During TACACS+ with LDAP? Encryption Details

ISENAC1122
Level 1
Level 1

‎06-18-2025 06:52 AM

I have question about how Cisco ISE handles user passwords during TACACS+ authentication when LDAP is used as the external identity source.

From what I understand, ISE forwards the user credentials to the LDAP server for authentication — but does it store the password locally on the ISE server during that process?

  • Is the password just held temporarily in RAM, or is it written anywhere to disk?

  • If it's stored in memory, does anyone know what kind of encryption or protection (e.g., SHA-256 or other) is used?

Thanks in advance.

0 Helpful
2 Replies 2

Aref Alsouqi
VIP
VIP

‎06-19-2025 02:11 AM - edited ‎06-19-2025 02:13 AM

Those are good questions and I don't know definite answers to them. However, I don't believe ISE stores the passwords locally on the disk for those users that are authenticated against an external identity source. Instead, ISE stores locally the users' credentials of its local users and it does protect them with hashing and encryption.

In your case we have two parts of transmitting the credentials, once between the network device and ISE and that will be over TACACS protocol which encrypts the payload, and then we have a transmission that would happen between ISE and the AD over LDAP. LDAP by default doesn't encrypt the payload which means those credentials will be passing in clear text over the wire.

@thomas@Jason Kunst, or @Arne Bier might add more comments on this.

0 Helpful

Arne Bier
VIP
VIP
In response to Aref Alsouqi

‎06-19-2025 06:02 PM

I think that only an ISE Developer can tell you this kind of detail.

Not sure if you mean the LDAP password to BIND to the directory, or the user password that is compared against an object in the LDAP directory? When you configure the LDAP external identity source in ISE, you must enter the bind credentials in clear text - there is no way around that. What the app does with that string is hopefully to encrypt it, and then store it somewhere in the Oracle Database (most likely) which is where a lot of the ISE config lives.

As for the end client user password - that should most certainly NOT be stored on the disk (or logged in clear text) - I think only the ISE developers would tell you how that data flows through ISE. You'd hope they would take extra care with sensitive data, and free/cleanse the memory structures after the function has completed.

0 Helpful
Customers Also Viewed These Support Documents