
Is it possible to HASH the LDAP Password in Cisco ASA

rakshit jethva
Level 1

Hello,

We have a Cisco ASA 5555 with the LDAP configuration below.

aaa-server aaa-radius-rsa (inside) host 10.0.0.1
key TEST123
aaa-server aaa-ldap-test protocol ldap
aaa-server aaa-ldap-test (inside) host 10.0.0.1
server-port 636
ldap-base-dn OU=TEST,DC=TEST,DC=PI,DC=TEST,DC=TEST,DC=TEST,DC=TEST,DC=COM
ldap-scope subtree
ldap-naming-attribute userPrincipalName
ldap-login-password PASSWORD_NO_HASH
ldap-login-dn TEST@TEST.COM
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map UserAllowDial

Can anyone let me know whether we can HASH LDAP KEY (TEST123) and ldap-login-password (PASSWORD_NO_HASH)?



Hi @rakshit jethva 

The ASA supports the following SASL mechanisms, listed in order of increasing strength:

  • Digest-MD5—The ASA responds to the LDAP server with an MD5 value computed from the username and password.

  • Kerberos—The ASA responds to the LDAP server by sending the username and realm using the GSSAPI Kerberos mechanism.

I don't believe it is possible, at least not with a personal computer.

I will check if the ASA supports LDAP over SSL.

FPR supports it.

LDAP over SSL makes your connection secure.

rakshit jethva
Level 1

Thanks. We have an audit and they want to know whether it is possible to encrypt the password, as it is now saved as CLEAR TEXT.

@rakshit jethva enable password encryption - https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/general/asa-916-general-config/basic-hostname-pw.html

and the password can be saved as a type 8 password. Type 8 passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), SHA-256

Did you use enable password encryption? If yes and it still shows clear text, then check the bug below:
Cisco Bug: CSCse41071 - ldap-login-password not hidden in config
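For the audit question in this thread, a small check that scans an ASA configuration dump for aaa-server secrets still stored in clear text and reports whether password encryption is enabled. This is an added example, not code from Cisco or from anyone in the thread; it assumes that an encrypted secret carries a trailing "encrypted" keyword and that a masked secret appears as "*****", and the sample configuration is constructed from the original post.

```python
import re

# Constructed sample modelled on the thread's configuration; not a real device dump.
SAMPLE_CONFIG = """\
aaa-server aaa-radius-rsa (inside) host 10.0.0.1
 key TEST123
aaa-server aaa-ldap-test protocol ldap
aaa-server aaa-ldap-test (inside) host 10.0.0.1
 server-port 636
 ldap-login-password PASSWORD_NO_HASH
 ldap-login-dn TEST@TEST.COM
 ldap-over-ssl enable
aaa-server aaa-ldap-other (inside) host 10.0.0.2
 ldap-login-password 3a4b5c6d7e8f encrypted
"""

# The two aaa-server commands the original poster asked about.
SECRET_COMMANDS = ("key", "ldap-login-password")


def password_encryption_enabled(config_text):
    """True if the global 'password encryption aes' command is present."""
    return any(line.strip() == "password encryption aes"
               for line in config_text.splitlines())


def find_cleartext_secrets(config_text):
    """Return (line_no, command, value) for every aaa-server secret that is
    neither marked 'encrypted' (assumed suffix) nor masked as '*****'."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in SECRET_COMMANDS:
            continue
        value = parts[1]
        if parts[-1] == "encrypted" or re.fullmatch(r"\*+", value):
            continue
        findings.append((line_no, parts[0], value))
    return findings


def audit(config_text):
    """Summary a reviewer can attach to an audit finding."""
    return {
        "password_encryption_enabled": password_encryption_enabled(config_text),
        "cleartext_secrets": find_cleartext_secrets(config_text),
    }


if __name__ == "__main__":
    for line_no, cmd, value in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: '{cmd}' stored in clear text ({value})")
    print("password encryption aes:", password_encryption_enabled(SAMPLE_CONFIG))
```

Run it against the output of `more system:running-config`, which is where the clear-text values show up, rather than `show running-config`, which masks them.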
