Keys do not change from clear text to key 6th

Greetings Gents,

I have this IOS 15.2(7)E3 running on 2960X.

I have set:

(config)#key config-key password-encrypt ***
(config)#password encryption aes

However, my tacacs and radius keys do not get encrypted using 'key 6', like in this example. They are still shown in clear-text.

Configure the Encrypt Pre-shared Keys in Cisco IOS Router - Cisco

Could you please advise what else I am missing.

Thanks,

Edouard.


Milos_Jovanovic
VIP Alumni

Hi @EdouardZorrilla0939,

I believe you'll need the command 'service password-encryption' (although I don't have a switch next to me to be sure). Also, if I remember correctly, this command might not encrypt your already configured passwords, and you'll have to retype them.

What I do remember is that you need to remember/save the password used in 'key config-key password-encrypt XXX', as you won't be able to restore the configuration later without it (in terms of password recovery).

BR,

Milos

Hi Milos,

The password-type 7 is weak, and I am looking to use password-type 6 using AES as encryption.

tacacs server ABC
 address ipv4 1.1.1.1
 key cisco123

I need to encrypt the tacacs's key in our 2960x, but I can't.

I will open a ticket with Cisco TAC tomorrow.

Regards,

Edouard.

Hi Marvin,

Thanks for sharing this information. I have the following IOS version:

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E3, RELEASE SOFTWARE (fc3)

However, the command syntax "tacacs server key 6 key-name" is not available.

Best regards,

Edouard.

That's odd. It should work according to the documentation. Can you open a TAC case on it?

Hello guys. I can confirm, it doesn't work.

I created a master key, then encrypted them via aes - at least tried to - but the clear text stays. Copy doesn't work either, although the same master key is used.

Has somebody already opened a TAC case? I'm really tired of opening new cases; I already have some regarding other issues.

I've opened a case with Cisco TAC and I will update you guys when I have meaningful information.

Did you end up getting a response? I'm looking to do the same. That is, to move my weak type 7 passwords in the tacacs server commands to type 6.
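
An added example, not part of any post in this thread and not Cisco code: a small Python check that reads a saved running-config and reports, for each `tacacs server` / `radius server` block, whether its key is stored as clear text, type 7 or type 6, without ever returning the key itself. The sample config and its key values are constructed placeholders; it assumes sub-commands are indented under the server block and that `password encryption aes` is shown as a top-level line.

```python
import re

# Constructed sample running-config (not from the thread's switch). Key values
# are placeholders. Assumes sub-commands are indented under each server block.
SAMPLE_CONFIG = """\
password encryption aes
tacacs server ABC
 address ipv4 1.1.1.1
 key cisco123
tacacs server DEF
 address ipv4 192.0.2.10
 key 7 <type7-placeholder>
radius server RAD1
 address ipv4 192.0.2.20
 key 6 <type6-placeholder>
"""

SERVER_RE = re.compile(r"^(tacacs|radius) server (\S+)\s*$")
# Optional single-digit type, then the key material (which is never returned).
KEY_RE = re.compile(r"^\s+key\s+(?:([0-9])\s+)?\S")
KEY_TYPES = {None: "cleartext", "0": "cleartext", "6": "type6", "7": "type7"}

def audit_keys(config_text):
    """Return (protocol, server_name, key_type) for every server key found."""
    results, current = [], None
    for line in config_text.splitlines():
        server = SERVER_RE.match(line)
        if server:
            current = (server.group(1), server.group(2))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
        elif current:
            key = KEY_RE.match(line)
            if key:
                results.append((*current, KEY_TYPES.get(key.group(1), "other")))
    return results

def weak_keys(config_text):
    """Server keys that are not stored as type 6."""
    return [r for r in audit_keys(config_text) if r[2] != "type6"]

def aes_enabled(config_text):
    """True if 'password encryption aes' appears as a top-level command."""
    return any(l.rstrip() == "password encryption aes" for l in config_text.splitlines())

if __name__ == "__main__":
    print("password encryption aes:", aes_enabled(SAMPLE_CONFIG))
    for proto, name, ktype in weak_keys(SAMPLE_CONFIG):
        print(f"{proto} server {name}: key stored as {ktype}")
```

Run against a config export after enabling AES encryption, a non-empty `weak_keys` result shows which server keys were left in clear text or type 7 and still need attention.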
