TACACS plus psk encryption

JerryLarson7922
Level 1

We are trying to convert or move away from our TACACS+ level 7 psk to a stronger encryption method. We have been searching documents and have not come up with an answer. We are testing this on Cisco cat 9300 switches. Can anybody shed light on this for us on the 9300 platform?

thanks, 

4 Replies

Marvin Rhoads
Hall of Fame

As far as I can tell it's not currently an option on the Catalyst 9300 series as of the latest 17.1 (Amsterdam train) software.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-1/command_reference/b_171_9300_cr/security_commands.html#wp3900897971

Other switches do support it. For example, the Catalyst 3650 with IOS-XE 15.4(1)T or later:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-xe-3se-3650-cr-book/sec-d1-xe-3se-3850-cr-book_chapter_0111.html#wp2111876750

The Cisco feature navigator tool does not return any results for this specific feature:

https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

(searched by both "TACACS" and "AES")

Hello Marvin,

Thank you for your response. My network engineer kept searching yesterday and found the following. 

(config)#key config-key password-encryption (master key)
(config)#password encryption aes
(config)#tacacs server (server)
(config-server-tacacs)#key (key)

sh run

(TACACS)

tacacs server server name
address ipv4 server IP
key 6 XXXXXXXXXXXXXXXXXXXXXXXXXX (I made all x's)


https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196
@JerryLarson7922 nice find! Thanks for sharing.

Hi,

That's a beautiful solution, but be aware of the following:

- the configured key is NOT stored in the configuration, you just need to remember it, or if you forget it, delete the old one (meanwhile services will no longer work, because the clear-text key cannot be decrypted) and add a new one

- there used to be many bugs with this feature, where the device will somehow lose the key after a reboot, thus breaking the services making use of the encrypted keys; use a stable IOS version to avoid such issues.

Regards,

Cristian Matei.
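An added example (Python, not from this thread or from Cisco) that audits a saved "show run" for the key types discussed in the replies above: it flags TACACS+ server keys still stored as type 0 or type 7 and type 6 keys configured without the global "password encryption aes" line. The sample config is constructed with placeholder key strings; as noted above, the master key itself is never written to the configuration, so its presence cannot be checked from this output.

```python
import re

# Constructed sample 'show run' excerpt for this example (not from the thread);
# the key strings are made-up placeholders, not real ciphertext.
SAMPLE_RUN = """\
password encryption aes
tacacs server TAC-LEGACY
 address ipv4 192.0.2.10
 key 7 PLACEHOLDER7
tacacs server TAC-NEW
 address ipv4 192.0.2.11
 key 6 PLACEHOLDER6
tacacs server TAC-PLAIN
 address ipv4 192.0.2.12
 key 0 plaintextkey
"""

SERVER_RE = re.compile(r"^tacacs server\s+(\S+)")
KEY_RE = re.compile(r"^\s+key\s+(?:(\d)\s+)?(\S+)")

def parse_tacacs_keys(config_text):
    """Map each 'tacacs server' block to its key type: 0 = clear text, 7 = reversible
    obfuscation, 6 = AES (needs 'password encryption aes' plus a master key that is
    never written to the config), None = no key line found."""
    servers, current = {}, None
    for line in config_text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = None
        elif not line.startswith(" "):
            current = None          # any non-indented line ends the block
        elif current is not None:
            k = KEY_RE.match(line)
            if k:                   # 'key <value>' without a type is type 0
                servers[current] = int(k.group(1)) if k.group(1) else 0
    return servers

def audit(config_text):
    """Return (server, finding) pairs for keys that should be migrated or fixed."""
    aes_on = any(l.strip() == "password encryption aes" for l in config_text.splitlines())
    findings = []
    for name, ktype in parse_tacacs_keys(config_text).items():
        if ktype is None:
            findings.append((name, "no key configured"))
        elif ktype in (0, 7):
            findings.append((name, f"type {ktype} key is recoverable from the config; migrate to type 6"))
        elif ktype == 6 and not aes_on:
            findings.append((name, "type 6 key without 'password encryption aes'"))
    return findings
```

Run it against a full "show run" capture; a type 6 key only appears once the master key and "password encryption aes" are both in place, so a missing global line is a sign the migration is incomplete.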
