TACACS configuration clarification

3iron
Level 1

Hi,

 

I have been reading through the following tacacs configuration guide;

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_tacacsplus.html#71793

 

Example configuration is provided as follows;

tacacs-server key 7 "ToIkLhPpG"
tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"

 

I'm having a bit of trouble with this. According to the document, key ( 7 ) indicates an encrypted key will follow but the preshared key supplied looks to be plain text. It's also "quoted" but I did not think quotes were escape characters and in this example would form part of the string?

 

Should this not read;

tacacs-server key 0 ToIkLhPpG
tacacs-server host 10.10.2.2 key 0 ShMoMhTl

 

Or am I missing something?

 

Thanks

Ben

 

1 Accepted Solution

Accepted Solutions

ngkin2010
Level 7
Hi,

>>> tacacs-server key 7 "ToIkLhPpG"
>>> tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"

"ToIkLhPpG" and "ShMoMhTl" are the encrypted string, not the plain text.

5 Replies

Hi ngkin2010

 

OK thanks for the confirmation. Mixed up IOS and NXOS. I understand NXOS uses AES to encrypt the key?

 

Cheers

Ben

Hi 3iron,

I am not sure which encryption algorithm is used for type 7 password in NX-OS, but it's not AES encryption.

Type 6 password is encrypted by AES encryption, which requires a user-defined master key and the AES encryption feature enabled.

Hi,
Type 7 uses a Vigenere cipher that was cracked years ago and is considered insecure.
As noted, Type 6 password uses AES encryption; it is considerably more secure than Type 7.

HTH

Many thanks ngkin2010 and RJI for taking the time to reply to this - much appreciated.
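
An added example, not part of any post in this thread and not Cisco code: a small Python audit that finds `tacacs-server ... key` lines in a saved configuration and grades each by the key-type digit the replies discuss (0, 7, 6), without storing the secret. The function name, the severity labels, the sample lines for hosts 10.10.2.3 and 10.10.2.4, and the treatment of double quotes as delimiters rather than key material are assumptions made for illustration.

```python
import re
import shlex

# Key-type digit -> (storage format, audit severity), per the thread above.
KEY_TYPES = {
    "0": ("cleartext", "FAIL"),
    "7": ("Type 7 reversible obfuscation", "WARN"),
    "6": ("Type 6 AES", "OK"),
}

# Matches both the global form and the per-host form of the command.
KEY_LINE = re.compile(
    r"^tacacs-server\s+(?:host\s+(?P<host>\S+)\s+)?key\s+(?P<type>\d+)\s+(?P<rest>.+)$"
)

# Constructed sample: lines 1-2 are the thread's examples, lines 3-4 are made up.
SAMPLE_CONFIG = '''\
tacacs-server key 7 "ToIkLhPpG"
tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"
tacacs-server host 10.10.2.3 key 0 ShMoMhTl
tacacs-server host 10.10.2.4 key 6 "CONSTRUCTED-TYPE6-PLACEHOLDER"
'''

def audit_tacacs_keys(config_text):
    """Return one finding per tacacs-server key line; the secret itself is never stored."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        m = KEY_LINE.match(raw.strip())
        if not m:
            continue
        try:
            # Assumption: double quotes delimit the string and are not key material.
            secret = shlex.split(m.group("rest"))[0]
        except (ValueError, IndexError):
            secret = ""  # unbalanced quote or empty value
        fmt, severity = KEY_TYPES.get(m.group("type"), ("unknown type", "REVIEW"))
        if not secret:
            severity = "REVIEW"  # value could not be parsed; needs a human look
        findings.append({
            "line": lineno,
            "scope": m.group("host") or "global",
            "format": fmt,
            "severity": severity,
            "secret_len": len(secret),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_tacacs_keys(SAMPLE_CONFIG):
        print(finding)
```
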
