Tacacs key encryption

keith0001111111
Level 1

I am trying to improve the security of some of our switches. One of the things I want to do is change all the TACACS keys' encryption level from type 7 to type 6 (AES).

Some of the switches have the option by default for "tacacs-server key 6 password", whereas other switches only have options 0 and 7 for the encryption level.

Even when I enable AES ("password encryption aes") and set the AES encryption key ("key config-key password-encrypt TestPassword"), I still don't get option 6 for my encryption level.

This is on Version 15.2(4r)E3.

I have the same issue with some other Catalyst switches as well.

Can anyone advise if only some firmware versions support this level of encryption, or if I'm missing something?

thanks,

Keith

2 Replies

ashstavegas
Level 1

Hi. I am also looking for a workaround for this. I'd be interested to hear what the community has done with this. Google didn't find anything!

perkin
Level 1

Hello Keith,

Actually, I had a similar problem recently.
I did some Googling and searched the Cisco community, and it seems I found the solution to this and the reason I may not adopt type 6.
1) Why I may not try AES 256
It seems that AES needs to be encrypted by the master key, which means that you cannot just copy the config and paste it to other devices.
So that might be the problem; even enable secret is not using type 6 but type 9, for a more secure password you can copy.


2) The implementation

It seems to use the key chain concept, encrypting with an AES key before you apply it on the tacacs key command.

Although the example is ISAKMP, with a reasonable guess the logic is the same, I believe.

Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#key config-key password-encrypt testkey123
Router(config)#password encryption aes
Router(config)#^Z
Router#
Router#show running-config
Building configuration...
.....
password encryption aes
...
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 FLgBaJHXdYY_AcHZZMgQ_RhTDJXHUBAAB address 10.1.1.1


https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html


https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196
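As an added example that is not from either poster: before and after a migration like the one discussed above, it helps to audit the running-config for which TACACS key storage types are actually in use. The script below (my own, not Cisco's) parses a constructed config excerpt, reports whether "password encryption aes" is enabled, and flags type 0 and type 7 keys that should be re-entered as type 6; the sample key strings and server names are made up.

```python
import re

# Constructed running-config excerpt (not from the thread): the legacy global
# "tacacs-server" form, the newer "tacacs server" block form, and AES enabled.
SAMPLE_CONFIG = """\
password encryption aes
tacacs-server host 10.0.0.5 key 7 ABCDEF0123456789
tacacs-server key 6 EXAMPLE_TYPE6_BLOB_NOT_REAL
tacacs server ISE-1
 address ipv4 10.0.0.6
 key 0 PlainTextKey
radius server RAD-1
 key 7 0123456789ABCDEF
"""

# Matches "tacacs-server [host X] key N ..." and an indented "key N ..." line.
KEY_RE = re.compile(r"^(?P<indent>\s*)(?:tacacs-server(?: host \S+)? )?key (?P<type>\d) \S+")

# Type 0 is stored in the clear, type 7 is the reversible legacy scheme, and
# type 6 is AES keyed by the "key config-key password-encrypt" master key.
VERDICTS = {"0": "cleartext", "7": "weak (type 7)", "6": "ok (type 6 AES)"}

def audit_tacacs_keys(config_text):
    """Return (aes_enabled, findings); findings are (line_no, key_type, verdict)."""
    aes_enabled = False
    in_tacacs_block = False
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if not line.startswith(" "):
            # A non-indented line starts a new top-level command or block.
            in_tacacs_block = line.startswith("tacacs server ")
        if line.strip() == "password encryption aes":
            aes_enabled = True
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        # Indented "key" lines count only inside a "tacacs server" block;
        # radius server and key chain blocks also carry "key" lines.
        if m.group("indent") and not in_tacacs_block:
            continue
        if not m.group("indent") and not line.startswith("tacacs-server"):
            continue
        ktype = m.group("type")
        findings.append((n, ktype, VERDICTS.get(ktype, "unknown type")))
    return aes_enabled, findings

def weak_keys(config_text):
    """Only the keys that should be re-entered once type 6 storage is available."""
    _, findings = audit_tacacs_keys(config_text)
    return [f for f in findings if f[1] in ("0", "7")]

if __name__ == "__main__":
    aes, found = audit_tacacs_keys(SAMPLE_CONFIG)
    print("password encryption aes:", "enabled" if aes else "NOT enabled")
    for n, ktype, verdict in found:
        print(f"line {n}: key type {ktype} -> {verdict}")
```

Feed it "show running-config" output captured from each switch to get a per-device list of keys still stored as type 0 or 7.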
