03-11-2009 09:48 AM - edited 03-04-2019 03:53 AM
Hi All
In my TACACS config only the TACACS key is displayed in clear text. I have configured "service password-encryption", but the TACACS key is still in clear text.
Is it an IOS bug, or how can we fix this issue?
tacacs-server host *.*.*.* single-connection key 'qullcom"
Regards
KSK
03-11-2009 10:42 AM
KSK
I suspect that you are running an older version of IOS. In older versions the TACACS key was displayed in the clear. At some point (I do not remember for sure at what release) the behavior changed, and if service password-encryption was enabled then the TACACS key was encrypted.
I very much doubt that it is an IOS bug. If I am correct then the only way to get the TACACS key encrypted is to update to a more recent version of IOS.
HTH
Rick
03-11-2009 10:45 PM
I had a similar issue before when deploying TACACS and I can confirm that it is an IOS issue. If I recall correctly, it was versions prior to 12.2 that had the issue of displaying the TACACS key in clear.
03-12-2009 02:13 AM
Dear All,
Thanks to everyone who has given their comments about this issue.
Yes, I checked all devices and found that it's there only in the 12.2 version and prior to this (meaning the key is not encrypted in 12.2 IOS). There is no problem with 12.3 or higher.
I am not sure if it is an IOS bug; can anyone clarify on the same?
KSK
03-12-2009 05:38 AM
Here is my 2c.
What you're seeing is an IOS bug because I am also running IOS version 12.2 and it is working for me:
C3550-lab#sh run | i password-
service password-encryption
C3550-lab#sh run | i tacacs-server
tacacs-server host 192.168.3.10 key 7 0110050D5E18030C
tacacs-server directed-request
C3550-lab#sh flash:
Directory of flash:/
3 -rwx 2964 Feb 3 2009 18:05:08 +00:00 vlan.dat
4 -rwx 322 Mar 11 2009 19:14:47 +00:00 system_env_vars
5 -rwx 12146 Mar 12 2009 12:34:42 +00:00 config.text
6 -rwx 46 Mar 12 2009 12:34:42 +00:00 private-config.text
8 -rwx 7144860 Mar 1 1993 06:10:15 +00:00 c3550-ipservicesk9-mz.122-25.SEE4.bin
7 -rwx 0 Mar 11 2009 19:14:47 +00:00 env_vars
9 -rwx 2072 Mar 12 2009 12:34:42 +00:00 multiple-fs
15998976 bytes total (3850240 bytes free)
C3550-lab#
It is also working on 12.2(15)T17 as well.
Therefore, a logical conclusion is "it is very likely an IOS bug".
03-12-2009 09:40 AM
KSK
Did you not understand my previous explanation that this is not an IOS bug? In earlier releases (like 12.2) the TACACS key was not included in the addresses protected by service password-encryption. IOS 12.2 is behaving just exactly as Cisco intended it to by not encrypting the TACACS key.
If it is important to have the TACACS key be encrypted then you will need to update the IOS version that you are running in those routers.
David
12.2 in the 3550 is quite different from 12.2 in router IOS. I suspect that KSK is looking at routers and not at 3550s.
I remember very clearly in older versions of router IOS that the TACACS key was normally not encrypted.
HTH
Rick
03-12-2009 10:01 AM
Hi,
Thanks for the update.
Could you please paste the link/doc which says that the 12.2 version does not support the TACACS key?
KSK
03-12-2009 12:52 PM
I like to deal with facts and not fiction. From what I am seeing, 12.2 DOES support encryption of the TACACS key:
VXR7204#sh flash:
-#- ED ----type---- --crc--- -seek-- nlen -length- ---------date/time--------- name
1 .. image ECB29DF2 D0A824 25 13543332 Mar 12 2009 13:40:45 +00:00 c7200-ik9s-mz.122-46a.bin
7034844 bytes available (13543460 bytes used)
VXR7204#
VXR7204 uptime is 3 minutes
System returned to ROM by reload at 13:54:00 UTC Thu Mar 12 2009
System image file is "slot0:c7200-ik9s-mz.122-46a.bin"
Last reload reason: Reload command
VXR7204#sh run | i tacacs-server
tacacs-server host 192.168.3.10 key 7 1511080501392E27
tacacs-server directed-request
VXR7204#
03-12-2009 03:03 PM
I experienced this too when I was doing some work on switches (2950/3550) running 12.1(22)EA1, EA2. I initially thought it was an IOS bug (I was looking for reasons to upgrade the IOS to EA12) so after an upgrade and reboot, the keys were finally encrypted.
Then I saw a switch running EA2 IOS and after a reboot, it worked well! Who knows. Maybe the key entered by my colleague was already encrypted (cut-n-paste bandit).
03-13-2009 05:13 AM
The point I am trying to prove here is that IOS version 12.2, on either IOS routers or IOS switches, does encrypt the TACACS key in the configuration, as demonstrated in my previous examples for the Catalyst 3500 switch and VXR7204 router.
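A small configuration audit for the condition debated in this thread (a TACACS key stored in clear text even though service password-encryption is configured). This is an added example, not code from any post here or from Cisco; the sample "show run" lines, hosts and keys are constructed, modelled on the lines quoted above.

```python
import re

# Constructed sample of "show running-config" output, modelled on the
# tacacs-server lines quoted in this thread; hosts and keys are made up.
SAMPLE_CONFIG = """\
service password-encryption
tacacs-server host 192.168.3.10 key 7 0110050D5E18030C
tacacs-server host 192.168.3.11 single-connection key qullcom
tacacs-server host 192.168.3.12 key 0 plaintext-key
tacacs-server directed-request
"""

# Matches "tacacs-server host <addr> [options] key [0|7] <string>".
# The optional "0"/"7" is the IOS key type: 7 means type-7 encoded,
# 0 (or no type at all) means the key is stored in clear text.
TACACS_HOST_RE = re.compile(
    r"^tacacs-server host (?P<host>\S+).*?\s+key\s+"
    r"(?:(?P<type>[07])\s+)?(?P<key>\S+)$"
)


def audit_tacacs_keys(config_text):
    """Return one (host, key_type, verdict) tuple per tacacs-server host
    line that carries a key, so a clear-text key can be spotted whether
    or not service password-encryption is configured."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    encryption_on = "service password-encryption" in lines
    findings = []
    for line in lines:
        m = TACACS_HOST_RE.match(line)
        if not m:
            continue
        key_type = m.group("type")
        if key_type == "7":
            # Type 7 is a reversible obfuscation, not strong encryption,
            # but it is what service password-encryption produces.
            verdict = "type-7 encoded"
        elif encryption_on:
            verdict = "clear text despite service password-encryption"
        else:
            verdict = "clear text"
        findings.append((m.group("host"), key_type, verdict))
    return findings


if __name__ == "__main__":
    for host, key_type, verdict in audit_tacacs_keys(SAMPLE_CONFIG):
        print(f"{host:16} key type {key_type!s:5} {verdict}")
```

Run it over a saved "show running-config" from each device to list which hosts still carry a clear-text key after the encryption service is turned on.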