cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
13511
Views
75
Helpful
18
Replies
rb300
Beginner

3850 FUJI 16.9 code TACACS+ configuration

Does anyone have any advice of the "correct" configuration of TACACS+ on the 3850 series.

I have recently upgraded a switch to 16.9.3 (FUJI) code.

On older switches I would use the following sample to configure TACACS+

aaa new-model

tacacs server ServerA
address ipv4 10.10.10.10
key abcd1234

I am now presented with (after the last command "key abcd1234")

WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

I have been searching for a "new" syntax for hte command but have been unseccesful.

Cisco documentation from the "Security Configuration Guide, Cisco IOS XE Fuji 16.9.x"

Chapter: Configuring TACACS+
How to Configure Switch Access with TACACS+"
Identifying the TACACS+ Server Host and Setting the Authentication Key

This sounded exactly what I was looking for. But the summary and detailed steps do not include anything for setting the Authentication Key

"SUMMARY STEPS"
1. enable
2. configure terminal
3. tacacs server server-name
4. address {ipv4 | ipv6 } ip address
5. exit
6. aaa new-model
7. aaa group server tacacs+ group-name
8. server ip-address
9. end
10. show running-config
11. copy running-config startup-config

I appreciate that the old syntac is still accepted, but would like to get the new syntax if possible.

 

Thanks

18 REPLIES 18
Seb Rupik
VIP Advisor

Hi there,

According to the 16.9 documentation the syntax is:

!
aaa new-model
!
tacacs-server host <ip_address>
tacacs-server key <key>
!

...this will set a global key to be used by all defined TACACS servers.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16-9/sec-usr-tacacs-xe-16-9-book/sec-cfg-tacacs.html

 

cheers,

Seb.

 

hi working one off mine , fill in the xxxs , ip address,  key and source interface

when tacacs is down this will let you in by local username too

 

aaa group server tacacs+ xtacacs
 server-private x.x.x.x key xxxxxxxxxxxxxxxxx
 server-private x.x.x.x key xxxxxxxxxxxxxxxxx
 ip tacacs source-interface xxxxxxxxxx
!
aaa authentication login default group xtacacs local enable
aaa authentication enable default group xtacacs enable
aaa authorization exec default group xtacacs local
aaa accounting exec default start-stop group xtacacs
aaa accounting commands 0 default start-stop group xtacacs
aaa accounting commands 1 default start-stop group xtacacs
aaa accounting commands 15 default start-stop group xtacacs
aaa accounting network default start-stop group xtacacs
aaa accounting connection default start-stop group xtacacs
aaa accounting system default start-stop group xtacacs
!
!
!
aaa session-id common
no ip source-route

Thanks Mark

 

TACACS works OK, my question was more related to rhe correct syntax for adding the authentication key as part of the server definition, using the newer IOS. Just out of interest did you get the same message when entering the key as pary of the server-private line? On the model I have running 16.9.3 I do.

Hi
no because im using it under the AAA which is the newer method , server private ....... key

Thanks again Mark

With access to the equipment, I completed the suggested:

 

ENTER_HOSTNAME_HERE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ENTER_HOSTNAME_HERE(config)#do sh run | inc aaa
aaa new-model
aaa session-id common
ENTER_HOSTNAME_HERE(config)#aaa group server tacacs+ xtacacs
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#server-pri
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#server-private 10.10.10.10 key cisco
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#
*Apr 5 06:10:24.799 AEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
*Apr 5 06:10:24.799 AEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

 

Doesnt surprise me that there are differences between the devices though.

 

Rob

Hi,

 

    To specify the key with the new AAA server definition format:

 

tacacs server TEST

 address ipv4 1.1.1.1 

 key whatever

 

Regards,

Cristian Matei.

Thanks Seb

I agree this is what the documentation says, but i still get the message saying that the password 0 method is soon to be deprecated. Im trying to find the new syntax.

for example the username command has changed from

username fred privelge 15 password cisco

to

username fred privelege 15 authentication-key scrypt secret cisco

this sets the passwords to type 9, not the 7 or 5 you normally see.

I am also having this exact problem with a Cisco ASR920 router running Fuji-16.09.03 and I find myself here at this forum.

 

Here is a snippet of our config:

 

aaa group server tacacs+ NETOPS
 server-private <server-ip> key 7 <tacacs-key>
 ip tacacs source-interface GigabitEthernet0

 

The router is complaining as follows:

WARNING: Command has been added to the configuration using a type 7 password. However, type 7 passwords will soon be deprecated. Migrate to a supported password type

 

The issue is that there is no configuration option to use a stronger algorithm such as scrypt (like there is for the fallback username and enable passwords).

 

It is apparent that someone at Cisco has gone as far as implementing the warning message for the TACACS key, but no means to use a better encryption algorithm for the key storage.  I would like to know:

 

1) If indeed there is another way to configure this now with a better algorithm such as scrypt?

2) If not, when does Cisco plan to provide it?

 

 

stewart-ian, I second your questions.  I'm struggling with the same issue on a new 4331 router.  If there is a new way to enter the syntax, that would be my preferred path.  However, I'm not finding any way to do so.

Peter Paluch
Hall of Fame Cisco Employee

Hi everyone,

The warning message displayed when entering a plaintext password for TACACS+ (and RADIUS, and username ... password command) is truly confusing - it seems to suggest that the CLI won't accept plaintext passwords in the future, or that the command syntax will be changing. None of this is true, fortunately :)

What it says is this: At some point in the future, IOS-XE won't store plaintext passwords in running-config or startup-config anymore. It will only store hashed passwords (for authentication purposes when the knowledge of the password plaintext isn't needed anymore) and securely encrypted passwords (for those passwords whose original plaintext still needs to be recoverable). This requires that the password is either already hashed/encrypted at the time you enter it in CLI, or that your switch is configured with strong password encryption so that after you enter the password in plaintext, IOS-XE is immediately able to encrypt it and store in the configuration in the encrypted form. However, IOS-XE will still accept plaintext passwords entered in a CLI, it just won't store them as plaintext in the configuration.

Secure encrypted passwords, also known as Type-6 passwords, can be enabled on the device using the following commands:

configure terminal
key config-key password-encryption
password encryption aes
end

The key config-key password-encryption command will prompt you for a master key that will subsequently be used to encrypt all passwords in the configuration where this encryption is supported, including TACACS+ keys. The encryption of these passwords will be the enabled using the password encryption aes command - without this command, the master key may be configured but will not be used to protect the passwords in the configuration.

This is described in a couple of documents out there, including https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html

If you enable the strong password protection using the two commands above, you will not receive the warning after you enter a new TACACS+ key anymore.

Give it a test and please let us know if it worked for you!

Best regards,
Peter

Cheers Peter this answers my question but even better resolves the issue with password-7 encrypted RADIUS secrets!

Having the same issue on 16.12.1 code, and I tried the above solution : 

 

 

XYZ-2M-32-3850(config)#key config-key password-encrypt
New key:
Confirm key:
XYZ-2M-32-3850(config)#password encryption aes
Master key change notification called without new or old key

XYZ-2M-32-3850(config)#

 

 

And as you can see it introduced a different issue for me.  Using DNA Center to push new tacacs config out to devices that respond with something other than prompts requires special formatting in VTL.

 

Who writes these error messages?  Setting the password encryption to AES calls a Master Key Change Notification ? 

There is no way to set the Master Key in the password encryption statement

 

This will break a programmatic configuration push by several different scripting tools, and provides nothing helpful to indicate how to get around it or why the error appears.

 

Brian S. Turner
CCIE 6145

Worse yet, in 16.9.5 (on 3650s) it looks like you can use "key config-key password-encrypt mypasswordhere" in a script, but it won't work, it won't error, it just won't work, and all keys it generates are still under the old scheme, it only seems to work from the CLI by hand.  So to baseline a device, we have to run that command by hand, then we can push out the rest by script.

 

Even worse, it looks like RADIUS (802.1x/DOT1X) breaks if you do use "password encryption aes" and have FIPS enabled, oh you can have type 7 passwords and issue the command, but it will leave them type 7 and it will still work, but when you remove them and re-add them they will become type 6, and will no longer work. When I say they don't work, I mean requests don't even get sent to the RADIUS server anymore. I've packet captured the VLAN traffic from a switch upstream and there is nothing going to port 1812, 1813, 1645, and 1646 from the device with type 6 RADIUS passwords after the device switches to type 6 RADIUS passwords.

If I remove the "password encryption aes", command, remove the RADIUS server entry with the type 6 passwords and re-add it right back in the exact same way, they go in as type 7 again, and RADIUS works perfect again.

 

Randomly TACACS and SNMP continue to work fine with either type.

Peter Paluch
Hall of Fame Cisco Employee

Hello @hemmerling,

I sincerely suspect that if the key config-key password-encrypt works only when entered by hand, and not from script, then there are very likely some extra characters coming in from the script that become a part of the master key. It may be a whitespace, or it may be different newline characters from what is expected and sufficient for IOS CLI (such as CRLF instead of just CR).

Can you double-check the script and play a little with the newline setting? There is a difference between \r (CR), \f (LF), and \n (which may translate to CRLF, CR, LF or something even more different depending on the default OS type where you run the script). Cisco IOS CLI should be fine with CR but please try out different options. Also, make sure that you do not pass any whitespace right after the password to the command.

I'd love to hear back from you.

Best regards,
Peter