3850 FUJI 16.9 code TACACS+ configuration

rb300
Level 1

Does anyone have any advice on the "correct" configuration of TACACS+ on the 3850 series?

I have recently upgraded a switch to 16.9.3 (FUJI) code.

On older switches I would use the following sample to configure TACACS+

aaa new-model

tacacs server ServerA
address ipv4 10.10.10.10
key abcd1234

I am now presented with the following (after the last command, "key abcd1234"):

WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

I have been searching for a "new" syntax for the command but have been unsuccessful.

Cisco documentation from the "Security Configuration Guide, Cisco IOS XE Fuji 16.9.x"

Chapter: Configuring TACACS+
How to Configure Switch Access with TACACS+
Identifying the TACACS+ Server Host and Setting the Authentication Key

This sounded like exactly what I was looking for. But the summary and detailed steps do not include anything for setting the Authentication Key.

"SUMMARY STEPS"
1. enable
2. configure terminal
3. tacacs server server-name
4. address {ipv4 | ipv6} ip-address
5. exit
6. aaa new-model
7. aaa group server tacacs+ group-name
8. server ip-address
9. end
10. show running-config
11. copy running-config startup-config

I appreciate that the old syntax is still accepted, but would like to get the new syntax if possible.

Thanks

19 Replies

Seb Rupik
VIP Alumni

Hi there,

According to the 16.9 documentation the syntax is:

!
aaa new-model
!
tacacs-server host <ip_address>
tacacs-server key <key>
!

...this will set a global key to be used by all defined TACACS servers.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16-9/sec-usr-tacacs-xe-16-9-book/sec-cfg-tacacs.html

cheers,

Seb.

Hi, here is a working one of mine; fill in the xxxs: IP address, key and source interface.

When TACACS is down this will let you in by local username too.

aaa group server tacacs+ xtacacs
 server-private x.x.x.x key xxxxxxxxxxxxxxxxx
 server-private x.x.x.x key xxxxxxxxxxxxxxxxx
 ip tacacs source-interface xxxxxxxxxx
!
aaa authentication login default group xtacacs local enable
aaa authentication enable default group xtacacs enable
aaa authorization exec default group xtacacs local
aaa accounting exec default start-stop group xtacacs
aaa accounting commands 0 default start-stop group xtacacs
aaa accounting commands 1 default start-stop group xtacacs
aaa accounting commands 15 default start-stop group xtacacs
aaa accounting network default start-stop group xtacacs
aaa accounting connection default start-stop group xtacacs
aaa accounting system default start-stop group xtacacs
!
!
!
aaa session-id common
no ip source-route

Thanks Mark

TACACS works OK; my question was more related to the correct syntax for adding the authentication key as part of the server definition, using the newer IOS. Just out of interest, did you get the same message when entering the key as part of the server-private line? On the model I have running 16.9.3 I do.

Hi,
No, because I'm using it under the AAA group, which is the newer method: server-private ... key

Thanks again Mark

With access to the equipment, I completed the suggested:

ENTER_HOSTNAME_HERE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ENTER_HOSTNAME_HERE(config)#do sh run | inc aaa
aaa new-model
aaa session-id common
ENTER_HOSTNAME_HERE(config)#aaa group server tacacs+ xtacacs
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#server-pri
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#server-private 10.10.10.10 key cisco
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#
*Apr 5 06:10:24.799 AEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
*Apr 5 06:10:24.799 AEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

Doesn't surprise me that there are differences between the devices though.

Rob

Hi,

To specify the key with the new AAA server definition format:

tacacs server TEST
 address ipv4 1.1.1.1
 key whatever

Regards,

Cristian Matei.

Thanks Seb

I agree this is what the documentation says, but I still get the message saying that the password 0 method is soon to be deprecated. I'm trying to find the new syntax.

For example, the username command has changed from

username fred privilege 15 password cisco

to

username fred privilege 15 algorithm-type scrypt secret cisco

This sets the password to type 9, not the 7 or 5 you normally see.

I am also having this exact problem with a Cisco ASR920 router running Fuji-16.09.03 and I find myself here at this forum.

Here is a snippet of our config:

aaa group server tacacs+ NETOPS
 server-private <server-ip> key 7 <tacacs-key>
 ip tacacs source-interface GigabitEthernet0

The router is complaining as follows:

WARNING: Command has been added to the configuration using a type 7 password. However, type 7 passwords will soon be deprecated. Migrate to a supported password type

The issue is that there is no configuration option to use a stronger algorithm such as scrypt (like there is for the fallback username and enable passwords).

It is apparent that someone at Cisco has gone as far as implementing the warning message for the TACACS key, but no means to use a better encryption algorithm for the key storage.  I would like to know:

1) If indeed there is another way to configure this now with a better algorithm such as scrypt?

2) If not, when does Cisco plan to provide it?

stewart-ian, I second your questions.  I'm struggling with the same issue on a new 4331 router.  If there is a new way to enter the syntax, that would be my preferred path.  However, I'm not finding any way to do so.

Hi,

Just had a situation a few days back where I changed the syntax as mentioned in the documentation above, but it seems that the other syntax works fine too on 16.9.x.

Peter Paluch
Cisco Employee

Hi everyone,

The warning message displayed when entering a plaintext password for TACACS+ (and RADIUS, and username ... password command) is truly confusing - it seems to suggest that the CLI won't accept plaintext passwords in the future, or that the command syntax will be changing. None of this is true, fortunately :)

What it says is this: At some point in the future, IOS-XE won't store plaintext passwords in running-config or startup-config anymore. It will only store hashed passwords (for authentication purposes when the knowledge of the password plaintext isn't needed anymore) and securely encrypted passwords (for those passwords whose original plaintext still needs to be recoverable). This requires that the password is either already hashed/encrypted at the time you enter it in CLI, or that your switch is configured with strong password encryption so that after you enter the password in plaintext, IOS-XE is immediately able to encrypt it and store in the configuration in the encrypted form. However, IOS-XE will still accept plaintext passwords entered in a CLI, it just won't store them as plaintext in the configuration.

Secure encrypted passwords, also known as Type-6 passwords, can be enabled on the device using the following commands:

configure terminal
key config-key password-encryption
password encryption aes
end

The key config-key password-encryption command will prompt you for a master key that will subsequently be used to encrypt all passwords in the configuration where this encryption is supported, including TACACS+ keys. The encryption of these passwords is then enabled using the password encryption aes command; without this command, the master key may be configured but will not be used to protect the passwords in the configuration.

This is described in a couple of documents out there, including https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html

If you enable the strong password protection using the two commands above, you will not receive the warning after you enter a new TACACS+ key anymore.

Give it a test and please let us know if it worked for you!

Best regards,
Peter
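The warning this thread is about concerns how the TACACS+ key is stored, not whether the CLI accepts it. The script below is an added example (not Cisco's code and not from any poster in the thread): it walks a saved running-config, flags AAA secrets stored as type 0 or type 7, and decodes the type 7 ones using the publicly known type 7 ("service password-encryption") scheme, a two-digit offset into a fixed key string followed by hex bytes XORed with that key. That makes visible what anyone holding a copy of the config gets, and it also shows what the fix above leaves behind: the type 6 and type 9 lines in the constructed sample pass. The function names, the sample config, its addresses and the placeholder type 5/6/9 values are all my own; the placeholders are not real hashes or ciphertext.

```python
"""Audit an IOS / IOS-XE running-config for AAA secrets stored as type 0 or 7.

Added example for this thread, not Cisco code. decode_type7() implements the
publicly known type 7 ('service password-encryption') scheme: a two-digit
offset into a fixed key string, then hex byte pairs XORed with that key.
SAMPLE_CONFIG is constructed; the type 5/6/9 values in it are placeholders.
"""
import re
from typing import List, NamedTuple, Optional

# Cisco's fixed type 7 key stream, identical on every IOS device.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

_VERDICT = {
    0: "type 0: plaintext, readable by anyone who can view the config",
    7: "type 7: reversible XOR, recovered offline in microseconds",
    5: "type 5: MD5 hash, not reversible but weak; migrate to 8/9",
    6: "type 6: AES under the master key (password encryption aes)",
    8: "type 8: PBKDF2-SHA256 hash",
    9: "type 9: scrypt hash",
}

# Top-level commands that carry a secret. Children of 'tacacs server',
# 'radius server' and 'aaa group server' are judged by parent context.
_TOP_LEVEL = {"tacacs-server", "radius-server", "username", "enable"}

SAMPLE_CONFIG = """\
tacacs-server host 10.10.10.10 key cisco
tacacs-server key 7 0822455D0A16
!
tacacs server ServerA
 address ipv4 10.10.10.10
 key 6 PLACEHOLDER_TYPE6_CIPHERTEXT
aaa group server tacacs+ xtacacs
 server-private 10.10.10.11 key 7 03055908025E731F1A
 ip tacacs source-interface Vlan10
username fred privilege 15 password cisco
username admin privilege 15 secret 9 $9$PLACEHOLDER
enable secret 5 $1$PLACEHOLDER
password encryption aes
"""

class Finding(NamedTuple):
    line_no: int
    line: str
    ptype: int
    verdict: str
    plaintext: Optional[str]   # set for type 0 and decodable type 7 only

def decode_type7(encoded: str) -> str:
    """Reverse a type 7 value to its plaintext."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed, body = int(encoded[:2], 10), bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii", "replace")

def _secret_after_keyword(tokens: List[str]):
    """Return (type, value) after the first key/password/secret token, else None."""
    for i, tok in enumerate(tokens):
        if tok in ("key", "password", "secret") and i + 1 < len(tokens):
            rest = tokens[i + 1:]
            if len(rest) >= 2 and rest[0].isdigit():   # explicit 'key 7 <value>'
                return int(rest[0]), rest[1]
            return 0, rest[0]                            # no type keyword = type 0
    return None

def audit_config(config_text: str) -> List[Finding]:
    """Walk the config; indented lines are judged by their enclosing command."""
    findings, parent = [], []
    for n, raw in enumerate(config_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tokens = raw.split()
        if not raw[0].isspace():
            parent, relevant = tokens, tokens[0] in _TOP_LEVEL   # skips 'key config-key ...'
        else:
            relevant = (tokens[0] == "key" and parent[:2] in (["tacacs", "server"], ["radius", "server"])) \
                or (tokens[0] == "server-private" and parent[:3] == ["aaa", "group", "server"])
        found = _secret_after_keyword(tokens) if relevant else None
        if found is None:
            continue
        ptype, value = found
        plaintext = value if ptype == 0 else None
        if ptype == 7:
            try:
                plaintext = decode_type7(value)
            except ValueError:
                pass                                     # malformed type 7: report, do not decode
        findings.append(Finding(n, raw.strip(), ptype, _VERDICT.get(ptype, f"type {ptype}: unknown"), plaintext))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        tag = "WEAK" if f.ptype in (0, 7) else " ok "
        hint = f"  -> {f.plaintext!r}" if f.plaintext else ""
        print(f"[{tag}] line {f.line_no}: {f.line}\n        {f.verdict}{hint}")
```

Run it against the output of show running-config saved to a file (swap SAMPLE_CONFIG for the file contents). Only type 0 and type 7 lines are tagged WEAK, so a box that has been migrated with key config-key password-encryption plus password encryption aes, and whose local users are type 9, produces no weak findings; the parent-context tracking is what keeps the top-level key config-key line itself from being reported as a secret.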

Cheers Peter this answers my question but even better resolves the issue with password-7 encrypted RADIUS secrets!

Having the same issue on 16.12.1 code, and I tried the above solution:

XYZ-2M-32-3850(config)#key config-key password-encrypt
New key:
Confirm key:
XYZ-2M-32-3850(config)#password encryption aes
Master key change notification called without new or old key

XYZ-2M-32-3850(config)#

And as you can see it introduced a different issue for me.  Using DNA Center to push new tacacs config out to devices that respond with something other than prompts requires special formatting in VTL.

Who writes these error messages? Setting the password encryption to AES calls a Master Key Change Notification?

There is no way to set the Master Key in the password encryption statement.

This will break a programmatic configuration push by several different scripting tools, and provides nothing helpful to indicate how to get around it or why the error appears.

Brian S. Turner
CCIE 6145

Worse yet, in 16.9.5 (on 3650s) it looks like you can use "key config-key password-encrypt mypasswordhere" in a script, but it won't work: it won't error, it just won't work, and all keys it generates are still under the old scheme. It only seems to work from the CLI by hand. So to baseline a device, we have to run that command by hand, then we can push out the rest by script.

Even worse, it looks like RADIUS (802.1x/DOT1X) breaks if you do use "password encryption aes" and have FIPS enabled. Oh, you can have type 7 passwords and issue the command, but it will leave them type 7 and it will still work; but when you remove them and re-add them they will become type 6, and will no longer work. When I say they don't work, I mean requests don't even get sent to the RADIUS server anymore. I've packet captured the VLAN traffic from a switch upstream and there is nothing going to ports 1812, 1813, 1645 and 1646 from the device with type 6 RADIUS passwords after the device switches to type 6 RADIUS passwords.

If I remove the "password encryption aes" command, remove the RADIUS server entry with the type 6 passwords and re-add it right back in the exact same way, they go in as type 7 again, and RADIUS works perfectly again.

Randomly, TACACS and SNMP continue to work fine with either type.
