Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2471
Views
2
Helpful
8
Replies

C1000 not allowing password encryption for TACACS Configuration

TJ-20933766
Spotlight
Spotlight

‎06-21-2023 05:42 PM

In IOS-XE, there is a command that allows you to encrypt the TACACS+ and RADIUS keys to Type 6 so you don't get the annoying alert about using deprecated password types. When I worked on a C1000 today (which is not using IOS-XE), I did not see the commands to allow for entering the encryption key:

Switch(config)# password encryption aes
Switch(config)# key config-key password-encrypt

Is there some other way of encrypting the TACACS/RADIUS passwords on the C1000?

Model: Catalyst 1000-24P-4G-L
Firmware: 15.2.7E6(MD) - released 29-Sep-2022

3 people had this problem
Labels:
0 Helpful
8 Replies 8

Cisco_Virtual_Engineer
Level 3
Level 3

‎06-28-2023 08:17 AM

In the context provided, you can use the command "key [0 | 6 | 7] string" to specify the shared secret type and string used between the device and the RADIUS server. Key 0, 6, and 7 indicate cleartext password, type 6 encryption, and type 7 encryption respectively. If the key is configured as type 7 then a valid type 7 encrypted string should also be configured. Similarly, a valid type 6 encrypted string should follow key type 6. The commands you mentioned are not discussed in this context, but the "key" command should allow you to encrypt your TACACS and RADIUS passwords.

Here is an example of how you might use the command:


Device(config-radius-server)# key 6 cisco123


This sets the encryption type to 6 and uses "cisco123" as the shared secret between the device and the RADIUS server.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
0 Helpful

TJ-20933766
Spotlight
Spotlight
In response to Cisco_Virtual_Engineer

‎06-28-2023 05:20 PM

That is not how that command works. When you specify the number 6 after the word "key", you must enter a password that is already encrypted using the type 6 encryption.

C3560-CX-CORE(config-radius-server)#key ?
  0     Specifies an UNENCRYPTED key will follow
  6     Specifies ENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNCRYPTED (cleartext) shared key

If you try to enter "cisco123" as you have in your example, you will get an error:

C3560-CX-CORE(config-radius-server)#key 6 cisco123
Invalid type-6 encrypted password: cisco123
% Invalid encrypted key: cisco123

 It appears that you have to encrypt the password on a device that does allow you to encrypt the passwords and then paste the result into the C1000 config. It's a shame that this model doesn't allow you to do it natively "on the box"

MHM Cisco World
VIP
VIP
In response to TJ-20933766

‎06-28-2023 05:26 PM

You are totally right' I already run lab to check this case I will update you when find solution.

Thanks

MHM

0 Helpful

Romel
Level 1
Level 1

‎02-01-2024 03:34 AM

Has anyone found a solution to this issue? I am struggeling with the same problem.

0 Helpful

TJ-20933766
Spotlight
Spotlight

‎02-01-2024 06:52 AM

Romel, hopefully you have higher end switches available. The only solution I see is to:

  1. Run the commands from my initial post on something like a Catalyst 9300 switch (possibly any switch running IOS-XE)
  2. Type the RADIUS or TACAC+ configuration into the C9300 which will automatically turn the password into a type 6 (because of the commands you typed from step 1)
  3. Copy & paste the type 6 RADIUS/TACACS+ password  from the C9300's running configuration into the C1000

Disclaimer: I have not tried this as I don't have the hardware available to me at this time to test this thoroughly but anyone else that can test this, I would love to get your feedback as to if this works.

0 Helpful

IHR
Level 1
Level 1
In response to TJ-20933766

‎02-16-2024 02:18 AM

Hello,

I tried that approach and it doesn't work. It throws an error stating the encrypted key is not valid.

I assume that, since you haven't defined the passphrase to create such encryption, the system is not able to understand the encrypted password. If there's a hardcoded passphrase that encrypts type 6, this approach might work if we used that key.

BR,

0 Helpful

wkamil123
Level 1
Level 1

‎02-21-2024 10:11 AM

Hello,

The command password encryption aes is not available on C1000 platform because the symmetric AES keys are not supported.

The device supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.

I have the same issue with that log message

"WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type"

Regards  Kamil

Casey B
Level 1
Level 1

‎05-27-2024 07:19 PM

Hi, as long as you have "password encryption aes" configured , when you configure your tacacs key, you can use key 0 or 7, and it should be updated by the router with key 6 as long as AES is working ( you need to also set the encryption key that the router will use to encrypt your clear txt passwords with, key config-key password encrypt <password>)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card