I had a chance recently to configure four 9Ks with TACACS, and I found that setting up the key was interesting. I could use type 0 or 7 (encrypted/unencrypted) keys, but the resulting type 7 key didn't look like the normal type 7 encryption, and it didn't decrypt using the normal type 7 tools.
This
tacacs-server key 0 @rb0nn3infra
Gets us this in the config
tacacs-server key 7 "@nf0fn3nfibf"
A "cut and paste" of the same key from a different device as a type 7 did not work with TACACS; it came back as a bad match for the key.
Cut and paste of a valid type 7 key that looks normal and decrypts:
tacacs-server key 7 "052B140D7142405A100B11000A"
Even though the new type 7 key looks wrong, it works with ACS, so I'm assuming Cisco "fixed" the issue of easily decrypting the type 7 passcodes/keys.
Anyone else run into this "feature" yet?
MikeS
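The post contrasts a "normal" type 7 key, which standard tools decode, with the NX-OS output, which they do not. The script below is an added example, not code from the post or from Cisco: it is a small config-audit check that classifies each `tacacs-server key` line, treats standard IOS type 7 tokens as reversible (so a config backup containing one should be handled as if it held the cleartext secret), and reports tokens that do not even have the standard type 7 layout. The fixed obfuscation key it uses is the publicly documented standard IOS type 7 key; the sample config, the hostname and the 192.0.2.10 server address are constructed, and the three key lines are the ones quoted in the post. It makes no claim about how NX-OS produces its string, only that it is not the standard format.

```python
"""Audit Cisco-style config lines for how TACACS shared secrets are stored.

Standard IOS "type 7" is not encryption: it is a fixed-key XOR obfuscation
that any admin tool reverses instantly, so a type 7 key in a config should be
handled like cleartext (backups, tickets, version control). This check flags
cleartext and reversible keys, and separately reports type 7 tokens that do
not have the standard IOS layout at all (the NX-OS string from the post).
"""
import re
from typing import Optional

# Fixed key of the standard IOS type 7 scheme (public and widely documented).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Standard layout: two decimal digits (starting offset into TYPE7_KEY),
# then an even run of hex digits, one byte per character of the secret.
_TYPE7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")

# A "tacacs-server key <type> <token>" line; NX-OS quotes the token, IOS does not.
_KEY_LINE_RE = re.compile(r'^\s*tacacs-server\s+key\s+(\d)\s+"?([^"\s]+)"?\s*$')


def is_standard_type7(token: str) -> bool:
    """True if the token has the standard IOS type 7 shape and a usable offset."""
    m = _TYPE7_RE.match(token)
    return bool(m) and int(m.group(1)) < len(TYPE7_KEY)


def decode_type7(token: str) -> str:
    """Reverse standard IOS type 7 obfuscation; ValueError for non-standard input."""
    m = _TYPE7_RE.match(token)
    if not m or int(m.group(1)) >= len(TYPE7_KEY):
        raise ValueError("not a standard type 7 token: %r" % token)
    offset = int(m.group(1))
    data = bytes.fromhex(m.group(2))
    # Each secret byte is XORed with the key character at (offset + position);
    # wrap around the key for secrets longer than the remaining key.
    return "".join(
        chr(b ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]))
        for i, b in enumerate(data)
    )


def classify_key_line(line: str) -> Optional[dict]:
    """Classify one config line; None if it is not a tacacs-server key line."""
    m = _KEY_LINE_RE.match(line)
    if not m:
        return None
    keytype, token = m.groups()
    finding = {"type": int(keytype), "token": token}
    if keytype == "0":
        finding["status"] = "cleartext"          # entered in the clear
    elif keytype == "7" and is_standard_type7(token):
        finding["status"] = "reversible"         # standard type 7: treat as cleartext
        finding["secret"] = decode_type7(token)
    elif keytype == "7":
        finding["status"] = "nonstandard-type7"  # labelled 7, but not the IOS layout
    else:
        finding["status"] = "unknown-type"
    return finding


def audit_config(config_text: str) -> list:
    """Return one finding dict per key line, each tagged with its line number."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        f = classify_key_line(line)
        if f is not None:
            f["line"] = lineno
            findings.append(f)
    return findings


# Constructed sample config; the three key lines are the ones quoted in the post.
SAMPLE_CONFIG = """\
hostname NX9K-LAB
tacacs-server key 0 @rb0nn3infra
tacacs-server key 7 "@nf0fn3nfibf"
tacacs-server key 7 "052B140D7142405A100B11000A"
tacacs-server host 192.0.2.10
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("line %d: type %d %s" % (f["line"], f["type"], f["status"]))
```

Run as-is, the script reports the `key 0` line as cleartext, the NX-OS `"@nf0fn3nfibf"` line as a non-standard type 7 token (which is why the usual decoders return nothing useful for it), and the `052B14...` line as reversible, recovering `@rb0nn3infra`, the same secret the post entered with `key 0`. The practical takeaway for handling configs is that the "normal" type 7 form gives no more protection than `key 0` did.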