02-22-2018 01:23 AM
Background:
My customer has raised a question based on a vulnerability raised by their security team on TACACS+. The actual audit point was that there is “no integrity checking available and the use of MD5 encryption”
The security team have also referenced - https://supportforums.cisco.com/t5/aaa-identity-and-nac/how-to-secure-tacacs-authentication/td-p/2735412 and there are some very good points made here.
Has anyone else within the ISE community seen this before?
Is this the recommendation? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210519-Configure-ISE-2-2-IPSEC-to-Secure-NAD-I.html
Thanks..
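To make the audit finding concrete, the following is an added example (not code from this thread, from Cisco, or from ISE/ACS) that implements the TACACS+ body obfuscation as specified in RFC 8907 section 4.5: the body is XORed with a keystream built from chained MD5 digests of the session id, shared secret, version and sequence number. The 12-byte header carries only a length field and no authentication tag, so the receiver's only possible check is framing. The sample body, session id and shared secret are constructed values; the last function corrupts one byte of the obfuscated body and shows that the receiver still accepts the packet, which is the "no integrity checking" point the security team raised and the reason IPsec is suggested for the NAD-to-ISE path.

```python
import hashlib
import struct

# TACACS+ header, RFC 8907 section 4.1: version, type, seq_no, flags,
# session_id, length. Twelve bytes, and no MAC or checksum field at all.
HEADER_FORMAT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)  # 12
FLAG_UNENCRYPTED = 0x01
VERSION_12_0 = 0xC0  # major version 0xC, minor version 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5.

    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})
    The digests are concatenated and truncated to the body length.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


deobfuscate = obfuscate


def build_packet(body, session_id, key, seq_no, version=VERSION_12_0, ptype=0x01):
    """Frame one packet. The header states the body length and nothing that
    would let the peer verify the body was not altered in transit."""
    header = struct.pack(HEADER_FORMAT, version, ptype, seq_no, 0x00,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def receive_packet(packet, key):
    """Everything a receiver can verify: the length field matches the body.
    A body corrupted or altered on the wire de-obfuscates without any error."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FORMAT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("length mismatch")  # the only check available
    if flags & FLAG_UNENCRYPTED:
        return body
    return deobfuscate(body, session_id, key, version, seq_no)


def corruption_demo(body, session_id, key, seq_no, position):
    """Flip one byte of the obfuscated body in transit and show that the
    receiver accepts the packet and returns a silently changed plaintext."""
    packet = bytearray(build_packet(body, session_id, key, seq_no))
    packet[HEADER_LEN + position] ^= 0xFF
    recovered = receive_packet(bytes(packet), key)
    changed = [i for i, (a, b) in enumerate(zip(body, recovered)) if a != b]
    return {"accepted": True, "changed_positions": changed}


if __name__ == "__main__":
    # Constructed sample values; not a real capture or a real shared secret.
    sample_body = bytes(range(40))
    sample_session = 0x0A0B0C0D
    sample_secret = b"example-shared-secret"
    print(corruption_demo(sample_body, sample_session, sample_secret, 1, 7))
```

The shared secret only feeds the keystream; nothing binds it to the body as a MAC would, so a transport-level protection such as IPsec between the network device and the ISE node is what adds integrity, and the obfuscation should be treated as privacy against casual observation rather than as encryption.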
02-22-2018 11:35 PM
ACS is end of life.
I would suggest upgrading to ISE 2.X and redoing this test.
In any case, I will forward this observation to the right team to see if anyone is aware of this.
Thanks,
Nidhi
02-23-2018 10:26 PM
Yes, you are correct that customers may consider IPSec to secure the control-plane communications, in case not already protected by another means.