Audit Point picks up Tacacs+ Vulnerability

iagyte
Cisco Employee

Background:

My customer has raised a question based on a vulnerability raised by their security team on TACACS+. The actual audit point was that there is “no integrity checking available and the use of MD5 encryption”.


  1. This issue was raised as part of a security audit
  2. Question relates to using ACS with TACACS+ feature
  3. Software version is based on ACS 5.4

The security team have also referenced - https://supportforums.cisco.com/t5/aaa-identity-and-nac/how-to-secure-tacacs-authentication/td-p/2735412 and there are some very good points made here.

Has anyone else within the ISE community seen this before?

Is this the recommendation? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210519-Configure-ISE-2-2-IPSEC-to-Secure-NAD-I.html

Thanks..
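To make the audit point concrete, here is an added example (not from the original post or from Cisco) that implements the TACACS+ body obfuscation from RFC 8907 section 4.5: the body is XORed with a keystream of chained MD5 digests over session_id, shared key, version and seq_no. Because it is a plain XOR with no MAC, a receiver that de-obfuscates a byte-flipped packet gets a changed body and no error, which is exactly the "no integrity checking" finding and why the thread points at IPsec for the control plane. The secret, session id and body are constructed values.

```python
import hashlib


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    concatenated and truncated to the body length."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes,
              version: int = 0xC0, seq_no: int = 1) -> bytes:
    """body XOR pseudo_pad. The same call de-obfuscates: there is no MAC or
    authentication tag, so nothing is left for the receiver to verify."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


deobfuscate = obfuscate  # XOR with the same keystream


def flip_byte(wire: bytes, index: int, mask: int = 0x01) -> bytes:
    """Constructed wire-level corruption, used only to show the receiver cannot notice it."""
    return wire[:index] + bytes([wire[index] ^ mask]) + wire[index + 1:]


def changed_positions(a: bytes, b: bytes) -> list:
    """Indexes where two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # Constructed sample values; real bodies are binary TACACS+ fields.
    SECRET = b"constructed-shared-secret"
    SESSION = 0x1A2B3C4D
    body = b"authen START, user=alice, port=tty0"
    wire = obfuscate(body, SESSION, SECRET)
    assert deobfuscate(wire, SESSION, SECRET) == body
    # One flipped bit on the wire becomes one flipped bit in the recovered
    # body, with no error raised: there is no integrity field to check.
    damaged = deobfuscate(flip_byte(wire, 7), SESSION, SECRET)
    print("bytes changed, no error reported:", changed_positions(body, damaged))
```

The MD5 here is a keystream generator, not a checksum; an audit that reads "MD5 encryption" as integrity protection is mistaken, which is why the finding stands and a transport-layer control such as IPsec is the usual answer.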

Accepted Solution

Nidhi
Cisco Employee

ACS is end of life.

I would suggest upgrading to ISE 2.X and redoing this test.

In any case I will forward this observation to the right team to see if anyone is aware of this.

Thanks,

Nidhi


2 Replies


hslai
Cisco Employee

Yes, you are correct that customers may consider IPSec to secure the control-plane communications, in case not already protected by another means.
