On the NetProfiler / Flow Gateway, go to Configuration -> Account Management -> Remote Authentication and select the TACACS+ tab:
Use the “test” button for the configured server. If the test fails, perform the following:
Test that the configured server is reachable by pinging it from the CLI.
Ensure the TACACS+ port (port 49 by default) is open.
On the profiler:
tcpdump -nn -i primary port 49
(substitute the configured TACACS+ port if it is not 49)
Verify that traffic to and from the TACACS+ server is seen when the configured server test is clicked.
If the basic connection test passes, attempt authentication and authorization using the “test user” button and do the following:
At the NetProfiler CLI, collect a tcpdump capture file:
tcpdump -s0 -w tacacs.pcap -nn -i primary port 49
(substitute the configured TACACS+ port if it is not 49)
Use Wireshark to verify the traffic between the profiler and the TACACS+ server.
Verify with the customer that the shared secret is correct. If possible, obtain the shared secret for use in Wireshark to decode and verify the responses.
In Wireshark Preferences, under Protocols, locate TACACS+. Select the reassemble option and enter the shared secret in the TACACS+ encryption key field.
If the key is NOT correct, you will observe “Malformed Packet”: the packet body is XORed with a pad derived from the shared secret, so a wrong key yields bytes whose length fields do not add up.
If the shared secret is correct, in the TACACS+ packets you will observe an encrypted request and a decrypted request, and the decrypted request will look
similar to the following. Packets 1 and 2 are a successful user authentication. Packets 3 and 4 are a successful authorization.
In packet 3, the important lines to note are those with “service=rbt2-exec”, “local-user-name” and “acl”. The service is set in the profiler under Configured
Servers → the “settings…” button, and it must match the service setting for the groups on the TACACS+ server. local-user-name and acl are attributes of the
TACACS+ groups on the TACACS+ server; the values returned for these attributes must match the profiler settings.
1.) TACACS+
Major version: TACACS+
Minor version: 1
Type: Authentication (1)
Sequence number: 1
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 2888171520
Packet length: 48
Encrypted Request
Decrypted Request
Action: Inbound Login (1)
Privilege Level: 0
Authentication type: PAP (2)
Service: TAC_PLUS_AUTHEN_SVC_NONE (0)
User len: 8
User: TESTUSER
Port len: 0
Remaddr len: 20
Remote Address: cascade-express-VE-2
Password Length: 12
Password: XXXXXXX
2.) TACACS+
Major version: TACACS+
Minor version: 1
Type: Authentication (1)
Sequence number: 2
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 2888171520
Packet length: 6
Encrypted Reply
Decrypted Reply
Status: Authentication Passed (0x01)
Flags: 0x00
Server message length: 0
Data length: 0
3.) TACACS+
Major version: TACACS+
Minor version: 0
Type: Authorization (2)
Sequence number: 1
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 9900
Packet length: 76
Encrypted Request
Decrypted Request
Auth Method: TACACSPLUS (0x06)
Privilege Level: 0
Authentication type: Unknown (255)
Service: Login (1)
User len: 8
User: TESTUSER
Port len: 0
Remaddr len: 20
Remote Address: cascade-express-VE-2
Arg count: 3
Arg[0] length: 17
Arg[0] value: service=rbt2-exec
Arg[1] length: 16
Arg[1] value: local-user-name*
Arg[2] length: 4
Arg[2] value: acl*
4.) TACACS+
Major version: TACACS+
Minor version: 0
Type: Authorization (2)
Sequence number: 2
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 9900
Packet length: 86
Encrypted Reply
Decrypted Reply
Auth Status: PASS_REPL (0x02)
Server Msg length: 0
Data length: 0
Arg count: 4
Arg[0] length: 17
Arg[0] value: service=rbt2-exec
Arg[1] length: 29
Arg[1] value: local-user-name=Administrator
Arg[2] length: 6
Arg[2] value: acl=15
Arg[3] length: 24
Arg[3] value: srv-level=Administrators
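The following is an added example, not code from the page or from Riverbed, that shows in working Python what the two checks above (decoding the payload with the shared secret, and confirming the service, local-user-name and acl attributes in the authorization reply) actually do. It implements the RFC 8907 body obfuscation (MD5 pseudo-pad XOR) and the authorization REPLY layout, reproduces the decoded packet 4 above as a constructed sample, parses it with the correct key, shows that a wrong key produces the same length-field inconsistency Wireshark reports as “Malformed Packet”, and then checks the returned attributes against what the profiler expects. The shared secret "constructed-secret", the wrong key, and the expected service name passed to check_profiler_attrs are assumptions for the example.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+ protocol).
TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag; clear means the body is obfuscated
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Authorization REPLY body (RFC 8907 section 6.2): status, arg_cnt,
    server_msg_len, data_len, one length byte per arg, server_msg, data, args."""
    body = bytes([status, len(args)]) + struct.pack("!HH", len(server_msg), len(data))
    return body + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def build_packet(version, ptype, seq_no, flags, session_id, body, key):
    """12-byte TACACS+ header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_author_reply(packet, key):
    """De-obfuscate and parse an authorization REPLY. Raises ValueError when the
    length fields do not add up, the condition Wireshark shows as 'Malformed Packet'
    when the wrong shared secret is configured."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a complete TACACS+ authorization packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 6:
        raise ValueError("malformed: body too short")
    status, arg_cnt, server_msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in AUTHOR_STATUS:
        raise ValueError("malformed: unknown status byte (wrong shared secret?)")
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    pos += arg_cnt
    if len(arg_lens) != arg_cnt or pos + server_msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("malformed: length fields do not add up (wrong shared secret?)")
    server_msg = body[pos:pos + server_msg_len].decode("ascii", "replace")
    pos += server_msg_len + data_len  # skip the opaque data field
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return {"status": AUTHOR_STATUS[status], "server_msg": server_msg, "args": args}


def split_args(args):
    """Map 'attr=value' (mandatory) and 'attr*value' (optional) strings to a dict."""
    attrs = {}
    for a in args:
        seps = [i for i in (a.find("="), a.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"malformed argument {a!r}")
        i = min(seps)
        attrs[a[:i]] = a[i + 1:]
    return attrs


def check_profiler_attrs(reply, expected_service="rbt2-exec"):
    """Return the list of problems a profiler login would hit; an empty list means OK."""
    problems = []
    if not reply["status"].startswith("PASS"):
        problems.append(f"authorization status is {reply['status']}")
    attrs = split_args(reply["args"])
    if attrs.get("service") != expected_service:
        problems.append(f"service is {attrs.get('service')!r}, profiler expects {expected_service!r}")
    for name in ("local-user-name", "acl"):
        if not attrs.get(name):
            problems.append(f"{name} attribute missing or empty")
    return problems


# Constructed sample reproducing the decoded packet 4 above; the key is a placeholder, not a real secret.
SAMPLE_KEY = b"constructed-secret"
SAMPLE_ARGS = [b"service=rbt2-exec", b"local-user-name=Administrator", b"acl=15", b"srv-level=Administrators"]
SAMPLE_PACKET = build_packet(0xC0, TAC_PLUS_AUTHOR, 2, 0x00, 9900, build_author_reply(0x02, SAMPLE_ARGS), SAMPLE_KEY)

if __name__ == "__main__":
    reply = parse_author_reply(SAMPLE_PACKET, SAMPLE_KEY)
    print(reply["status"], reply["args"], check_profiler_attrs(reply) or "OK")
    try:
        parse_author_reply(SAMPLE_PACKET, b"wrong-secret")
    except ValueError as err:
        print("with the wrong key:", err)
```

Run it as-is to see the constructed packet decode to PASS_REPL with the four attributes and no problems, followed by the ValueError for the wrong key. To use it on a real capture, feed the raw bytes of a TACACS+ TCP segment (header plus body) from the tacacs.pcap file to parse_author_reply together with the customer's shared secret; if the profiler's Configured Servers settings use a service name other than rbt2-exec, pass that name as expected_service.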