TACACS Troubleshooting - NetShark

Solution Number: S29143
Last Modified: 2016-12-21
Issue
NetShark fails to authenticate or authorize users via TACACS+
Solution

Test that the configured TACACS+ server is reachable from the NetShark (ping it).

Ensure the TACACS+ port is open (usually TCP port 49).

On the NetShark, run:

tcpdump -nn -i primary port 49   (or the configured TACACS+ port)

Verify that traffic is seen to and from the TACACS+ server when a login is attempted from the WebUI.

If the basic connectivity check passes, attempt authentication and authorization using the "test user" button and do the following:

On the NetShark, collect a tcpdump capture file:

tcpdump -s0 -w tacacs.pcap -nn -i primary port 49   (or the configured TACACS+ port)

Use Wireshark to verify the traffic between the NetShark and the TACACS+ server.

Verify with the customer that the shared secret is correct; if possible, obtain the shared secret key for use in Wireshark to decrypt and verify the responses.

In the Wireshark preferences, under Protocols, locate TACACS+. Select the reassemble option and enter the shared secret in the "TACACS+ Encryption Key" field.

If the key is NOT correct, Wireshark will show "Malformed Packet". Note that Wireshark applies the one key you enter to both directions: if the requests from the NetShark decode but the replies from the server do not (or vice versa), the NetShark and the server are not configured with the same secret.

 

If the shared secret is correct, each TACACS+ packet shows both the encrypted and the decrypted request or reply, and the decrypted contents will look similar to the dissections below. Packet 1 contains the user ID and the other parameters a TACACS+ server might use. Packet 3 contains the login user's password in the "User" attribute. Packet 4 shows a successful login response from the TACACS+ server, completing the authentication portion of the TACACS+ authentication/authorization transaction.

Packet 5 sends the user name (TESTUSER) and the attribute/value pair "service=rbt2-exec". This attribute/value pair is hard-coded in the NetShark, unlike the Profiler, where the value may be set.

Packet 6 shows the TACACS+ server response containing the attribute/value pair "srv-level=Administrators".

The srv-level value may ONLY be one of: Administrators, NormalUsers, tester, or Viewers. These are hard-coded values found on the Users/Groups configuration page.


1.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authentication (1)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 1739276208
    Packet length: 36
    Encrypted Request
    Decrypted Request
        Action: Inbound Login (1)
        Privilege Level: 0
        Authentication type: ASCII (1)
        Service: Login (1)
        User len: 8
        User: TESTUSER
        Port len: 5
        Port: ttyp6
        Remaddr len: 7
        Remote Address: unknown
        ASCII Data Length: 8
        Data: 3173746861746d6f

2.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authentication (1)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 1739276208
    Packet length: 16
    Encrypted Reply
    Decrypted Reply
        Status: Send Password (0x05)
        Flags: 0x01 (NoEcho)
        Server message length: 10
        Server message: Password:
        Data length: 0

3.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authentication (1)
    Sequence number: 3
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 1739276208
    Packet length: 13
    Encrypted Request
    Decrypted Request
        Flags: 0x00
        User length: 8
        User: XXXXXXXX
        Data length: 0

4.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authentication (1)
    Sequence number: 4
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 1739276208
    Packet length: 6
    Encrypted Reply
    Decrypted Reply
        Status: Authentication Passed (0x01)
        Flags: 0x00
        Server message length: 0
        Data length: 0

5.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 3348196824
    Packet length: 46
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 0
        Authentication type: ASCII (1)
        Service: Login (1)
        User len: 8
        User: TESTUSER
        Port len: 5
        Port: ttyp6
        Remaddr len: 7
        Remote Address: unknown
        Arg count: 1
        Arg[0] length: 17
        Arg[0] value: service=rbt2-exec

6.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 3348196824
    Packet length: 61
    Encrypted Reply
    Decrypted Reply
        Auth Status: PASS_ADD (0x01)
        Server Msg length: 0
        Data length: 0
        Arg count: 2
        Arg[0] length: 24
        Arg[0] value: srv-level=Administrators
        Arg[1] length: 29
        Arg[1] value: local-user-name=Administrator
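To make the decryption step concrete, the following is an added Python example (not Riverbed code and not from this article) that builds an authentication START packet with the same fields as packet 1 above, applies the TACACS+ MD5 pseudo-pad from RFC 8907 section 4.5 with a constructed placeholder shared secret, and decodes it again. It also shows why a wrong key produces Wireshark's "Malformed Packet": the decoded length bytes no longer add up to the packet length in the header.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
VERSION, TYPE_AUTHEN = 0xC0, 1      # major 0xC / minor 0 and "Authentication (1)"

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5; the packet body is XORed with it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, chunk = b"", b""
    while len(pad) < length:
        chunk = hashlib.md5(seed + chunk).digest()   # MD5_n chains in MD5_n-1
        pad += chunk
    return pad[:length]

def xor_body(session_id, version, seq_no, body, key):
    """The same XOR both encrypts and decrypts a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id, key, user, port, rem_addr, data=b""):
    """Constructed authentication START (seq 1): login action, priv 0, ASCII, Login."""
    body = bytes([1, 0, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    body += user + port + rem_addr + data
    hdr = HEADER.pack(VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return hdr + xor_body(session_id, VERSION, 1, body, key)

def decode_authen_start(packet, key):
    """Decrypt with the shared secret and parse; None means 'Malformed Packet'."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    body = xor_body(session_id, version, seq_no, packet[HEADER.size:HEADER.size + length], key)
    if ptype != TYPE_AUTHEN or len(body) != length or length < 8:
        return None
    action, priv, atype, service, ulen, plen, rlen, dlen = body[:8]
    # With the wrong secret the length bytes are noise and do not add up to the
    # header's packet length; that inconsistency is what Wireshark flags.
    if 8 + ulen + plen + rlen + dlen != length:
        return None
    user, port = body[8:8 + ulen], body[8 + ulen:8 + ulen + plen]
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen]
    data = body[8 + ulen + plen + rlen:]
    if not all(0x20 <= b < 0x7F for b in user + port + rem_addr):   # garbage = wrong key
        return None
    return {"session_id": session_id, "action": action, "priv_lvl": priv,
            "authen_type": atype, "service": service, "user": user.decode("ascii"),
            "port": port.decode("ascii"), "rem_addr": rem_addr.decode("ascii"), "data": data}

SECRET = b"example-shared-secret"      # constructed placeholder, not a real key
SAMPLE = build_authen_start(1739276208, SECRET, b"TESTUSER", b"ttyp6", b"unknown",
                            bytes.fromhex("3173746861746d6f"))
```

Wireshark performs the same XOR with the key entered in its preferences, so feeding a capture through decode_authen_start with the customer's secret is an offline way to confirm that the secret the NetShark uses matches the one on record.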

 

 
