TACACS Troubleshooting - SteelCentral NetProfiler / Flow Gateway

Solution Number: S29225
Last Modified: 2017-05-05
Issue
SteelCentral NetProfiler / Flow Gateway does not correctly authenticate using TACACS+.
Solution

On the NetProfiler / Flow Gateway, go to Configuration -> Account Management -> Remote Authentication and select the TACACS+ tab:

Use the Configured Server “Test” button. If this fails, perform the following:

Test that the configured server is reachable: ping it from the CLI.

Ensure the TACACS port is open (usually port 49).

On the profiler:

tcpdump -nn -i primary port 49    (or the configured TACACS port)

Verify that traffic is seen to/from the TACACS server when Test in Configured Server is clicked.

If the basic connection test passes, attempt authentication and authorization using the “Test User” button and do the following:

At the NetProfiler CLI collect a tcpdump capture file:

tcpdump -s0 -w tacacs.pcap -nn -i primary port 49    (or the configured TACACS port)

Use Wireshark to verify the traffic between the profiler and the TACACS server.

Verify with the customer that the shared secret is correct. If possible, obtain the shared secret key for use in Wireshark to verify the responses.

In Wireshark preferences, under Protocols, locate TACACS+. Select the reassemble option and enter the shared secret as the TACACS+ encryption key.

If the key is NOT correct you will observe “Malformed Packet”.

If the shared secret is correct, each TACACS+ packet will show an encrypted request and a decrypted request, and the decrypted request will look similar to the following. Packets 1 and 2 are a successful user authentication. Packets 3 and 4 are a successful authorization.

In packet 3, the important lines are “service=rbt2-exec”, “local-user-name” and “acl”. The service is set in the profiler under Configured Servers → “Settings…” and must match the service setting for the groups in the TACACS server. Local-user-name and acl are attributes of the TACACS groups in the TACACS server. The values for these attributes must match the profiler settings.

1.) TACACS+
    Major version: TACACS+
    Minor version: 1
    Type: Authentication (1)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2888171520
    Packet length: 48
    Encrypted Request
    Decrypted Request
        Action: Inbound Login (1)
        Privilege Level: 0
        Authentication type: PAP (2)
        Service: TAC_PLUS_AUTHEN_SVC_NONE (0)
        User len: 8
        User: TESTUSER
        Port len: 0
        Remaddr len: 20
        Remote Address: cascade-express-VE-2
        Password Length: 12
        Password: XXXXXXX

2.) TACACS+
    Major version: TACACS+
    Minor version: 1
    Type: Authentication (1)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2888171520
    Packet length: 6
    Encrypted Reply
    Decrypted Reply
        Status: Authentication Passed (0x01)
        Flags: 0x00
        Server message length: 0
        Data length: 0

3.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 9900
    Packet length: 76
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 0
        Authentication type: Unknown (255)
        Service: Login (1)
        User len: 8
        User: TESTUSER
        Port len: 0
        Remaddr len: 20
        Remote Address: cascade-express-VE-2
        Arg count: 3
        Arg[0] length: 17
        Arg[0] value: service=rbt2-exec
        Arg[1] length: 16
        Arg[1] value: local-user-name*
        Arg[2] length: 4
        Arg[2] value: acl*

4.) TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 9900
    Packet length: 86
    Encrypted Reply
    Decrypted Reply
        Auth Status: PASS_REPL (0x02)
        Server Msg length: 0
        Data length: 0
        Arg count: 4
        Arg[0] length: 17
        Arg[0] value: service=rbt2-exec
        Arg[1] length: 29
        Arg[1] value: local-user-name=Administrator
        Arg[2] length: 6
        Arg[2] value: acl=15
        Arg[3] length: 24
        Arg[3] value: srv-level=Administrators
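The packet listings above can be reproduced and checked offline. The Python script below is an added example; it is not from the Riverbed article and not NetProfiler's own code. It rebuilds packets 1, 3 and 4 from the decoded fields shown above using the TACACS+ body obfuscation of RFC 8907 (a chained MD5 pseudo-pad XORed over the body), with a constructed shared secret and a placeholder 12-character password in place of the masked one, and then decodes them the same way Wireshark does once the encryption key is configured. Decoding with the wrong secret turns the body into noise so that the length fields no longer add up, which is the condition Wireshark reports as “Malformed Packet”. check_authorization applies the checks from the paragraph above (authorization passed, service matches, local-user-name and acl returned). The 6-byte authentication reply (packet 2) carries no variable fields and is not modelled; the function names and all constructed values are assumptions of this example.

```python
import hashlib
import itertools
import struct

# RFC 8907 (TACACS+) values; the session rebuilt at the bottom uses the article's decoded
# fields with a constructed shared secret and a placeholder password of the same length.
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_UNENCRYPTED_FLAG = 0x01, 0x02, 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def obfuscate(body, session_id, key, version, seq_no):
    # RFC 8907 section 4.5: XOR the body with a chained-MD5 pad; the same call undoes it
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key, minor=0):
    version = 0xC0 | minor  # major version 0xC, which Wireshark labels "TACACS+"
    header = HEADER.pack(version, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def authen_start(user, rem_addr, password, action=1, priv=0, authen_type=2, svc=0):
    u, r, d = user.encode(), rem_addr.encode(), password.encode()
    return bytes([action, priv, authen_type, svc, len(u), 0, len(r), len(d)]) + u + r + d

def author_request(user, rem_addr, args, method=6, priv=0, authen_type=255, svc=1):
    u, r, a = user.encode(), rem_addr.encode(), [x.encode() for x in args]
    head = bytes([method, priv, authen_type, svc, len(u), 0, len(r), len(a)])
    return head + bytes(len(x) for x in a) + u + r + b"".join(a)

def author_reply(status, args, server_msg=b"", data=b""):
    a = [x.encode() for x in args]
    head = struct.pack("!BBHH", status, len(a), len(server_msg), len(data))
    return head + bytes(len(x) for x in a) + server_msg + data + b"".join(a)

def _strs(body, off, lens):  # consecutive variable-length fields starting at off
    ends = list(itertools.accumulate(lens, initial=off))
    return [body[a:b].decode("ascii", "replace") for a, b in zip(ends, ends[1:])]

def parse_body(ptype, seq_no, body):
    # Odd sequence numbers travel client -> server. Short or inconsistent bodies raise.
    if ptype == TAC_PLUS_AUTHEN and seq_no % 2:  # authentication START
        action, priv, atype, svc, ulen, plen, rlen, dlen = body[:8]
        if action not in (1, 2, 4) or 8 + ulen + plen + rlen + dlen != len(body):
            raise ValueError("lengths do not add up")
        user, port, rem = _strs(body, 8, (ulen, plen, rlen))
        return {"action": action, "user": user, "rem_addr": rem, "password_len": dlen}
    if ptype == TAC_PLUS_AUTHOR and seq_no % 2:  # authorization REQUEST
        method, priv, atype, svc, ulen, plen, rlen, argc = body[:8]
        arg_lens = list(body[8:8 + argc])
        if len(arg_lens) != argc or 8 + argc + ulen + plen + rlen + sum(arg_lens) != len(body):
            raise ValueError("lengths do not add up")
        user, port, rem, *args = _strs(body, 8 + argc, (ulen, plen, rlen, *arg_lens))
        return {"method": method, "service": svc, "user": user, "rem_addr": rem, "args": args}
    if ptype == TAC_PLUS_AUTHOR:  # authorization REPLY
        status, argc, mlen, dlen = struct.unpack_from("!BBHH", body)
        arg_lens = list(body[6:6 + argc])
        if len(arg_lens) != argc or 6 + argc + mlen + dlen + sum(arg_lens) != len(body):
            raise ValueError("lengths do not add up")
        return {"status": status, "args": _strs(body, 6 + argc + mlen + dlen, arg_lens)}
    raise ValueError("packet type not modelled here")

def decode_packet(raw, key):
    # Decode one packet as Wireshark does once the TACACS+ encryption key is configured
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    body = raw[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    info = {"type": ptype, "seq_no": seq_no, "session_id": session_id, "length": length}
    try:  # with the wrong key the XOR yields noise and the length fields stop adding up
        info.update(parse_body(ptype, seq_no, body))
    except (ValueError, struct.error):
        info["malformed"] = "Malformed Packet (wrong shared secret?)"
    return info

SHARED_SECRET = b"constructed-example-secret"  # constructed placeholder, not a real key

def decode_session(key):
    # Packets 1, 3 and 4 of the article, rebuilt from their decoded fields, decoded with key
    host = "cascade-express-VE-2"
    packets = [
        build_packet(TAC_PLUS_AUTHEN, 1, 2888171520, authen_start("TESTUSER", host, "placeholder1"),
                     SHARED_SECRET, minor=1),
        build_packet(TAC_PLUS_AUTHOR, 1, 9900, author_request(
            "TESTUSER", host, ["service=rbt2-exec", "local-user-name*", "acl*"]), SHARED_SECRET),
        build_packet(TAC_PLUS_AUTHOR, 2, 9900, author_reply(0x02, ["service=rbt2-exec",
            "local-user-name=Administrator", "acl=15", "srv-level=Administrators"]), SHARED_SECRET)]
    return [decode_packet(p, key) for p in packets]

def check_authorization(request, reply):
    # The article's checks: authorization passed, service matches, local-user-name and acl returned
    rep = dict(a.split("=", 1) for a in reply["args"] if "=" in a)
    return {"passed": reply["status"] in (1, 2),  # PASS_ADD / PASS_REPL
            "service_matches": "service=" + rep.get("service", "") in request["args"],
            "local-user-name": "local-user-name" in rep, "acl": "acl" in rep}
```

Calling decode_session(SHARED_SECRET) returns three dictionaries whose "length" values are the 48, 76 and 86 shown in the listings, and check_authorization on the last two reports every check as passed; decode_session(b"not-the-secret") returns entries carrying a "malformed" key instead of the user and argument fields. Against a real capture, the TCP payload of each segment in tacacs.pcap would be passed to decode_packet together with the customer's shared secret.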
