
TACACS+ protocol interaction packet capture examples

source link: https://cshihong.github.io/2020/10/06/Tacacs-%E5%8D%8F%E8%AE%AE%E4%BA%A4%E4%BA%92%E6%8A%A5%E6%96%87%E6%8A%93%E5%8C%85%E7%A4%BA%E4%BE%8B/


TACACS+ protocol packet capture examples

To capture TACACS+ packets with Wireshark, the tac_plus service on the TACACS+ server must listen on port 49, the default port assigned to TACACS+ (TCP 49).

Wireshark then decodes the traffic on TCP port 49 as TACACS+ packets. Otherwise all you see is plain TCP segments.

Lab topology:

This lab was run in an EVE-NG emulation environment; H3C, Huawei, Arista and Cisco devices can be tested in it.

The Linux host in the figure runs CentOS 7 with the TACACS+ daemon installed, listening on 192.168.147.135, TCP port 49.

Figure: lab topology

TACACS+ packet exchange flow diagram:

Figure: TACACS+ packet exchange

Note: the TACACS+ packets captured in Wireshark are encrypted by default, so the detailed packet body cannot be read. Enter the TACACS+ key in Wireshark to decrypt them; the packet contents can then be inspected.

Steps: select a TACACS+ packet, right-click and choose Protocol Preferences, then choose TACACS+ Encryption Key.


Enter the TACACS+ server key and the packets are decrypted.
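As an added example (not code from the original post), the following Python reproduces the RFC 8907 body obfuscation that Wireshark undoes once it has the key: the packet body is XORed with a pseudo-pad of chained MD5 digests over session_id, the shared key, version and seq_no, which is why the key alone is enough to read every packet in a capture. The key, session id and packet here are constructed; the user, port and remote address reuse the values seen in the server logs further down.

```python
import hashlib
import struct

# Constructed lab values; the key and session id are not the ones from the page's capture.
KEY = b"tacacs-lab-key"
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(header, body, key):
    """Obfuscation and deobfuscation are the same XOR; skipped if the UNENCRYPTED flag is set."""
    version, _, seq_no, flags, session_id, _ = HEADER.unpack(header)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr, session_id, key=KEY):
    """Authentication START: action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN."""
    body = bytes([0x01, 0x01, 0x01, 0x01, len(user), len(port), len(rem_addr), 0])
    body += user + port + rem_addr
    header = HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + xor_body(header, body, key)

def decode_authen_start(packet, key=KEY):
    """What Wireshark does once given the key: remove the pad and read the START fields."""
    header, body = packet[:HEADER.size], packet[HEADER.size:]
    _, ptype, seq_no, _, session_id, length = HEADER.unpack(header)
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1 or length != len(body):
        raise ValueError("not a complete authentication START packet")
    plain = xor_body(header, body, key)
    action, priv_lvl, authen_type, service, *lens = plain[:8]
    fields, off = [], 8
    for n in lens:                      # user, port, rem_addr, data in that order
        fields.append(plain[off:off + n])
        off += n
    if off != len(plain):               # wrong key or corrupt packet: lengths usually do not add up
        raise ValueError("length fields do not match body size")
    return {"session_id": session_id, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": fields[0], "port": fields[1], "rem_addr": fields[2], "data": fields[3]}
```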


Authentication packet capture example:

Authentication request packet:

As shown in the figure below, when a user logs in to the switch remotely, the switch sends the username and password to the TACACS+ server as an authentication request.

Figure: the first authentication packet sent by the switch once authentication starts

Authentication reply packet:

After the TACACS+ server receives the switch's authentication request, it returns an authentication reply indicating that authentication passed if both the account and the password are correct.

If the account or the password is wrong, it returns an authentication failure packet.

Figure: the authentication PASS reply from the TACACS+ server to the switch

Figure: authentication failure packet

Authorization packet capture example:

Authorization request packet:

After authentication succeeds, the switch sends an authorization request carrying the service type and the command to be authorized.

Figure: authorization request packet sent by the switch

Authorization reply packet:

After the TACACS+ server receives the authorization request, it replies with the authorization result according to its configuration file, for example priv-lvl=15.

Figure: authorization reply packet

Accounting packet capture example:

Accounting request packet:

After authentication and authorization succeed, the switch sends an accounting request packet.

Figure: accounting request packet

Accounting reply packet:

Figure: accounting reply packet

Capture of the authorization and accounting exchange after entering dis ip inter bri:

After authentication succeeds, every command entered on the switch goes through the following four-packet exchange.

Authorization request packet:

In the figure below, when dis ip inter bri is entered on the switch, the switch sends an authorization request to the TACACS+ server. Inside the packet, the switch has automatically expanded dis ip inter bri to its full form and split it on spaces into multiple cmd values, which are sent to the server as the authorization request.

The TACACS+ server then decides whether to grant authorization according to the authorization rules in its configuration file, for example by matching regular expressions.

Figure: authorization request packet for the switch command

Authorization reply packet:

Figure: authorization reply packet, authorization passed

Accounting request packet:

After the command is authorized, the switch sends an accounting request if TACACS+ accounting is configured on it. The accounting request carries the command's details: the command string, the command level, the time zone and so on.

Figure: command accounting request packet sent by the switch

Accounting reply packet:

Figure: accounting reply packet

Capture of the TACACS+ session timing out and disconnecting automatically:

Figure: TACACS+ session automatically disconnected after a timeout

Figure: TACACS+ accounting reply packet

TACACS+ server authentication, authorization and accounting log examples

access.log:

[root@localhost ~]# more /var/log/tac_plus/a
access/ accounting/ authentication/ authorization/
[root@localhost ~]# more /var/log/tac_plus/access/access.log
2020-10-06 15:47:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:01:36 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:07:37 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:13:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:12 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 ascii login failed (no such user)
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 shell login failed (no such user)
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 shell login failed (no such user)

authentication.log (authentication log) example:

[root@localhost ~]# more /var/log/tac_plus/authentication/authentication.log
2020-10-06 15:47:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:01:36 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:07:37 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:13:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:12 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 ascii login failed (no such user)

authorization.log (authorization log) example:

[root@localhost ~]# more /var/log/tac_plus/authorization/authorization.log
2020-10-06 15:47:48 +0800 192.168.147.134 tacacsuser vty0 permit system-view <cr>
2020-10-06 16:01:45 +0800 192.168.147.134 tacacsuser vty0 permit display ip interface brief <cr>
2020-10-06 16:06:34 +0800 192.168.147.134 tacacsuser vty0 permit system-view <cr>
2020-10-06 16:06:35 +0800 192.168.147.134 tacacsuser vty0 permit display this <cr>
2020-10-06 16:06:37 +0800 192.168.147.134 tacacsuser vty0 permit display current-configuration <cr>
2020-10-06 16:07:19 +0800 192.168.147.134 tacacsuser vty0 permit hwtacacs scheme cas <cr>
2020-10-06 16:07:20 +0800 192.168.147.134 tacacsuser vty0 permit primary authentication 192.168.147.135 49 single-connection key simple ****** <cr>
2020-10-06 16:07:20 +0800 192.168.147.134 tacacsuser vty0 permit primary authorization 19
2020-10-06 16:09:15 +0800 192.168.147.134 tacacsuser vty0 permit display ip interface bri

accounting.log (accounting log) example:

[root@localhost ~]# more /var/log/tac_plus/accounting/accounting.log
2020-10-06 15:47:43 +0800 192.168.147.134 tacacsuser vty0 192.168.147.1 start task_id=0 timezone=0 service=shell
2020-10-06 15:47:48 +0800 192.168.147.134 tacacsuser vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=system-view
2020-10-06 15:49:39 +0800 192.168.147.134 tacacsuser vty0 stop task_id=0 timezone
2020-10-06 18:27:23 +0800 192.168.147.134 user1 vty0 192.168.147.1 start task_id=0 timezone=0 service=shell
2020-10-06 18:27:24 +0800 192.168.147.134 user1 vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=system-view
2020-10-06 18:27:27 +0800 192.168.147.134 user1 vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=display ip interface brief
2020-10-06 18:37:28 +0800 192.168.147.134 user1 vty0 192.168.147.1 stop task_id=0 timezone=0 service=shell disc_cause=0 disc_cause_ext=0 bytes_in=0 bytes_out=0 paks_in=0 paks_out=0 elapsed_time=605
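The accounting log above is the audit trail a defender actually reviews, so as an added example (not from the original post) here is a small Python parser for its line layout: the remote address is present only on session start/stop records, and the cmd value is last and may contain spaces. The sample lines are the page's own accounting records, re-joined onto single lines.

```python
import re

# Sample tac_plus accounting lines, re-joined from the log excerpt on the page (constructed input).
ACCOUNTING_LOG = """\
2020-10-06 15:47:43 +0800 192.168.147.134 tacacsuser vty0 192.168.147.1 start task_id=0 timezone=0 service=shell
2020-10-06 15:47:48 +0800 192.168.147.134 tacacsuser vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=system-view
2020-10-06 18:27:23 +0800 192.168.147.134 user1 vty0 192.168.147.1 start task_id=0 timezone=0 service=shell
2020-10-06 18:27:27 +0800 192.168.147.134 user1 vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=display ip interface brief
2020-10-06 18:37:28 +0800 192.168.147.134 user1 vty0 192.168.147.1 stop task_id=0 timezone=0 service=shell disc_cause=0 disc_cause_ext=0 bytes_in=0 bytes_out=0 paks_in=0 paks_out=0 elapsed_time=605
"""

# timestamp, NAS address, user, port, optional remote address, start|stop, then key=value attributes
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (?P<nas>\S+) (?P<user>\S+) "
    r"(?P<port>\S+) (?:(?P<rem_addr>\S+) )?(?P<status>start|stop) (?P<attrs>.*)$"
)

def parse_attrs(text):
    """Split 'k=v k=v ...' pairs; the cmd value is last and may itself contain spaces."""
    attrs = {}
    while text:
        key, _, rest = text.partition("=")
        if key == "cmd":
            attrs["cmd"] = rest
            break
        value, _, text = rest.partition(" ")
        attrs[key] = value
    return attrs

def parse_accounting(log):
    """One dict per well-formed record; truncated lines (as in the page's excerpt) are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec.update(parse_attrs(rec.pop("attrs")))
        records.append(rec)
    return records

def command_trail(records):
    """Per-user list of (time, priv-lvl, command) taken from the per-command stop records."""
    trail = {}
    for r in records:
        if r["status"] == "stop" and "cmd" in r:
            trail.setdefault(r["user"], []).append((r["ts"], int(r.get("priv-lvl", 0)), r["cmd"]))
    return trail

def session_durations(records):
    """elapsed_time from the session-level stop record, keyed by (user, port)."""
    return {(r["user"], r["port"]): int(r["elapsed_time"]) for r in records if "elapsed_time" in r}
```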
