TACACS+ protocol exchange: packet capture examples




TACACS+ packet capture examples

To capture TACACS+ packets with Wireshark, the tac_plus service on the TACACS+ server needs to listen on port 49, the default port assigned to TACACS+ (TCP 49).

Wireshark then decodes the packets on TCP port 49 as TACACS+; otherwise all you see are plain TCP segments.

Lab topology:

The lab was run in the eve-ng emulation environment; H3C, Huawei, Arista and Cisco devices can be tested in it.

The Linux host in the diagram runs CentOS 7 with the TACACS+ daemon installed, listening on 192.168.147.135 TCP port 49.

Figure: lab topology

TACACS+ packet exchange flow:

Figure: TACACS+ packet exchange

Note: the TACACS+ packets captured in Wireshark are encrypted by default, so the packet body cannot be read; enter the TACACS+ key in Wireshark to decrypt them, after which the packet contents can be viewed.

Steps: select a TACACS+ packet, right-click and choose Protocol Preferences, then select TACACS+ Encryption Key.


Enter the TACACS+ server key and the packets are decrypted.

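What Wireshark does with that key is the RFC 8907 body obfuscation: an MD5 chain over session_id, key, version and seq_no produces a pseudo-pad that is XORed with the body. The following is an added example (not from this post or from tac_plus) that parses the 12-byte header, derives the pad and decodes an authentication START body; the key, session ID and the START packet itself are constructed here.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is sent in clear when set

def parse_header(pkt):
    """Parse the fixed 12-byte TACACS+ header (RFC 8907 section 4.1)."""
    if len(pkt) < 12:
        raise ValueError("shorter than a TACACS+ header")
    fields = struct.unpack("!BBBBII", pkt[:12])
    return dict(zip(("version", "type", "seq_no", "flags", "session_id", "length"), fields))

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5 chain keyed by session_id, shared key, version and seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def decode_body(pkt, key):
    """Return the cleartext body. XOR with the pad is its own inverse, so the
    same function also obfuscates a cleartext body for sending."""
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("body truncated")
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_authen_start(body):
    """Decode the authentication START body (RFC 8907 section 5.1)."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    rest = body[8:]
    user, port, rem_addr = rest[:ul], rest[ul:ul + pl], rest[ul + pl:ul + pl + rl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode()}

def build_sample_packet(key):
    """Constructed sample: an obfuscated authentication START as a switch would send it."""
    user, port, rem = b"tacacsuser", b"GigabitEthernet1/0", b"192.168.147.1"
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem), 0) + user + port + rem
    header = struct.pack("!BBBBII", 0xC0, 1, 1, 0, 0x1234ABCD, len(body))
    return header + decode_body(header + body, key)
```

Because the pad depends only on the header and the shared key, anyone holding the key can read every field of the exchange, which is why the key must be protected on both the NAS and the server.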

Authentication packet capture example:

Authentication request packet:

As shown in the figure below, when a user logs in to the switch remotely, the switch sends both the username and the password to the TACACS+ server as an authentication request.

Figure: the first authentication packet sent by the switch once authentication is initiated

Authentication reply packet:

After the TACACS+ server receives the switch's authentication request, if both the account and the password are correct it returns an authentication reply indicating that authentication passed.

If the account or the password is incorrect, it returns an authentication failure packet.

Figure: the authentication-pass reply sent by the TACACS+ server to the switch

Figure: authentication failure packet

Authorization packet capture example:

Authorization request packet:

After authentication succeeds, the switch sends an authorization request carrying the service type and the command that needs to be authorized.

Figure: authorization request packet sent by the switch

Authorization reply packet:

After the TACACS+ server receives the authorization request, it replies with the authorization result according to its configuration file, for example priv-lvl=15.

Figure: authorization reply packet

Accounting packet capture example:

Accounting request packet:

After authentication and authorization both succeed, the switch sends an accounting request packet.

Figure: accounting request packet

Accounting reply packet:

Figure: accounting reply packet

Authorization and accounting exchange captured after entering dis ip inter bri:

After authentication succeeds, every command entered on the switch goes through the following four-packet exchange.

Authorization request packet:

As the figure below shows, when dis ip inter bri is entered on the switch, the switch sends an authorization request to the TACACS+ server. Inside the packet, dis ip inter bri has been auto-completed by the switch and split on spaces into several cmd values, which are sent to the server for authorization.

The TACACS+ server decides whether to authorize the command according to the authorization configuration in its configuration file, for example by matching regular expressions.

Figure: authorization request packet for a switch command

Authorization reply packet:

Figure: authorization reply packet, authorization granted

Accounting request packet:

After the command is authorized, if the switch is configured for TACACS+ accounting it sends an accounting request carrying the command's details: the command string, the command privilege level, the time zone and so on.

Figure: command accounting request packet sent by the switch

Accounting reply packet:

Figure: accounting reply packet

TACACS+ session timeout and automatic disconnection packet capture example:

Figure: TACACS+ session timeout and automatic disconnection

Figure: TACACS+ accounting reply packet

TACACS+ server authentication, authorization and accounting log examples

access.log:

[root@localhost ~]# more /var/log/tac_plus/a
access/ accounting/ authentication/ authorization/
[root@localhost ~]# more /var/log/tac_plus/access/access.log
2020-10-06 15:47:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:01:36 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:07:37 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:13:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:12 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 ascii login failed (no such user)
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 shell login failed (no such user)
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 shell login failed (no such user)

authentication.log (authentication log example):

[root@localhost ~]# more /var/log/tac_plus/authentication/authentication.log
2020-10-06 15:47:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:01:36 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:07:37 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 16:13:43 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:12 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 ascii login failed (no such user)

authorization.log (authorization log example):

[root@localhost ~]# more /var/log/tac_plus/authorization/authorization.log
2020-10-06 15:47:48 +0800 192.168.147.134 tacacsuser vty0 permit system-view <cr>
2020-10-06 16:01:45 +0800 192.168.147.134 tacacsuser vty0 permit display ip interface brief <cr>
2020-10-06 16:06:34 +0800 192.168.147.134 tacacsuser vty0 permit system-view <cr>
2020-10-06 16:06:35 +0800 192.168.147.134 tacacsuser vty0 permit display this <cr>
2020-10-06 16:06:37 +0800 192.168.147.134 tacacsuser vty0 permit display current-configuration <cr>
2020-10-06 16:07:19 +0800 192.168.147.134 tacacsuser vty0 permit hwtacacs scheme cas <cr>
2020-10-06 16:07:20 +0800 192.168.147.134 tacacsuser vty0 permit primary authentication 192.168.147.135 49 single-connection key simple ****** <cr>
2020-10-06 16:07:20 +0800 192.168.147.134 tacacsuser vty0 permit primary authorization 19
2020-10-06 16:09:15 +0800 192.168.147.134 tacacsuser vty0 permit display ip interface bri

accounting.log (accounting log example):

[root@localhost ~]# more /var/log/tac_plus/accounting/accounting.log
2020-10-06 15:47:43 +0800 192.168.147.134 tacacsuser vty0 192.168.147.1 start task_id=0 timezone=0 service=shell
2020-10-06 15:47:48 +0800 192.168.147.134 tacacsuser vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=system-view
2020-10-06 15:49:39 +0800 192.168.147.134 tacacsuser vty0 stop task_id=0 timezone
2020-10-06 18:27:23 +0800 192.168.147.134 user1 vty0 192.168.147.1 start task_id=0 timezone=0 service=shell
2020-10-06 18:27:24 +0800 192.168.147.134 user1 vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=system-view
2020-10-06 18:27:27 +0800 192.168.147.134 user1 vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=display ip interface brief
2020-10-06 18:37:28 +0800 192.168.147.134 user1 vty0 192.168.147.1 stop task_id=0 timezone=0 service=shell disc_cause=0 disc_cause_ext=0 bytes_in=0 bytes_out=0 paks_in=0 paks_out=0 elapsed_time=605
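The access.log and accounting.log layouts above are what a defender actually monitors: failed logins per source and the exact commands each user ran at which privilege level. The following is an added example (not part of this post or of tac_plus) that parses both layouts; the sample lines are copied from the logs shown above, with the wrapped lines rejoined.

```python
import re
from collections import Counter

# Sample lines in the tac_plus layout shown on this page (rejoined from the logs above).
ACCESS_LOG = """\
2020-10-06 17:59:12 +0800 192.168.147.134 tacacsuser GigabitEthernet1/0 192.168.147.1 ascii login succeeded
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 ascii login failed (no such user)
2020-10-06 17:59:22 +0800 192.168.147.134 user GigabitEthernet1/0 192.168.147.1 shell login failed (no such user)
"""
ACCOUNTING_LOG = """\
2020-10-06 18:27:23 +0800 192.168.147.134 user1 vty0 192.168.147.1 start task_id=0 timezone=0 service=shell
2020-10-06 18:27:27 +0800 192.168.147.134 user1 vty0 stop task_id=0 timezone=0 service=shell priv-lvl=15 cmd=display ip interface brief
2020-10-06 18:37:28 +0800 192.168.147.134 user1 vty0 192.168.147.1 stop task_id=0 timezone=0 service=shell disc_cause=0 elapsed_time=605
"""

# date time tz, NAS, user, port, remote address, authen type, result, optional reason
ACCESS_RE = re.compile(r"^(\S+ \S+ \S+) (\S+) (\S+) (\S+) (\S+) (\S+) login (succeeded|failed)(?: \((.*)\))?$")
# key=value pairs; a value runs until the next key= or end of line, so cmd= may contain spaces
ATTR_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")

def parse_access(line):
    """Parse one access.log / authentication.log line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    ts, nas, user, port, rem, authen_type, result, reason = m.groups()
    return {"ts": ts, "nas": nas, "user": user, "port": port, "rem_addr": rem,
            "authen_type": authen_type, "result": result, "reason": reason}

def parse_accounting(line):
    """Parse one accounting.log line; start records carry the remote address, stop records may not."""
    tokens = line.strip().split()
    idx = next(i for i, t in enumerate(tokens) if t in ("start", "stop"))
    rec = {"ts": " ".join(tokens[:3]), "nas": tokens[3], "user": tokens[4],
           "port": tokens[5], "event": tokens[idx]}
    rec.update(dict(ATTR_RE.findall(" ".join(tokens[idx + 1:]))))
    return rec

def failed_logins(log):
    """Count failed logins per (remote address, user), the usual brute-force indicator."""
    c = Counter()
    for line in log.splitlines():
        rec = parse_access(line)
        if rec and rec["result"] == "failed":
            c[(rec["rem_addr"], rec["user"])] += 1
    return c

def commands_run(log):
    """List (user, priv-lvl, command) for every command accounting stop record."""
    return [(r["user"], r.get("priv-lvl"), r["cmd"])
            for r in map(parse_accounting, log.splitlines()) if "cmd" in r]
```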
