Anyone have an example Cisco TACACS Acct PCAP?

Steinhagen, Tom tsteinhagen at landstar.com
Fri Feb 24 20:35:37 UTC 2023


This is a TACACS accounting packet from a Cisco C9300 switch.  I can generate more if you need, and from other Cisco platforms.

Frame 17: 209 bytes on wire (1672 bits), 209 bytes captured (1672 bits)
Ethernet II, Src: Cisco_62:8d:7f (<MAC>), Dst: VMware_87:b0:62 (<MAC>)
Internet Protocol Version 4, Src: <sourceip>, Dst: <destip>
Transmission Control Protocol, Src Port: 31240, Dst Port: 49, Seq: 1, Ack: 1, Len: 155
    Source Port: 31240
    Destination Port: 49
    [Stream index: 1]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 155]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 308189371
    [Next Sequence Number: 156    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 1651975034
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x010 (ACK)
    Window: 4128
    [Calculated window size: 4128]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xa436 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
    [SEQ/ACK analysis]
    TCP payload (155 bytes)
    [PDU Size: 155]
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Accounting (3)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
        .... ...0 = Unencrypted: Not set
        .... .0.. = Single Connection: Not set
    Session ID: 2056706078
    Packet length: 143
    Encrypted Request
    Decrypted Request
        Flags: 0x04
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 15
        Authentication type: ASCII (1)
        Service: Login (1)
        User len: 14
        User: <user>
        Port len: 4
        Port: tty1
        Remaddr len: 13
        Remote Address: <AAA_SERVER_IP>
        Arg count: 6
        Arg[0] length: 12
        Arg[0] value: task_id=4180
        Arg[1] length: 12
        Arg[1] value: timezone=EST
        Arg[2] length: 13
        Arg[2] value: service=shell
        Arg[3] length: 21
        Arg[3] value: start_time=1677269899
        Arg[4] length: 11
        Arg[4] value: priv-lvl=15
        Arg[5] length: 28
        Arg[5] value: cmd=show running-config <cr>

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+tsteinhagen=landstar.com at lists.freeradius.org> On Behalf Of Arran Cudbard-Bell via Freeradius-Users
Sent: Friday, February 24, 2023 10:30 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
Subject: Anyone have an example Cisco TACACS Acct PCAP?


We (The FreeRADIUS development team) are fixing up the TACACS frontend and process modules in v4.0.x.

The example packets we're working with for TACACS accounting have timestamps in the format "2023-02-22 18:37:36 EST".

RFC 8907 states timestamps should be seconds since the Unix epoch.

We're wondering how many TACACS clients out there actually follow the RFC and how many use their own weird and wonderful formats.

We'd appreciate any PCAPs (or screen grabs of PCAPs) which show the format their TACACS clients use for dates.

Thanks,
-Arran
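
Added example, not part of the original thread and not FreeRADIUS code: a sketch of how a receiver could tell the two timestamp styles discussed here apart, run over the arguments from the C9300 capture and over one constructed argument in the "2023-02-22 18:37:36 EST" style. The names split_arg, classify_time and audit are hypothetical.

```python
import re
from datetime import datetime, timezone

TIME_ATTRS = {"start_time", "stop_time"}  # accounting arguments holding a point in time

def split_arg(arg):
    """Split an argument at its first '=' (mandatory) or '*' (optional)."""
    m = re.match(r"([^=*]+)([=*])(.*)", arg, re.S)
    if not m:
        raise ValueError(f"not an attribute-value pair: {arg!r}")
    return m.group(1), m.group(2) == "=", m.group(3)

def classify_time(value):
    """Return (kind, datetime, tz_abbrev); kind is epoch, formatted or unknown."""
    if value.isascii() and value.isdigit():
        try:
            return "epoch", datetime.fromtimestamp(int(value), tz=timezone.utc), "UTC"
        except (OverflowError, OSError, ValueError):
            return "unknown", None, None  # digits, but outside the representable range
    m = re.fullmatch(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: ([A-Za-z]{2,5}))?",
                     value, re.A)
    if m:
        try:
            # The abbreviation stays as text: names like EST are ambiguous, so
            # the datetime is left naive rather than guessing a UTC offset.
            return "formatted", datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        except ValueError:
            pass  # right shape, but not a real calendar date
    return "unknown", None, None

def audit(args):
    """Map each time attribute present in args to its classification."""
    out = {}
    for arg in args:
        name, _, value = split_arg(arg)
        if name in TIME_ATTRS:
            out[name] = classify_time(value)
    return out

# Arguments as decoded in the C9300 capture in this message.
C9300_ARGS = ["task_id=4180", "timezone=EST", "service=shell",
              "start_time=1677269899", "priv-lvl=15", "cmd=show running-config <cr>"]
# Constructed sample using the formatted style quoted in the original request.
FORMATTED_ARGS = ["task_id=1", "stop_time=2023-02-22 18:37:36 EST"]

if __name__ == "__main__":
    for label, args in (("C9300", C9300_ARGS), ("formatted", FORMATTED_ARGS)):
        print(label, audit(args))
```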
