[tac_plus] md5 and tac_plus

Mitch Raful (ITaaS) mitch.raful at dimensiondata.com
Thu Mar 16 18:54:38 UTC 2017


Ok, then, here’s what I don’t get.  I can decrypt the encrypted message the server sends me back.  Doesn’t that mean the keys match?  If I change, say, the “client’s” key, the error response stays unreadable.

Mitch

Mitch Raful
Sr. Network Engineer
Dimension Data Cloud Business Unit
43490 Yukon Drive
Ashburn, VA 21047
Office: 703-724-8862
Cell:     804-363-0731


From: Alan McKinnon <alan.mckinnon at gmail.com>
Date: Thursday, March 16, 2017 at 12:11 PM
To: "Mitch Raful (ITaaS)" <mitch.raful at itaas.dimensiondata.com>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Subject: Re: [tac_plus] md5 and tac_plus

On 16/03/2017 05:36, Mitch Raful (ITaaS) wrote:
> Ok, I’ve gotten much closer and can totally de-obfuscate the packet and
> get this…
>
>
>
> 8 10.163.252.27 : Invalid AUTHEN/START packet (check keys)
>
>
>
> Could I also be getting this because the device I am attempting to
> authenticate with is not permitted in an ACL?

No, that is a mismatched or wrong tacacs key being used.

ACL denies give a more explicit error


>
>
>
> Thanks,
>
>
>
> Mitch
>
>
>
> Mitch Raful
> Sr. Network Engineer
> Dimension Data Cloud Business Unit
> 43490 Yukon Drive
> Ashburn, VA 21047
> Office: 703-724-8862
> Cell: 804-363-0731
>
>
>
>
>
> *From: *tac_plus <tac_plus-bounces at shrubbery.net> on behalf of Alan
> McKinnon <alan.mckinnon at gmail.com>
> *Date: *Wednesday, March 15, 2017 at 5:18 AM
> *To: *"tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> *Subject: *Re: [tac_plus] md5 and tac_plus
>
>
>
>
>
> On 15/03/2017 00:22, Mitch Raful (ITaaS) wrote:
>> I cannot find a Python-based tacacs client. I am attempting to write
>> one on my own and can’t figure out the md5 data obfuscation. How does
>> tac_plus handle that? Does it XOR an md5 hash, and add that hash to
>> the session_id + key, version and sequence, and then again if needed?
>
>
> Not quite, but you are on the right track.
>
> There are 2 sources I can think of to find the correct details:
>
> - There's an unapproved RFC out there from Cisco that despite never
> moving out of draft status, is still the way the tacacs protocol works.
> Usage of the key is in there.
>
> - read the tacacsplus code. I recall reading it once and the relevant
> function was easy to find. Don't have a copy of sources handy to look for
> you though.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
>
>
>


--
Alan McKinnon
alan.mckinnon at gmail.com
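The body obfuscation Alan points Mitch toward in the quoted thread is specified in the Cisco TACACS+ draft (since published as RFC 8907): an MD5 pseudo-pad chained from session_id, key, version and seq_no, XORed with the packet body. The following is an added example written for this archive page; it is not Alan's code, not tac_plus's source, and not the draft text. It implements the pseudo-pad and the 12-byte header, and adds a simple length-consistency parse of an AUTHEN/START body to illustrate why a wrong key does not fail the XOR step (XOR always produces bytes) but produces a body that does not parse. The constants SESSION_ID, VERSION and SHARED_KEY, the sample user/port/rem_addr values, and the parse_authen_start and check_keys helpers are constructed for the example.

```python
import hashlib
import struct

# Protocol constants from the TACACS+ specification (Cisco draft, now RFC 8907).
TAC_PLUS_AUTHEN = 0x01             # header "type" for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is not obfuscated
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes

# Sample values constructed for this example; not taken from the thread.
SESSION_ID = 0x1234ABCD
VERSION = 0xC0                     # major version 0xC, minor version 0
SHARED_KEY = b"example-shared-key"


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Build the MD5 pseudo-pad the body is XORed with.

    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    The digests are concatenated and truncated to the body length.
    session_id is encoded as four bytes in network byte order.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call de-obfuscates; with a wrong key it simply XORs with a different pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"",
                       action: int = 0x01, priv_lvl: int = 1,
                       authen_type: int = 0x01, service: int = 0x01) -> bytes:
    """Serialise an AUTHEN/START body: eight one-byte fields, then the
    variable-length user, port, rem_addr and data fields."""
    fixed = bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def parse_authen_start(body: bytes):
    """Illustrative parser (not tac_plus's). Returns None when the declared
    field lengths do not add up to the body length, which is the usual
    symptom of de-obfuscating with the wrong key: the fixed fields are then
    effectively random bytes."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != len(body):
        return None
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port,
            "rem_addr": rem_addr, "data": data}


def build_packet(body: bytes, session_id: int, key: bytes, version: int,
                 seq_no: int, ptype: int) -> bytes:
    """Prepend the 12-byte header (never obfuscated) to the obfuscated body."""
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode_packet(packet: bytes, key: bytes) -> bytes:
    """Read the header and return the de-obfuscated body using the given key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def check_keys(packet: bytes, key: bytes):
    """What a server effectively has to do: de-obfuscate with its own key and
    see whether the result is a well-formed AUTHEN/START body."""
    return parse_authen_start(decode_packet(packet, key))


if __name__ == "__main__":
    body = build_authen_start(b"alice", b"tty0", b"192.0.2.10")
    packet = build_packet(body, SESSION_ID, SHARED_KEY, VERSION, 1, TAC_PLUS_AUTHEN)
    print("server key matches:", check_keys(packet, SHARED_KEY))
    print("server key differs:", check_keys(packet, b"some-other-key"))
```

Running the script shows the two sides of the question in the thread: with the matching key check_keys returns the parsed START body, and with any other key it almost always returns None, because the four length bytes no longer sum to the body length. That is the kind of inconsistency behind a "check keys" style error; the XOR itself never fails, so being able to XOR the server's reply into bytes is not on its own evidence that the keys agree.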


