From saymon at online.net.br Tue Nov 13 17:42:09 2018
From: saymon at online.net.br (Saymon Araújo)
Date: Tue, 13 Nov 2018 14:42:09 -0300
Subject: [tac_plus] HWTACACS Compatible - Question
Message-ID:

Hello,

Can we make your implementation of tacacs+ compatible with HWTacacs ?

Regards,

From heas at shrubbery.net Tue Nov 13 19:49:33 2018
From: heas at shrubbery.net (heasley)
Date: Tue, 13 Nov 2018 19:49:33 +0000
Subject: [tac_plus] HWTACACS Compatible - Question
In-Reply-To:
References:
Message-ID: <20181113194933.GC61665@shrubbery.net>

Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
> Hello,
>
> Can we make your implementation of tacacs+ compatible with HWTacacs ?

no, sorry. only tacacs+

From saymon at online.net.br Tue Nov 13 19:53:55 2018
From: saymon at online.net.br (Saymon Araújo)
Date: Tue, 13 Nov 2018 16:53:55 -0300
Subject: [tac_plus] HWTACACS Compatible - Question
In-Reply-To: <20181113194933.GC61665@shrubbery.net>
References: <20181113194933.GC61665@shrubbery.net>
Message-ID:

Hello,

On the Huawei documentation they said that it's compatible, but some headers may be different.
On my switches I can log in using tacacs+ users, but the permissions of the users are wrong.

Regards,

On Tue, 13 Nov 2018 at 16:49, heasley wrote:

> Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
> > Hello,
> >
> > Can we make your implementation of tacacs+ compatible with HWTacacs ?
>
> no, sorry. only tacacs+
>
From heas at shrubbery.net Tue Nov 13 23:31:44 2018
From: heas at shrubbery.net (heasley)
Date: Tue, 13 Nov 2018 23:31:44 +0000
Subject: [tac_plus] HWTACACS Compatible - Question
In-Reply-To:
References: <20181113194933.GC61665@shrubbery.net>
Message-ID: <20181113233144.GI61665@shrubbery.net>

Tue, Nov 13, 2018 at 04:53:55PM -0300, Saymon Araújo:
> Hello,
>
> On the Huawei documentation they said that it's compatible, but some headers
> may be different.
> On my switches I can log in using tacacs+ users, but the permissions of the
> users are wrong.
>
> Regards,

I have no experience with it, but glancing through the RFC, I concluded
that there seemed to be non-trivial differences that I do not expect to
work with daemon. I could be wrong. Does the device not support
tacacs+?

>
> On Tue, 13 Nov 2018 at 16:49, heasley wrote:
>
> > Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
> > > Hello,
> > >
> > > Can we make your implementation of tacacs+ compatible with HWTacacs ?
> >
> > no, sorry. only tacacs+
> >

From saymon at online.net.br Wed Nov 14 00:59:53 2018
From: saymon at online.net.br (Saymon Araújo)
Date: Tue, 13 Nov 2018 21:59:53 -0300
Subject: [tac_plus] HWTACACS Compatible - Question
In-Reply-To: <20181113233144.GI61665@shrubbery.net>
References: <20181113194933.GC61665@shrubbery.net> <20181113233144.GI61665@shrubbery.net>
Message-ID:

Hello,

No, all the routers and switches from Huawei use HWTacacs. The Huawei documentation says this:

HWTACACS and the TACACS+ protocols of other vendors support authentication, authorization, and accounting. HWTACACS and TACACS+ are identical in authentication process and implementation mechanism. That is, they are compatible with each other at the protocol layer. For example, a device running HWTACACS can communicate with a Cisco server (such as ACS).
However, HWTACACS may not be compatible with Cisco extended attributes because different vendors define different fields and meanings for extended attributes.

In some other link the protocols do look about the same.
http://support.huawei.com/enterprise/en/doc/EDOC1000177218?section=j005

For example, the tacacs+ header:

All TACACS+ packets begin with the following 12 byte header. The header describes the remainder of the packet:

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+
|major  | minor  |                |                |                |
|version| version|      type      |     seq_no     |     flags      |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                            session_id                             |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                              length                               |
+----------------+----------------+----------------+----------------+

HWTacacs Header:

Fields in HWTACACS packet header

Field           Description
major version   Major version of the HWTACACS protocol. The current version is 0xc.
minor version   Minor version of the HWTACACS protocol. The current version is 0x0.
type            HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).
seq_no          Packet sequence number in a session, ranging from 1 to 254.
flags           Encryption flag on the packet body. Only the first bit among the 8 bits is supported. The value 0 indicates to encrypt the packet body, and the value 1 indicates not to encrypt the packet body.
session_id      Session ID, which is the unique identifier of a session.
length          Length of the HWTACACS packet body, excluding the packet header.

Regards,

On Tue, 13 Nov 2018 at 20:31, heasley wrote:

> Tue, Nov 13, 2018 at 04:53:55PM -0300, Saymon Araújo:
> > Hello,
> >
> > On the Huawei documentation they said that it's compatible, but some headers
> > may be different.
> > On my switches I can log in using tacacs+ users, but the permissions of the
> > users are wrong.
> >
> > Regards,
>
> I have no experience with it, but glancing through the RFC, I concluded
> that there seemed to be non-trivial differences that I do not expect to
> work with daemon. I could be wrong. Does the device not support
> tacacs+?
>
> >
> > On Tue, 13 Nov 2018 at 16:49, heasley wrote:
> >
> > > Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
> > > > Hello,
> > > >
> > > > Can we make your implementation of tacacs+ compatible with HWTacacs ?
> > >
> > > no, sorry. only tacacs+
> > >

From bferrell at baywinds.org Wed Nov 14 03:02:50 2018
From: bferrell at baywinds.org (Bruce Ferrell)
Date: Tue, 13 Nov 2018 19:02:50 -0800
Subject: [tac_plus] HWTACACS Compatible - Question
In-Reply-To: <20181113233144.GI61665@shrubbery.net>
References: <20181113194933.GC61665@shrubbery.net> <20181113233144.GI61665@shrubbery.net>
Message-ID: <76296832-a737-d68f-680d-57f472739582@baywinds.org>

On 11/13/18 3:31 PM, heasley wrote:
> Tue, Nov 13, 2018 at 04:53:55PM -0300, Saymon Araújo:
>> Hello,
>>
>> On the Huawei documentation they said that it's compatible, but some headers
>> may be different.
>> On my switches I can log in using tacacs+ users, but the permissions of the
>> users are wrong.
>>
>> Regards,
> I have no experience with it, but glancing through the RFC, I concluded
> that there seemed to be non-trivial differences that I do not expect to
> work with daemon. I could be wrong. Does the device not support
> tacacs+?
>
>>
>> On Tue, 13 Nov 2018 at 16:49, heasley wrote:
>>
>>> Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
>>>> Hello,
>>>>
>>>> Can we make your implementation of tacacs+ compatible with HWTacacs ?
>>> no, sorry. only tacacs+
>>>

I have what I term a "dirty wireshark trick" for debugging this type of thing and often get people yelling at me for it, telling me to look at the logs, but it's worked every time I've done it.
Sometimes the logs don't tell me what I need to see or I have to fiddle with them.

This assumes you know the shared secret. If you don't, this has no way to work.

Collect a packet capture of the traffic between a working device and the tacacs(+) server in question.

Then do it again for the non-working device.

Start wireshark and go to edit/preferences/protocols. Locate tacacs+ in the list and click on it.

Put the shared secret into the field for TACACS+ encryption key.

Now open each of the capture files with wireshark. You can now see the data, including attributes requested and received.

When you're done, be sure to clear the key in wireshark.

From saymon at online.net.br Wed Nov 14 10:40:17 2018
From: saymon at online.net.br (Saymon Araújo)
Date: Wed, 14 Nov 2018 07:40:17 -0300
Subject: [tac_plus] HWTACACS Compatible - Question
In-Reply-To: <76296832-a737-d68f-680d-57f472739582@baywinds.org>
References: <20181113194933.GC61665@shrubbery.net> <20181113233144.GI61665@shrubbery.net> <76296832-a737-d68f-680d-57f472739582@baywinds.org>
Message-ID:

Hello,

Thank you Bruce. I will do that and return with the results.

Thank you all for the attention.

Regards,

On Wed, 14 Nov 2018 at 00:02, Bruce Ferrell wrote:

> On 11/13/18 3:31 PM, heasley wrote:
> > Tue, Nov 13, 2018 at 04:53:55PM -0300, Saymon Araújo:
> >> Hello,
> >>
> >> On the Huawei documentation they said that it's compatible, but some headers
> >> may be different.
> >> On my switches I can log in using tacacs+ users, but the permissions of the
> >> users are wrong.
> >>
> >> Regards,
> > I have no experience with it, but glancing through the RFC, I concluded
> > that there seemed to be non-trivial differences that I do not expect to
> > work with daemon. I could be wrong. Does the device not support
> > tacacs+?
> >
> >>
> >> On Tue, 13 Nov 2018 at 16:49, heasley wrote:
> >>
> >>> Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
> >>>> Hello,
> >>>>
> >>>> Can we make your implementation of tacacs+ compatible with HWTacacs ?
> >>> no, sorry. only tacacs+
> >>>
> I have what I term a "dirty wireshark trick" for debugging this type of
> thing and often get people yelling at me for it, telling me to look at the
> logs, but it's worked every time
> I've done it. Sometimes the logs don't tell me what I need to see or I
> have to fiddle with them.
>
> This assumes you know the shared secret. If you don't, this has no way to
> work.
>
> Collect a packet capture of the traffic between a working device and the
> tacacs(+) server in question.
>
> Then do it again for the non-working device.
>
> Start wireshark and go to edit/preferences/protocols. Locate tacacs+ in
> the list and click on it.
>
> Put the shared secret into the field for TACACS+ encryption key.
>
> Now open each of the capture files with wireshark. You can now see the
> data, including attributes requested and received.
>
> When you're done, be sure to clear the key in wireshark.
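Added worked example for two points in this thread (not code from the list, from tac_plus or from Huawei): it parses the 12-byte header that Saymon's message lays out for both TACACS+ and HWTACACS, and it recovers a packet body with the shared secret, which is what Bruce's Wireshark trick does when the key is entered under the TACACS+ preferences. The pad is the MD5 chain from RFC 8907; the secret, session id and body are constructed values, and with a wrong secret the body comes out as garbage, which is the same check a mismatched key gives in Wireshark.

```python
import hashlib
import struct

HEADER_LEN = 12                  # both TACACS+ and HWTACACS use this 12-byte header
UNENCRYPTED_FLAG = 0x01          # flags bit 0 set: body is sent in the clear
TYPE_NAMES = {1: "authentication", 2: "authorization", 3: "accounting"}

def parse_header(packet):
    """Return the header fields; reject truncated packets and bad length fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if len(packet) - HEADER_LEN != length:
        raise ValueError("length field does not match the body size")
    return {"major_version": version >> 4, "minor_version": version & 0x0F,
            "type": TYPE_NAMES.get(ptype, "unknown"), "seq_no": seq_no,
            "unencrypted": bool(flags & UNENCRYPTED_FLAG),
            "session_id": session_id, "length": length}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5; the body is XORed with this pad."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def decode_body(packet, key):
    """Recover the cleartext body with the shared secret, as Wireshark does."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:]
    if hdr["unencrypted"]:
        return body
    version = (hdr["major_version"] << 4) | hdr["minor_version"]
    pad = pseudo_pad(hdr["session_id"], key, version, hdr["seq_no"], hdr["length"])
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, key, body, version=0xC0):
    """Build an obfuscated packet (version 0xc.0); used only to construct the sample below."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

# Constructed sample, not a real capture: an authorization packet whose body is a
# stand-in string of the AV pairs a device sends (not the exact REQUEST layout);
# the shared secret and session id are made up.
SAMPLE_KEY = b"example-secret"
SAMPLE_BODY = b"service=shell\x00cmd=\x00priv-lvl=15\x00"
SAMPLE_PACKET = build_packet(2, 1, 0x1A2B3C4D, SAMPLE_KEY, SAMPLE_BODY)
```

Running decode_body over each packet of a working and a non-working capture with the same secret lets you diff the attributes the two devices actually send, which is the comparison Bruce describes.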