[tac_plus] HWTACACS Compatible - Question

Bruce Ferrell bferrell at baywinds.org
Wed Nov 14 03:02:50 UTC 2018


On 11/13/18 3:31 PM, heasley wrote:
> Tue, Nov 13, 2018 at 04:53:55PM -0300, Saymon Araújo:
>> Hello,
>>
>> On the Huawei documentation they said that it's compatible, but some headers
>> may be different.
>> On my switches I can log in using tacacs+ users, but the permissions of the
>> users are wrong.
>>
>> Regards,
> I have no experience with it, but glancing through the RFC, I concluded
> that there seemed to be non-trivial differences that I do not expect to
> work with daemon.  I could be wrong.  Does the device not support
> tacacs+?
>
>>
>> On Tue, Nov 13, 2018 at 16:49, heasley <heas at shrubbery.net> wrote:
>>
>>> Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
>>>> Hello,
>>>>
>>>> Can we make your implementation of tacacs+ compatible with HWTacacs ?
>>> no, sorry.  only tacacs+
>>>
I have what I term a "dirty wireshark trick" for debugging this type of thing and often get people yelling at me for it, telling me to look at the logs, but it's worked every time I've done it. Sometimes the logs don't tell me what I need to see or I have to fiddle with them.

This assumes you know the shared secret.  If you don't, this has no way to work.

Collect a packet capture of the traffic between a working device and the tacacs(+) server in question.

Then do it again for the non-working device.

Start wireshark and go to edit/preferences/protocols. Locate tacacs+ in the list and click on it.

Put the shared secret into the field for TACACS+ encryption key.

Now open each of the capture files with wireshark.  You can now see the data, including attributes requested and received.

When you're done, be sure to clear the key in wireshark.
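
What the shared secret is used for in that Wireshark preference, as an added example that is not part of the original post: the TACACS+ body is XORed with a chained-MD5 pad (RFC 8907), after which the attribute-value pairs in an authorization reply can be listed and compared between the two captures. The key, session id and attributes below are constructed sample values, not taken from any capture.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR = 0x02          # packet type: authorization
KEY = b"constructed-secret"     # constructed sample shared secret

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 blocks over session_id, key, version, seq_no, previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(packet, key):
    """Return (header fields, cleartext body); XOR is its own inverse."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    return (version, ptype, seq_no, flags, session_id), body

def parse_author_reply(body):
    """Return (status, [attribute-value strings]) from an authorization reply body."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt + msg_len + data_len
    if off + sum(arg_lens) != len(body):
        raise ValueError("inconsistent lengths: wrong key or not an authorization reply")
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    return status, args

def build_sample(key):
    """Constructed authorization reply, obfuscated with `key` (not a real capture)."""
    args = [b"priv-lvl=15", b"idletime=10"]
    body = bytes([0x01, len(args)]) + struct.pack("!HH", 0, 0) + bytes(map(len, args)) + b"".join(args)
    hdr = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHOR, 2, 0, 0x1234ABCD, len(body))
    pad = pseudo_pad(0x1234ABCD, key, 0xC0, 2, len(body))
    return hdr + bytes(a ^ b for a, b in zip(body, pad))

if __name__ == "__main__":
    print(parse_author_reply(xor_body(build_sample(KEY), KEY)[1]))
```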
