Again two more commonly used network protocols for the Ultimate PCAP: the Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access-Control System Plus (TACACS+) protocols. Captured with quite some details:
You can either download the Ultimate PCAP (recommended ;)) or merely these PCAPs:
RADIUS
Quoting Wikipedia: “Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. […] The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP.”
For these tests, I installed FreeRADIUS version 3.0.20 on a Ubuntu 20.04.5 LTS (5.4.0-135-generic x86_64).
At first, I used the “radtest” tool for some very basic query-responses aka request-accept messages. IPv6 and legacy IP, each time with: PAP, CHAP, and MS-CHAP:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
weberjoh@vm30-test1:~$ radtest -t pap -6 bob ThisIsThePassword test2-v6.weberlab.de 10 iNJ72r0uPXP5qhAX Sent Access-Request Id 238 from [::]:51580 to [2001:470:1f0b:16b0:20c:29ff:fea8:26f7]:1812 length 101 User-Name = "bob" User-Password = "ThisIsThePassword" NAS-IPv6-Address = ::1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "ThisIsThePassword" Received Access-Accept Id 238 from [2001:470:1f0b:16b0:20c:29ff:fea8:26f7]:1812 to [::]:0 length 32 Reply-Message = "Hello, bob" weberjoh@vm30-test1:~$ radtest -t chap -6 bob ThisIsThePassword test2-v6.weberlab.de 10 iNJ72r0uPXP5qhAX Sent Access-Request Id 23 from [::]:46192 to [2001:470:1f0b:16b0:20c:29ff:fea8:26f7]:1812 length 86 User-Name = "bob" CHAP-Password = 0xea8d36b4906c71784c75e17983e36cab66 NAS-IPv6-Address = ::1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "ThisIsThePassword" Received Access-Accept Id 23 from [2001:470:1f0b:16b0:20c:29ff:fea8:26f7]:1812 to [::]:0 length 32 Reply-Message = "Hello, bob" weberjoh@vm30-test1:~$ radtest -t mschap -6 bob ThisIsThePassword test2-v6.weberlab.de 10 iNJ72r0uPXP5qhAX Sent Access-Request Id 22 from [::]:60664 to [2001:470:1f0b:16b0:20c:29ff:fea8:26f7]:1812 length 141 User-Name = "bob" MS-CHAP-Password = "ThisIsThePassword" NAS-IPv6-Address = ::1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "ThisIsThePassword" MS-CHAP-Challenge = 0x9cfe6e183debe56d MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000517e32e81fc99c2d05fc072ce33afe6eb5a01a782532c359 Received Access-Accept Id 22 from [2001:470:1f0b:16b0:20c:29ff:fea8:26f7]:1812 to [::]:0 length 96 Reply-Message = "Hello, bob" MS-CHAP-MPPE-Keys = 0x00000000000000001c2e158974b065d412b4456d6ebf7574 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed weberjoh@vm30-test1:~$ weberjoh@vm30-test1:~$ weberjoh@vm30-test1:~$ radtest -t pap bob ThisIsThePassword test2-v4.weberlab.de 10 iNJ72r0uPXP5qhAX Sent Access-Request Id 19 from 0.0.0.0:35337 to 194.247.5.27:1812 length 89 User-Name = "bob" User-Password = "ThisIsThePassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "ThisIsThePassword" Received Access-Accept Id 19 from 194.247.5.27:1812 to 0.0.0.0:0 length 32 Reply-Message = "Hello, bob" weberjoh@vm30-test1:~$ radtest -t chap bob ThisIsThePassword test2-v4.weberlab.de 10 iNJ72r0uPXP5qhAX Sent Access-Request Id 52 from 0.0.0.0:41381 to 194.247.5.27:1812 length 74 User-Name = "bob" CHAP-Password = 0xe58f51cf7e8b048d3d8ebbf5837378e277 NAS-IP-Address = 127.0.0.1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "ThisIsThePassword" Received Access-Accept Id 52 from 194.247.5.27:1812 to 0.0.0.0:0 length 32 Reply-Message = "Hello, bob" weberjoh@vm30-test1:~$ radtest -t mschap bob ThisIsThePassword test2-v4.weberlab.de 10 iNJ72r0uPXP5qhAX Sent Access-Request Id 102 from 0.0.0.0:43642 to 194.247.5.27:1812 length 129 User-Name = "bob" MS-CHAP-Password = "ThisIsThePassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 10 Message-Authenticator = 0x00 Cleartext-Password = "ThisIsThePassword" MS-CHAP-Challenge = 0x336bbd41fe6c4c2d MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004ec1a471e0992133be0bed6a714beffd62802495e0e34a5f Received Access-Accept Id 102 from 194.247.5.27:1812 to 0.0.0.0:0 length 96 Reply-Message = "Hello, bob" MS-CHAP-MPPE-Keys = 0x00000000000000001c2e158974b065d412b4456d6ebf7574 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed |
Secondly, I did some “Test User Credentials” on a Fortinet FortiWiFi FWF-61E with FortiOS 7.0.9 within the RADIUS Servers profile. I did the following methods in that order: PAP, CHAP, MS-CHAP, and MS-CHAP-v2. The FortiGate is not capable of any secure authentication schemes nor communicating via IPv6. (Why is this called a next-gen firewall?)
Thirdly I did some authentication tests on a Palo Alto Networks PA-220 with PAN-OS 10.2.3. I wanted to test some advanced authentication variants of RADIUS that are secured by TLS. Therefore, I ran the “/etc/freeradius/3.0/certs/bootstrap” script on the FreeRADIUS server to get some certificates in place, edited some config files (I don’t remember which one exactly, but in the end, it worked – hahaha), exported the snakeoil root CA, imported it into the Palo Alto NGFW, marked it as “Trusted Root CA”, created an appropriate Certificate Profile, and selected this profile within the RADIUS server profile. (This would be an own blog post just about using secure RADIUS with the PAN. ;)) In the end, I was able to test the following auth protocols: PEAP-MSCHAPv2, PEAP with GTC, and EAP-TTLS with PAP. I did this by selecting the respective method, followed by the useful “test authentication […]” CLI commands. No commit needed to test all those stuff, though freshly configured within the GUI. Great.
This was the output during the tests on the PAN CLI:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
weberjoh@pa> test authentication authentication-profile test2 username bob password Enter password : Target vsys is not specified, user "bob" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... name "bob" is in group "all" Egress: No service source route is set, might use destination source route if configured Test authentication to RADIUS server 2001:470:1f0b:16b0:20c:29ff:fea8:26f7:1812 for user: "bob" (with anonymous outer id) using protocol: PEAP with MSCHAPv2 Successful EAPOL auth. Authentication succeeded against RADIUS server at 2001:470:1f0b:16b0:20c:29ff:fea8:26f7:1812 for user "bob" Authentication succeeded for user "bob" weberjoh@pa> weberjoh@pa> weberjoh@pa> test authentication authentication-profile test2 username bob password Enter password : Target vsys is not specified, user "bob" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... name "bob" is in group "all" Egress: No service source route is set, might use destination source route if configured Test authentication to RADIUS server 2001:470:1f0b:16b0:20c:29ff:fea8:26f7:1812 for user: "bob" (with anonymous outer id) using protocol: PEAP with GTC Successful EAPOL auth. Authentication succeeded against RADIUS server at 2001:470:1f0b:16b0:20c:29ff:fea8:26f7:1812 for user "bob" Authentication succeeded for user "bob" weberjoh@pa> weberjoh@pa> weberjoh@pa> test authentication authentication-profile test2 username bob password Enter password : Target vsys is not specified, user "bob" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... name "bob" is in group "all" Egress: No service source route is set, might use destination source route if configured Test authentication to RADIUS server 2001:470:1f0b:16b0:20c:29ff:fea8:26f7:1812 for user: "bob" (with anonymous outer id) using protocol: EAP-TTLS with PAP Successful EAPOL auth. Authentication succeeded against RADIUS server at 2001:470:1f0b:16b0:20c:29ff:fea8:26f7:1812 for user "bob" Authentication succeeded for user "bob" weberjoh@pa> |
And since I ran the FreeRADIUS server in debug mode, I’ll hand out those debug logs as well, just in case you’re interested. 3320 lines for those 3x auth tests. Wow. ;) Click here to download it.
Wiresharking
For all these tests I used the same RADIUS shared secret of iNJ72r0uPXP5qhAX. Paste it into the Edit -> Preferences -> Protocols -> RADIUS section to have Wireshark decrypt some stuff:
And now, some Wireshark screenshots, while I strongly encourage you to download the Ultimate PCAP and click around it by yourself. Use the display filter of radius.
I’ve only used some basic AVPs here since I did not use RADIUS in production with several different vendors and stuff. However, you get the idea. And there are already enough fields to dig into. ;) Furthermore, I only used RADIUS with UDP (not sure whether TCP is used at all for RADIUS?) and only for authentication on port 1812, not accounting on port 1813. I also missed mistyping the user password to have a reject. Yeah, that’s the way it is.
TACACS+
To simply state the TACACS article on Wikipedia again: “TACACS+ is a Cisco designed extension to TACACS that encrypts the full content of each packet. Moreover, it provides granular control in the form of command-by-command authorization. […] TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.”
TACACS+ uses TCP as transport and has its well-known port of 49. For my lab, I used an Aruba ClearPass Policy Manager version 6.9.10.134806 as the server and a Cisco ASR1001-X with IOS XE Version 17.03.04a as the client aka NAS. (I apologise for being IPv4-only this time…)
Fortunately, Wireshark is able to decrypt all TACACS+ messages in case the shared secret is provided, which is true for my lab: John3.16. Edit -> Preferences -> Protocols -> TACACS+:
As always, if you want to see the whole TCP sessions aka streams (incl. the three-way handshakes), you have to use a display filter like tcp.port eq 49. The display filter for only the payload of TACACS+ (with the plus) is tacplus. (For the predecessor, which is TACACS without the plus, it is tacacs. But this is not used here.) I did the following steps during the capturing:
- 2x login with a wrong password -> authentication failed
- correct login -> authentication passed
- some CLI commands on the router to have a –> authorization
- and out of the box for TACACS+ –> accounting
That’s it for now. Merry Christmas! ?
Photo by CardMapr.nl on Unsplash.
Great write-up – again :)
My key take away: Wireshark (network packet analysis) can help you understand and verify complex mechanisms that support your business’s IT and security. It will safe valuable time and resources during proof of concept, implementation and operation.