From: Ken.Farrington@barclayscapital.com
Date: Sun Oct 05 2003 - 17:12:24 GMT-3
This is better
No. Time      Source        Destination   Protocol Info
42  24.326778 142.220.200.1 192.168.69.21 TCP      11007 > 49 [SYN] Seq=3322188603 Ack=0 Win=4128 Len=0
43  24.326918 192.168.69.21 142.220.200.1 TCP      49 > 11007 [SYN, ACK] Seq=1275988310 Ack=3322188604 Win=5840 Len=0
44  24.328129 142.220.200.1 192.168.69.21 TCP      11007 > 49 [ACK] Seq=3322188604 Ack=1275988311 Win=4128 Len=0
45  24.428857 142.220.200.1 192.168.69.21 TACACS+  Request
46  24.429001 192.168.69.21 142.220.200.1 TCP      49 > 11007 [ACK] Seq=1275988311 Ack=3322188633 Win=5840 Len=0
47  24.429213 192.168.69.21 142.220.200.1 TACACS+  Response
48  24.628780 142.220.200.1 192.168.69.21 TCP      11007 > 49 [ACK] Seq=3322188633 Ack=1275988366 Win=4073 Len=0
67  55.592586 142.220.200.1 192.168.69.21 TACACS+  Request
68  55.593114 192.168.69.21 142.220.200.1 TCP      49 > 11007 [FIN, ACK] Seq=1275988366 Ack=3322188664 Win=5840 Len=0
69  55.594042 142.220.200.1 192.168.69.21 TCP      11007 > 49 [ACK] Seq=3322188664 Ack=1275988367 Win=4073 Len=0
72  57.592706 142.220.200.1 192.168.69.21 TCP      11007 > 49 [FIN, PSH, ACK] Seq=3322188664 Ack=1275988367 Win=4073 Len=0
73  57.592910 192.168.69.21 142.220.200.1 TCP      49 > 11007 [ACK] Seq=1275988367 Ack=3322188665 Win=5840 Len=0
-----Original Message-----
From: Farrington, Ken: IT (LDN)
Sent: 05 October 2003 21:10
To: 'groupstudy@cconlinelabs.com'; Farrington, Ken: IT (LDN);
ccielab@groupstudy.com
Subject: RE: TACACs Authentication Traffic Analysis
All,
I have just downloaded and installed tac_plus for redhat and got my NASs
authenticating with my linux box.
Below are 6 packets traced to show us the correct answer.
You're right Tony about the source interfaces and PZ about the ports :0 many
thx
====================================================================================
Frame 42 (60 on wire, 60 captured)
Arrival Time: Oct 6, 2003 04:51:34.713176000
Time delta from previous packet: 0.001756000 seconds
Time relative to first packet: 24.326778000 seconds
Frame Number: 42
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II
Destination: 00:10:f6:a8:18:00 (Cisco_a8:18:00)
Source: 00:00:0c:5c:b7:19 (Cisco_5c:b7:19)
Type: IP (0x0800)
Trailer: 0000
Internet Protocol, Src Addr: 142.220.200.1 (142.220.200.1), Dst Addr: 192.168.69.21 (192.168.69.21)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x0000
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (0x06)
Header checksum: 0x57da (correct)
Source: 142.220.200.1 (142.220.200.1)
Destination: 192.168.69.21 (192.168.69.21)
Transmission Control Protocol, Src Port: 11007 (11007), Dst Port: 49 (49), Seq: 3322188603, Ack: 0, Len: 0
Source port: 11007 (11007)
Destination port: 49 (49)
Sequence number: 3322188603
Header length: 24 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 4128
Checksum: 0xa340 (correct)
Options: (4 bytes)
Maximum segment size: 536 bytes
Frame 43 (60 on wire, 60 captured)
Arrival Time: Oct 6, 2003 04:51:34.713316000
Time delta from previous packet: 0.000140000 seconds
Time relative to first packet: 24.326918000 seconds
Frame Number: 43
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II
Destination: 00:00:0c:5c:b7:19 (Cisco_5c:b7:19)
Source: 00:10:f6:a8:18:00 (Cisco_a8:18:00)
Type: IP (0x0800)
Trailer: 0000
Internet Protocol, Src Addr: 192.168.69.21 (192.168.69.21), Dst Addr: 142.220.200.1 (142.220.200.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x0000
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (0x06)
Header checksum: 0xd7da (correct)
Source: 192.168.69.21 (192.168.69.21)
Destination: 142.220.200.1 (142.220.200.1)
Transmission Control Protocol, Src Port: 49 (49), Dst Port: 11007 (11007), Seq: 1275988310, Ack: 3322188604, Len: 0
Source port: 49 (49)
Destination port: 11007 (11007)
Sequence number: 1275988310
Acknowledgement number: 3322188604
Header length: 24 bytes
Flags: 0x0012 (SYN, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 5840
Checksum: 0x437f (correct)
Options: (4 bytes)
Maximum segment size: 1460 bytes
Frame 44 (60 on wire, 60 captured)
Arrival Time: Oct 6, 2003 04:51:34.714527000
Time delta from previous packet: 0.001211000 seconds
Time relative to first packet: 24.328129000 seconds
Frame Number: 44
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II
Destination: 00:10:f6:a8:18:00 (Cisco_a8:18:00)
Source: 00:00:0c:5c:b7:19 (Cisco_5c:b7:19)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src Addr: 142.220.200.1 (142.220.200.1), Dst Addr: 192.168.69.21 (192.168.69.21)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x0001
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (0x06)
Header checksum: 0x57dd (correct)
Source: 142.220.200.1 (142.220.200.1)
Destination: 192.168.69.21 (192.168.69.21)
Transmission Control Protocol, Src Port: 11007 (11007), Dst Port: 49 (49), Seq: 3322188604, Ack: 1275988311, Len: 0
Source port: 11007 (11007)
Destination port: 49 (49)
Sequence number: 3322188604
Acknowledgement number: 1275988311
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 4128
Checksum: 0x61ec (correct)
Frame 45 (83 on wire, 83 captured)
Arrival Time: Oct 6, 2003 04:51:34.815255000
Time delta from previous packet: 0.100728000 seconds
Time relative to first packet: 24.428857000 seconds
Frame Number: 45
Packet Length: 83 bytes
Capture Length: 83 bytes
Ethernet II
Destination: 00:10:f6:a8:18:00 (Cisco_a8:18:00)
Source: 00:00:0c:5c:b7:19 (Cisco_5c:b7:19)
Type: IP (0x0800)
Internet Protocol, Src Addr: 142.220.200.1 (142.220.200.1), Dst Addr: 192.168.69.21 (192.168.69.21)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 69
Identification: 0x0002
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (0x06)
Header checksum: 0x57bf (correct)
Source: 142.220.200.1 (142.220.200.1)
Destination: 192.168.69.21 (192.168.69.21)
Transmission Control Protocol, Src Port: 11007 (11007), Dst Port: 49 (49), Seq: 3322188604, Ack: 1275988311, Len: 29
Source port: 11007 (11007)
Destination port: 49 (49)
Sequence number: 3322188604
Next sequence number: 3322188633
Acknowledgement number: 1275988311
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 4128
Checksum: 0xfcb2 (correct)
TACACS+
Major version: TACACS+
Minor version: 0
Type: Authentication (1)
Sequence number: 1
Flags: Encrypted payload, Multiple Connections (0x00)
.... ...0 = Payload type: Encrypted
.... .0.. = Connection type: Multiple
Session ID: 1798441856
Packet length: 17
Encrypted payload
Frame 46 (60 on wire, 60 captured)
Arrival Time: Oct 6, 2003 04:51:34.815399000
Time delta from previous packet: 0.000144000 seconds
Time relative to first packet: 24.429001000 seconds
Frame Number: 46
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II
Destination: 00:00:0c:5c:b7:19 (Cisco_5c:b7:19)
Source: 00:10:f6:a8:18:00 (Cisco_a8:18:00)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src Addr: 192.168.69.21 (192.168.69.21), Dst Addr: 142.220.200.1 (142.220.200.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0xb17a
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (0x06)
Header checksum: 0x2664 (correct)
Source: 192.168.69.21 (192.168.69.21)
Destination: 142.220.200.1 (142.220.200.1)
Transmission Control Protocol, Src Port: 49 (49), Dst Port: 11007 (11007), Seq: 1275988311, Ack: 3322188633, Len: 0
Source port: 49 (49)
Destination port: 11007 (11007)
Sequence number: 1275988311
Acknowledgement number: 3322188633
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5840
Checksum: 0x5b1f (correct)
Frame 47 (109 on wire, 109 captured)
Arrival Time: Oct 6, 2003 04:51:34.815611000
Time delta from previous packet: 0.000212000 seconds
Time relative to first packet: 24.429213000 seconds
Frame Number: 47
Packet Length: 109 bytes
Capture Length: 109 bytes
Ethernet II
Destination: 00:00:0c:5c:b7:19 (Cisco_5c:b7:19)
Source: 00:10:f6:a8:18:00 (Cisco_a8:18:00)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.69.21 (192.168.69.21), Dst Addr: 142.220.200.1 (142.220.200.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 95
Identification: 0xb17b
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (0x06)
Header checksum: 0x262c (correct)
Source: 192.168.69.21 (192.168.69.21)
Destination: 142.220.200.1 (142.220.200.1)
Transmission Control Protocol, Src Port: 49 (49), Dst Port: 11007 (11007), Seq: 1275988311, Ack: 3322188633, Len: 55
Source port: 49 (49)
Destination port: 11007 (11007)
Sequence number: 1275988311
Next sequence number: 1275988366
Acknowledgement number: 3322188633
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5840
Checksum: 0x1d09 (correct)
TACACS+
Major version: TACACS+
Minor version: 0
Type: Authentication (1)
Sequence number: 2
Flags: Encrypted payload, Multiple Connections (0x00)
.... ...0 = Payload type: Encrypted
.... .0.. = Connection type: Multiple
Session ID: 1798441856
Packet length: 43
Encrypted payload
Frame 48 (60 on wire, 60 captured)
Arrival Time: Oct 6, 2003 04:51:35.015178000
Time delta from previous packet: 0.199567000 seconds
Time relative to first packet: 24.628780000 seconds
Frame Number: 48
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II
Destination: 00:10:f6:a8:18:00 (Cisco_a8:18:00)
Source: 00:00:0c:5c:b7:19 (Cisco_5c:b7:19)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src Addr: 142.220.200.1 (142.220.200.1), Dst Addr: 192.168.69.21 (192.168.69.21)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x0003
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (0x06)
Header checksum: 0x57db (correct)
Source: 142.220.200.1 (142.220.200.1)
Destination: 192.168.69.21 (192.168.69.21)
Transmission Control Protocol, Src Port: 11007 (11007), Dst Port: 49 (49), Seq: 3322188633, Ack: 1275988366, Len: 0
Source port: 11007 (11007)
Destination port: 49 (49)
Sequence number: 3322188633
Acknowledgement number: 1275988366
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 4073
Checksum: 0x61cf (correct)
====================================================================================
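[Added example, not part of the original thread and not tac_plus code: a header check a defender could run over TCP/49 payloads like frames 45 and 47 above, confirming that the 12-byte TACACS+ header length matches the TCP payload (29 = 12 + 17, 55 = 12 + 43) and that the cleartext flag is not set. The segments are constructed from the decoded header fields in the trace with zero-filled bodies, since the payload bytes are not shown; the function names are hypothetical.]

```python
import struct

HEADER_LEN = 12
UNENCRYPTED_FLAG = 0x01   # flags bit 0: body sent in cleartext
TYPES = {1: "Authentication", 2: "Authorization", 3: "Accounting"}

def parse_header(segment):
    """Decode the 12-byte TACACS+ header at the start of a TCP payload."""
    if len(segment) < HEADER_LEN:
        raise ValueError("segment shorter than the 12-byte TACACS+ header")
    ver, ptype, seq, flags, session_id, length = struct.unpack(
        "!BBBBII", segment[:HEADER_LEN])
    return {"major": ver >> 4, "minor": ver & 0x0F, "type": ptype,
            "seq": seq, "flags": flags, "session_id": session_id,
            "length": length}

def audit(segment, from_client):
    """Return the findings a defender would want raised for one segment."""
    h = parse_header(segment)
    findings = []
    if h["major"] != 0xC:
        findings.append("major version is not TACACS+ (0xc)")
    if h["type"] not in TYPES:
        findings.append("unknown packet type %d" % h["type"])
    if h["flags"] & UNENCRYPTED_FLAG:
        findings.append("body is cleartext (unencrypted flag set)")
    if h["length"] != len(segment) - HEADER_LEN:
        findings.append("header length %d != %d body bytes on the wire"
                        % (h["length"], len(segment) - HEADER_LEN))
    # Clients (the NAS) send odd sequence numbers, servers even ones.
    if (h["seq"] % 2 == 1) != from_client:
        findings.append("sequence number %d has the wrong parity" % h["seq"])
    return findings

def build(seq, flags, body_len, session_id=1798441856):
    """Constructed segment: header fields from the trace, zero-filled body."""
    return struct.pack("!BBBBII", 0xC0, 1, seq, flags, session_id,
                       body_len) + bytes(body_len)

FRAME_45 = build(seq=1, flags=0x00, body_len=17)   # NAS -> server, 29 bytes
FRAME_47 = build(seq=2, flags=0x00, body_len=43)   # server -> NAS, 55 bytes
CLEARTEXT = build(seq=1, flags=0x01, body_len=17)  # constructed bad case

if __name__ == "__main__":
    for name, seg, client in (("frame 45", FRAME_45, True),
                              ("frame 47", FRAME_47, False),
                              ("cleartext", CLEARTEXT, True)):
        print(name, len(seg), audit(seg, client) or "ok")
```

[The body that the dissector labels "Encrypted payload" is protected only by an MD5-based pad keyed with the shared secret; with the flag bit set, even that is absent.]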
-----Original Message-----
From: Tony Schaffran [mailto:groupstudy@cconlinelabs.com]
Sent: 05 October 2003 16:32
To: Ken.Farrington@barclayscapital.com; ccielab@groupstudy.com
Subject: RE: TACACs Authentication Traffic Analysis
A router configured with AAA speaks to TACACS using destination port TCP 49.
I believe the source port is also TCP 49. It will use the interface IP
address you are communicating to the TACACS unless you specify a TACACS
source address on the router. You can specify any interface on the router.
I hope that helps a little. One source for this type of information is the
CCIE Self Study Exam Certification Guide for Security.
Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ken.Farrington@barclayscapital.com
Sent: Sunday, October 05, 2003 8:19 AM
To: ccielab@groupstudy.com
Subject: TACACs Authentication Traffic Analysis
V. quick one
I log in to a router with tacacs enabled. I type my username/password.
How does the router speak to the server, is it tcp or udp on port 49? And
what tcp/udp source ports/ip address does it use - I take it the
dest ports are 49
Be handy if anyone knows where this info is.
Many thx