auppal
Staff
Article Id 231937
Description

 

This article describes how to decrypt the RADIUS and TACACS+ packets on Wireshark.

 

In order to troubleshoot RADIUS and TACACS+ authentication, it may be required to decrypt the packet capture and check the attributes sent between the client and the server.

 

Scope

 

RADIUS, TACACS+

 

Solution

 

When the RADIUS packets are encrypted, the User-Password attribute has its value shown as encrypted and the password is not shown in clear text.

 


 

To decrypt this, in Wireshark go to Edit -> Preferences -> Protocols and select RADIUS, then enter the Shared Secret value and specify the UDP ports on which the communication between the client and server will take place.


 

Non-default ports for RADIUS traffic, such as 1814, can also be entered here if required.

Once the correct shared secret and ports are entered, Wireshark may show the decrypted values:

 


 

Similarly, for TACACS+, Wireshark will not be able to show the encrypted username and password.

 


 

To decrypt this, in Wireshark go to Edit -> Preferences -> Protocols and select TACACS+.

Enter the Encryption Key as set on the TACACS+ server and enter the TCP port value.

 


 

Once all the correct values are provided, Wireshark may show the decrypted request along with the username and password values.

Another way to determine whether the TACACS+ packet is decrypted is to check the bottom of the Wireshark window.

If the packet is successfully decrypted, it should show 'TACACS+ Decrypted'.

 
