This article describes how to decrypt RADIUS and TACACS+ packets in Wireshark.
In order to troubleshoot RADIUS and TACACS+ authentication, it may be required to decrypt the packet capture and check the attributes sent between the client and the server.
RADIUS, TACACS+
When RADIUS packets are encrypted, the User-Password attribute has its value set to encrypted and the password is not shown in clear text.
To decrypt this, in Wireshark go to Edit -> Preferences -> Protocols and select RADIUS,
then enter the Shared Secret value and specify the UDP ports on which the communication between the client and server takes place.
Non-default ports for RADIUS traffic, such as 1814, can also be entered here if required.
Once the correct shared secret and ports are entered, Wireshark may show the decrypted values.
Similarly, for TACACS+, Wireshark will not be able to show the encrypted username and password.
To decrypt this, in Wireshark go to Edit -> Preferences -> Protocols and select TACACS+.
Enter the Encryption Key as set on the TACACS+ server and enter the TCP port value.
Once all the correct values are provided, Wireshark may show the decrypted request along with the username and password value.
Another way to determine whether the TACACS+ packet is decrypted is to check the bottom of the Wireshark window.
If the packet is successfully decrypted, it should show 'TACACS+ Decrypted'.
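The reason the shared secret or encryption key is all Wireshark needs is that both protocols hide data by XORing it with MD5-derived pads (RFC 2865 section 5.2 for the RADIUS User-Password, RFC 8907 section 4.5 for the TACACS+ body). The following is an added example, not code from this article or from Wireshark; the function names and all sample values are constructed for illustration.

```python
import hashlib
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 (client side): null-pad to 16-byte blocks, then XOR each
    block with MD5(secret + previous ciphertext block or Request Authenticator)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def radius_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of radius_hide: what a dissector can do once it has the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def tacacs_xor(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: XOR the body with a pad of chained MD5 digests over
    session_id, key, version, seq_no. The same call obfuscates and recovers."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < len(body):
        last = hashlib.md5(seed + last).digest()
        pad += last
    return _xor(body, pad)

# Constructed sample values (not taken from any capture).
SECRET, RA, PASSWORD = b"testing123", bytes(range(16)), b"correct horse battery"
KEY, BODY = b"tackey", b"constructed TACACS+ body, longer than 16 bytes"

if __name__ == "__main__":
    hidden = radius_hide(PASSWORD, SECRET, RA)
    print("User-Password on the wire:", hidden.hex())
    print("with the right secret:    ", radius_unhide(hidden, SECRET, RA))
    # No integrity check here: a wrong secret yields other bytes, not an error.
    print("with a wrong secret:      ", radius_unhide(hidden, b"wrong", RA))
    wire = tacacs_xor(BODY, KEY, 0x12345678, 0xC0, 1)
    print("TACACS+ body recovered:   ", tacacs_xor(wire, KEY, 0x12345678, 0xC0, 1))
```

Because anyone holding a capture and the shared secret can recover these values, captures and the secrets entered into Wireshark preferences should be handled as sensitive material.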
Copyright 2024 Fortinet, Inc. All Rights Reserved.