Auth succeeds but accounting returns Illegal packet (version=0xc0 type=0x03)


victor ostorga

Feb 8, 2024, 3:39:42 PM
to Event-Driven Servers
Good day.
Trying to figure this out, requesting your help:

Authentication and authorization work properly, but accounting is returning "Illegal packet (version=0xc0 type=0x03)".

Captures of the trace in the failing scenario are as follows:

Accounting request:
Screenshot 2024-02-08 141954.png


Accounting response:
Screenshot 2024-02-08 142228.png

Checking against a working accounting device, I've noticed the difference in the 'Auth Method' in accounting request.

A working accounting has
Auth Method: TACACSPLUS (0x06) 
non working accounting
Auth Method: NONE (0x01) 

Screenshot 2024-02-08 143617.png

Could that be the reason the accounting is failing?


Kind regards,

Event-Driven Servers

Feb 18, 2024, 8:03:33 AM
to Event-Driven Servers
Hi,
"Illegal packet" implies that there's a mismatch in packet length. Looking at the Wireshark output:

9 (header, flags to arg_cnt)
2 (arg_X_len)
14 (user)
3 (port)
12 (rem_addr)
9 (arg 1)
13 (arg 2)

This sums up to 62 bytes. However, the "packet length" from your TACACS+ header specifies 63. The packet is malformed.

Cheers,

Marc
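
The length check described in the reply above, as an added example that is not part of the original thread or of the server's code: it sums the length fields of an accounting REQUEST body (layout per RFC 8907) and compares the result with the length in the 12-byte TACACS+ header. It assumes the body is already cleartext (deobfuscated, as Wireshark shows it when given the key); the sample packet, its user name, address and session id are constructed to match the field sizes listed in the reply.

```python
import struct

ACCT_TYPE = 0x03   # TAC_PLUS_ACCT, the "type=0x03" in the server's error
FIXED_LEN = 9      # flags .. arg_cnt, the "9" in the breakdown above

def acct_request_lengths(packet: bytes):
    """Return (declared, computed) body length of a cleartext accounting REQUEST."""
    if len(packet) < 12 + FIXED_LEN:
        raise ValueError("too short for TACACS+ header plus fixed accounting fields")
    _ver, ptype, _seq, _flags, _session, declared = struct.unpack("!BBBBII", packet[:12])
    if ptype != ACCT_TYPE:
        raise ValueError(f"not an accounting packet (type=0x{ptype:02x})")
    body = packet[12:]
    user_len, port_len, rem_addr_len, arg_cnt = body[5:9]
    arg_lens = body[FIXED_LEN:FIXED_LEN + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("body ends inside the arg length list")
    computed = (FIXED_LEN + arg_cnt + user_len + port_len
                + rem_addr_len + sum(arg_lens))
    return declared, computed

def build_sample(declared=None) -> bytes:
    """Constructed packet with the field sizes from the thread: 14, 3, 12, 9, 13."""
    user, port, rem_addr = b"example_user01", b"tty", b"198.51.100.7"
    args = [b"task_id=1", b"service=shell"]
    body = bytes([0x02, 0x01, 0x00, 0x01, 0x01,   # flags=START, authen_method=NONE, ...
                  len(user), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    length = len(body) if declared is None else declared
    # version 0xc0, type 0x03, seq 1, flags 0x04 (unencrypted), constructed session id
    return struct.pack("!BBBBII", 0xC0, ACCT_TYPE, 1, 0x04, 0x1234ABCD, length) + body

if __name__ == "__main__":
    for label, pkt in (("consistent", build_sample()), ("as in thread", build_sample(63))):
        declared, computed = acct_request_lengths(pkt)
        verdict = "ok" if declared == computed else "malformed: length mismatch"
        print(f"{label}: header length={declared}, fields sum to {computed} -> {verdict}")
```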
