More comments in-line...

At 11:23 23/12/97 PST, Coaxial Karma wrote:
>Hi,
>
>I dunno if what follows has already been posted or not... Sorry if it
>has been.
>
>I recently discovered that when a Terminal Server (TS) was using XTACACS
>as authentication protocol, it was possible to make the XTACACS server
>believe that you've disconnected.
>
>In order to exploit this, you only have to send an xlogout request to
>the XTACACS server claiming to be from the TS. Here is an example:

1) please note my affiliation to assert my bias ;-)

2) you should really neither use the old TACACS nor XTACACS but rather
   RADIUS or TACACS+:
   - they are available in free source code in C
   - they protect/authenticate the packets by a shared secret between
     the Access Control Server and the Access Router/Firewall (Radius
     encrypts only the password so has less confidentiality than TACACS+,
     which encrypts almost everything)
   - Radius and TACACS+ are widely supported

Best regards

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evynckeat_private
Mobile: +32-75-312.458
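
The shared-secret packet protection recommended in the reply above, shown as an added example that is not part of the original message or of any RADIUS implementation: the RFC 2866 Accounting-Request authenticator (session end in RADIUS is reported as an Accounting-Request with Acct-Status-Type Stop) and the RFC 2865 User-Password hiding. The function names, the secret and the sample attributes are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)

def acct_authenticator(ident, attrs, secret):
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_acct_request(ident, attrs, secret):
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + acct_authenticator(ident, attrs, secret) + attrs

def verify_acct_request(packet, secret):
    # Server side: recompute the authenticator; drop the packet on mismatch.
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = acct_authenticator(ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def hide_password(password, request_auth, secret):
    # RFC 2865 User-Password hiding: pad to 16-octet blocks, XOR each block
    # with MD5(secret + previous ciphertext block or Request Authenticator).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

# Constructed sample: Acct-Status-Type (40) = Stop (2), User-Name (1) = "alice"
STOP_ATTRS = bytes([40, 6]) + struct.pack("!I", 2) + bytes([1, 7]) + b"alice"
SECRET = b"constructed-shared-secret"

def demo():
    genuine = build_acct_request(7, STOP_ATTRS, SECRET)
    forged = build_acct_request(7, STOP_ATTRS, b"guess")  # sender lacks the secret
    return verify_acct_request(genuine, SECRET), verify_acct_request(forged, SECRET)

if __name__ == "__main__":
    print(demo())
```

The User-Name attribute in the sample travels in cleartext; only the User-Password value passes through `hide_password`, which is the confidentiality difference from TACACS+ that the reply points out.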