000035182 - How to decrypt RADIUS traffic using Wireshark with RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 6, 2017. Last modified by RSA Customer Support Employee on Jun 6, 2017.

Article Number: 000035182
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.x, 8.0, 8.1
Issue: This article explains how to decrypt RADIUS traffic captured with Wireshark while troubleshooting authentication issues. The steps below show how to decrypt the traffic so that the username and passcode can be seen in plain text.
Resolution: You must know the RADIUS shared secret in order to decrypt the packets.
Follow the steps below to decrypt the RADIUS packets:
  1. Capture RADIUS authentication traffic.  See 000016395 - TCPDump for the Authentication Manager Appliance 8.x for more information.
  2. Launch the Wireshark app.
  3. Open the capture of the RADIUS traffic, typically in .pcap format.
  4. Go to Edit > Preferences.
  5. Click the + next to Protocols to expand the tree.
  6. Scroll down and select RADIUS.
  7. Key in the RADIUS shared secret and click Apply.
  8. The passcode is now displayed in clear text.
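What Wireshark does behind that preference is defined in RFC 2865 section 5.2: the User-Password attribute in an Access-Request is not sent in the clear but is XORed, 16 bytes at a time, with MD5(shared secret + Request Authenticator), each later block chained on the previous ciphertext block. Because the only key material is the shared secret, anyone holding the secret and the capture can recover the passcode, which is why a weak or widely shared RADIUS secret is a real exposure rather than a convenience. The following Python example is added here and is not RSA's or Wireshark's code; it builds a constructed Access-Request with a fixed, non-random Request Authenticator and a made-up secret (`ExampleSharedSecret`) so the output is reproducible, then parses the packet and reverses the User-Password obfuscation exactly as the Wireshark RADIUS dissector does when the secret is configured.

```python
import hashlib
import struct

# RADIUS constants from RFC 2865.
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed sample values (not from the article): real clients use a random
# 16-byte Request Authenticator per packet; a fixed one keeps this example reproducible.
SHARED_SECRET = b"ExampleSharedSecret"
AUTHENTICATOR = bytes(range(16))


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), where the first 'previous block' is the
    Request Authenticator. This is obfuscation keyed only by the shared secret."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def decrypt_user_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_user_password; this is what Wireshark computes once the
    RADIUS shared secret preference is set. Trailing NUL padding is stripped."""
    if len(ciphertext) % 16 or not ciphertext:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Assemble a minimal Access-Request: 20-byte header followed by TLV attributes."""
    attrs = bytearray()
    attrs += bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    enc = encrypt_user_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(enc)]) + enc
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + bytes(attrs)


def parse_radius(packet: bytes):
    """Parse the RADIUS header and attribute list, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def recover_credentials(packet: bytes, secret: bytes):
    """Return (username, passcode) from an Access-Request, given the shared secret."""
    code, _identifier, authenticator, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError("only Access-Request carries User-Password")
    username = attrs[ATTR_USER_NAME].decode()
    passcode = decrypt_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode()
    return username, passcode


# Constructed 20-character passcode: long enough to exercise the two-block chaining.
SAMPLE_PACKET = build_access_request(42, AUTHENTICATOR, b"jdoe",
                                     b"1234567890abcdefghij", SHARED_SECRET)

if __name__ == "__main__":
    print("captured User-Password:", parse_radius(SAMPLE_PACKET)[3][ATTR_USER_PASSWORD].hex())
    print("with correct secret:", recover_credentials(SAMPLE_PACKET, SHARED_SECRET))
    print("with wrong secret:", decrypt_user_password(
        parse_radius(SAMPLE_PACKET)[3][ATTR_USER_PASSWORD], b"wrong-secret", AUTHENTICATOR))
```

Running the script shows the same before-and-after view the screenshots in this article illustrate: with the wrong secret the XOR produces only junk bytes, with the right one the username and passcode appear. Two practical points follow from the code: Wireshark needs the Request Authenticator from the same Access-Request packet, so a capture that contains only the Access-Accept or Access-Reject cannot be decoded, and a capture plus the shared secret is equivalent to the passcodes in it, so captures taken for troubleshooting should be handled and deleted with the same care as the secret itself.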
The packet capture before entering the RADIUS shared secret:
[Screenshot: Encrypted Packet]

The packet capture after entering the RADIUS shared secret:
[Screenshot: Decrypted Packet]