How to decrypt RADIUS traffic using Wireshark with RSA Authentication Manager
4 years ago
Originally Published: 2017-05-19
Article Number
000067693
Applies To
RSA Product Set:  SecurID
RSA Product/ Service Type:  Authentication Manager
RSA Version/Condition:  7.x, 8.1, 8.0, 8.1
Issue
This article explains how to decrypt RADIUS traffic captured by Wireshark when having authentication issues.  Steps in this article explain how to decrypt the traffic to be able to see the username and passcode in plain text.
Resolution
You must know the RADIUS shared secret used in order to decrypt the packets.

You can follow the below steps to be able to decrypt the Radius Packets:
  1. Capture RADIUS authentication traffic.  See 000016395 - TCPDump for the Authentication Manager Appliance 8.x for more information.
  2. Launch the Wireshark app.
  3. Open the capture of of the RADIUS traffic, typically in .pcap format.
  4. Go to Edit > Preferences.
  5. Click the + next to Protocols to expand the tree.
  6. Scroll down and select RADIUS.
  7. Key in the RADIUS shared secret and click Apply.
  8. The passcode in clear text.

The packet capture before entering the RADIUS shared secret:
 
Encrypted Packet

The packet capture after entering the RADIUS shared secret:
Decrypted Packet
Don't see what you're looking for?