Question on SSLv implementation and TACACS mapping.

Article ID: 168679

Products

SSL Visibility Appliance Software

Issue/Introduction

TACACS+ and SSL Visibility use different privilege scales. When implementing TACACS+ with SSL Visibility, roles and privileges are duplicated after level 7.

Cause

The TACACS+ RFC uses a scale of 1 - 15 for privilege levels. SSL Visibility does not have 15 privilege roles; it offers only the 7 combinations below (plus the base auditor role).

TACACS Level   SSL Visibility Appliance Role
0              auditor
1              auditor + manage-appliance
2              auditor + manage-policy
3              auditor + manage-appliance + manage-policy
4              auditor + manage-pki
5              auditor + manage-appliance + manage-pki
6              auditor + manage-policy + manage-pki
7              auditor + manage-appliance + manage-policy + manage-pki

Resolution

In order to map to the TACACS+ draft RFC, SSL Visibility duplicates roles and privileges after level 7. Per the draft RFC for TACACS+:

"Privilege levels are ordered values from 0 to 15 with each level representing a privilege level that is a superset of the next lower value. If a NAS client uses a different privilege level scheme, then mapping must be provided."

To comply with the mapping requirement, SSL Visibility repeats privileges after 7.

At level 8, the mapping cycles back to SSL Visibility level 0 and ascends again: TACACS+ level 8 maps to 0, level 9 to 1, and so on, with level 15 mapping to 7. Note that this breaks the RFC's superset ordering on the appliance side: a user assigned level 8 receives only the auditor role, while level 7 and level 15 both receive the full set, so check the priv-lvl values configured on the TACACS+ server against the table above rather than assuming a higher level grants more.
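The wrap-around mapping above, as an added Python example that is not part of the KB article or the appliance's own code. It assumes the role table and the modulo-8 repeat exactly as stated on this page, and the user-to-priv-lvl assignments are constructed sample data, not a real TACACS+ configuration.

```python
# Added example: map a TACACS+ priv-lvl (0-15) to the SSL Visibility role set
# using the repeat-after-7 rule from the article, then audit a constructed set
# of TACACS+ user assignments for levels that grant fewer rights than expected.

ROLE_TABLE = {
    0: ("auditor",),
    1: ("auditor", "manage-appliance"),
    2: ("auditor", "manage-policy"),
    3: ("auditor", "manage-appliance", "manage-policy"),
    4: ("auditor", "manage-pki"),
    5: ("auditor", "manage-appliance", "manage-pki"),
    6: ("auditor", "manage-policy", "manage-pki"),
    7: ("auditor", "manage-appliance", "manage-policy", "manage-pki"),
}


def roles_for_priv_lvl(priv_lvl: int) -> frozenset:
    """Return the SSL Visibility roles granted for a TACACS+ priv-lvl.

    Levels 8-15 repeat levels 0-7 (8 -> 0, 9 -> 1, ..., 15 -> 7), per the article.
    """
    if not 0 <= priv_lvl <= 15:
        raise ValueError(f"priv-lvl must be 0-15, got {priv_lvl}")
    return frozenset(ROLE_TABLE[priv_lvl % 8])


def audit_assignments(assignments: dict) -> list:
    """Flag users whose effective rights violate the RFC's superset ordering.

    `assignments` maps username -> priv-lvl as configured on the TACACS+ server.
    Under the RFC a level >= 8 should be at least as privileged as level 7, but
    the appliance wraps, so levels 8-14 grant LESS than level 7. Each finding is
    (user, priv_lvl, sorted list of roles actually granted).
    """
    full_admin = roles_for_priv_lvl(7)
    findings = []
    for user, lvl in assignments.items():
        effective = roles_for_priv_lvl(lvl)
        if lvl >= 8 and effective != full_admin:
            findings.append((user, lvl, sorted(effective)))
    return findings


# Constructed sample assignments (hypothetical usernames and levels).
SAMPLE_USERS = {"readonly-ops": 0, "pki-admin": 4, "full-admin": 15,
                "netops": 8, "policy-lead": 10}

if __name__ == "__main__":
    for user, lvl, roles in audit_assignments(SAMPLE_USERS):
        print(f"{user}: priv-lvl {lvl} grants only {', '.join(roles)}")
```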