Question on SSLv implementation and TACACS mapping.
Article ID: 168679
Updated On:
Products
SSL Visibility Appliance Software
Issue/Introduction
TACACS and SSL Visibility have different privilege scales. When implementing TACACS with SSL Visibility, roles and privileges are duplicated after 7.
Cause
TACACS RFC utilizes a scale of 1 - 15 for privilege roles. SSL Visibility does not have 15 privilege roles, it only offers 7.
TACACS Level SSL Visibility Appliance Role
0 auditor
1 auditor + manage-appliance
2 auditor + manage-policy
3 auditor + manage-appliance + manage-policy
4 auditor + pki
5 auditor + manage-appliance + manage-pki
6 auditor + manage-policy + manage-pki
7 auditor + manage-appliance + manage-policy + manage-pki
TACACS Level SSL Visibility Appliance Role
0 auditor
1 auditor + manage-appliance
2 auditor + manage-policy
3 auditor + manage-appliance + manage-policy
4 auditor + pki
5 auditor + manage-appliance + manage-pki
6 auditor + manage-policy + manage-pki
7 auditor + manage-appliance + manage-policy + manage-pki
Resolution
In order to map to the TACACS draft RFC, SSL Visibility duplicates roles and privileges after 7. Per the draft RFC for TACACS+ :
"Privilege levels are ordered values from 0 to 15 with each level representing a privilege level that is a superset of the next lower value. If a NAS client uses a different privilege level scheme, then mapping must be provided."
"Privilege levels are ordered values from 0 to 15 with each level representing a privilege level that is a superset of the next lower value. If a NAS client uses a different privilege level scheme, then mapping must be provided."
To comply with the mapping requirement, SSL Visibility repeats privileges after 7.
At level 8, it cycles back to SSL Visibility level 0 and ascends again; so level 8=0, level 9=1, and so on.
Feedback
Yes
No
Powered by
