I have a simple config on my router:
aaa authentication login default group radius local
aaa authorization exec default group radius
My ACS user account is a member of an unmodified group on the ACS server. I have not set a privilege level in the Cisco-AV pair nor have I set the Service Type. The user is able to log in but does not go directly to privilege exec. The enable secret must still be supplied.
I successfully capture the RADIUS Access Request and Accept messages on the ACS server. If I configure the priv level and frame type on ACS, they are returned in the Accept message.
If I don't configure the priv level or the frames protocol, shouldn't authorization fail? I don't see why the exec session is being granted if it is not specified in ACS.
Any insight on my config is appreciated.
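To make the difference between the two Accept messages described above concrete, here is an added example (my own code, not from the original poster, Cisco, or ACS) that builds and decodes a RADIUS Access-Accept per RFC 2865 and reports what it tells the NAS about the exec session. It looks only at Service-Type (attribute 6) and the Cisco Vendor-Specific attribute (26, vendor id 9, cisco-avpair type 1) carrying "shell:priv-lvl=N". The packets it decodes are constructed inline, not captures from a real ACS; the 16-byte authenticator is zeroed as a placeholder, and the effective level 1 used when no priv-lvl is returned is the IOS default exec privilege level, which is an assumption about the router rather than something carried in the packet.

```python
import struct

# RADIUS attribute numbers from RFC 2865 and the Cisco VSA layout.
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor type for cisco-avpair
ACCESS_ACCEPT = 2
IOS_DEFAULT_PRIV_LVL = 1   # assumption: router default when no priv-lvl is returned

SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}


def attr(atype, value):
    """Encode one top-level attribute: type, length (incl. 2 header bytes), value."""
    return bytes([atype, len(value) + 2]) + value


def service_type(code):
    return attr(SERVICE_TYPE, struct.pack("!I", code))


def cisco_avpair(text):
    """Encode a cisco-avpair VSA: vendor id, then vendor type/length/value."""
    encoded = text.encode()
    vsa = bytes([CISCO_AVPAIR, len(encoded) + 2]) + encoded
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_access_accept(ident, attributes):
    """Constructed Access-Accept: code, id, length, zeroed authenticator, attributes."""
    body = b"".join(attributes)
    authenticator = bytes(16)  # placeholder, not a real response authenticator
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header; reject malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet):
        raise ValueError("declared length exceeds packet")
    attrs = []
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def exec_authorization(packet):
    """Summarize what an Accept tells the NAS about the exec session."""
    code, attrs = parse_attributes(packet)
    result = {"accepted": code == ACCESS_ACCEPT, "service_type": None, "priv_lvl": None}
    for atype, value in attrs:
        if atype == SERVICE_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            result["service_type"] = SERVICE_TYPE_NAMES.get(num, "unknown(%d)" % num)
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 4 + vlen <= len(value):
                text = value[6:4 + vlen].decode(errors="replace")
                if text.startswith("shell:priv-lvl="):
                    result["priv_lvl"] = int(text.split("=", 1)[1])
    # An Accept with no priv-lvl is still an accept; the level is then the router's default.
    result["effective_priv_lvl"] = (
        result["priv_lvl"] if result["priv_lvl"] is not None else IOS_DEFAULT_PRIV_LVL
    )
    return result


if __name__ == "__main__":
    bare = build_access_accept(1, [])
    full = build_access_accept(2, [service_type(7), cisco_avpair("shell:priv-lvl=15")])
    print("unmodified group:", exec_authorization(bare))
    print("priv-lvl + service type:", exec_authorization(full))
```

Running it shows the point of the thread in packet terms: the bare Accept carries no Service-Type and no priv-lvl, yet it is still an Access-Accept, so the login succeeds and the exec level falls back to the router's default; only the second packet carries the level 15 that would skip the enable prompt.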