On our current config we have this...
Aaa authentication login default group tacacs+ local
Aaa authorization config-commands
Aaa authorization exec default group tacacs+ local
Aaa authorization commands 15 default group tacacs+ if-authenticated
In tacacs we have each user in a group. Each group calls upon a command authorization set. In the command set we have denied enable, but we are still able to run enable. The other commands that we test work fine. Any suggestions? Are we able to deny enable at all?
Add the following commands on the device:
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated