aaa authentication and privilege-mode

keynet
Level 1

I want to configure an aaa authentication with local user-accounts on the switch. The idea is to come directly in the privilege-mode without the enable command.

I configured the following commands:

aaa new-model

aaa authentication login default local

What other commands (authorization) are necessary to get the privilege command?

Thanks

Pascal



Jagdeep Gambhir
Level 10

Pascal,

Yes, privilege falls under the "authorization" heading, so we need to have that command.

aaa authorization exec default local

Also make sure that the local user has priv 15.

Regards,

~JG

Do rate helpful posts

It doesn't work with this command. I don't come directly to privilege mode. The user has the priv 15 level.

Regards

Pascal

Pascal,

That is not possible, it should work. Can you get me the debugs and current config,

debug aaa authorization

debug aaa authentication

terminal mon

Regards,

~JG

You are right. With telnet it works. It doesn't work by the console. I attached my config and the debug. The debug shows the login from the console.

Thank you for your help!!

Regards

Pascal

Dear,

For console you need to issue one more command.

There is a hidden command within IOS that you need to apply: "aaa authorization console".

That should fix it,

Regards,

~JG

Do rate helpful posts

Hello JG

Now, it works fine.

Thank you very much for your support!

Regards Pascal

jong_r0602
Level 1

Hi,

I have the same problem on my 7200 router; before, I could enter directly into privilege mode without the enable command. I don't know what command I've issued, because now when I'm entering my router through telnet I need to enter my enable password. Please help me.

Here's my configuration

aaa new-model

aaa authorization console

aaa authorization exec default group tacacs+ local

I also tried to copy the config of my other router, but it is still not working. I appreciate your help.

Thanks,

Jong

Jong,

This is what we should have on the router, and make sure you have priv 15 defined for the user.

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

On tacacs

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Now it should let you in directly to enable mode.

Regards,

~JG

Do rate helpful posts

Hi JG,

I really appreciate your help. I have here the complete AAA config from my router. I just remember that I've issued a "privilege exec/command/configure level" before this problem. Is there anything I need to check in my privilege config?

I'm pretty sure that I have the correct config on my ACS, because 9 out of my 10 routers are working fine with authentication, authorization and accounting.

aaa new-model

!

!

aaa authentication login c3auth group tacacs+ local

aaa authorization console

aaa authorization exec default group tacacs+ local

aaa authorization exec c3auth group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 5 c3auth group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting session-duration ntp-adjusted

aaa accounting exec c3auth start-stop group tacacs+

aaa accounting commands 5 c3auth start-stop group tacacs+

aaa accounting commands 15 c3auth start-stop group tacacs+

aaa accounting connection c3auth start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

tacacs-server host xxxxx

tacacs-server directed-request

tacacs-server key xxxxx

privilege voipdialpeer level 5 shutdown

privilege controller level 5 shutdown

privilege interface level 5 shutdown

!

privilege configure level 5 line

privilege configure level 5 dial-peer voice

privilege configure level 5 dial-peer

privilege configure level 5 interface

privilege configure level 5 controller

privilege exec all level 5 configure terminal

privilege exec level 5 configure

privilege exec level 4 show dial-peer

privilege exec level 5 show call active voice

privilege exec level 5 show call active

privilege exec level 5 show call

privilege exec level 4 show interfaces

privilege exec level 5 show running-config

privilege exec level 5 show configuration

privilege exec level 5 show

privilege exec level 5 clear counters

privilege exec level 5 clear

Regards,

Jong

Jong,

I don't think there is any need to have local priv lvl defined in the router itself, since we have acs in place. Let ACS take care of the priv and command authorization.

My suggestion is to configure the router as per the commands below,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

If you use 'if-authenticated' any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down.

Regards,

~JG

Do rate helpful posts

Hi JG,

I'll do that, thanks for the additional info. I'm removing my commands again and then re-entering the new ones. Hope it will work for me.

Regards,

Jong

Thanks a lot JG, it works fine now,

Best Regards,

Jong
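The two fixes this thread arrives at (an exec authorization list plus "aaa authorization console" in Pascal's case, and the TACACS+ list with "if-authenticated" fallback in Jong's case) can be checked for by linting the running-config before a change window. The script below is an added example, not code from the thread or from Cisco. It encodes the thread's conclusions as rules: a VTY login lands in privilege 15 when aaa new-model, a default login authentication list, a default exec authorization list and a level-15 user are present, and console login additionally needs "aaa authorization console". The three sample configs, the usernames, the 192.0.2.10 server address, and the secret/key placeholders are all constructed for the example.

```python
"""Lint an IOS running-config for the AAA lines needed to land directly in privilege 15.

Added example; rules are taken from the forum thread, not from IOS documentation.
"""
import re
from typing import Dict, List

# Constructed sample: Pascal's first attempt (login authentication only, level-15 local user).
BEFORE = """\
aaa new-model
aaa authentication login default local
!
username pascal privilege 15 secret 5 $PLACEHOLDER$
!
line con 0
line vty 0 4
"""

# Constructed sample: the same switch after both of JG's fixes.
AFTER = """\
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
username pascal privilege 15 secret 5 $PLACEHOLDER$
"""

# Constructed sample: JG's recommended TACACS+ layout, with a level-15 local fallback user.
TACACS = """\
username admin privilege 15 secret 5 $PLACEHOLDER$
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization console
"""


def parse_config(text: str) -> List[str]:
    """Drop blank lines and '!' separators, trim whitespace."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def exec_authz_methods(lines: List[str]) -> List[str]:
    """Method list of 'aaa authorization exec default ...', e.g. ['group', 'tacacs+', 'local']."""
    for ln in lines:
        m = re.match(r"aaa authorization exec default (.+)$", ln)
        if m:
            return m.group(1).split()
    return []


def audit(text: str) -> Dict[str, bool]:
    """Return per-check booleans plus the derived verdicts for VTY and console sessions."""
    lines = parse_config(text)
    methods = exec_authz_methods(lines)
    checks = {
        "aaa_new_model": "aaa new-model" in lines,
        "login_auth_default": any(ln.startswith("aaa authentication login default ") for ln in lines),
        "exec_authz_default": bool(methods),
        "console_authz": "aaa authorization console" in lines,
        "local_priv15_user": any(re.match(r"username \S+ privilege 15\b", ln) for ln in lines),
        "uses_if_authenticated": "if-authenticated" in methods,
    }
    # A local-only exec list can only hand out level 15 if a local user carries it;
    # with a TACACS+ list the level comes from the server (ACS shell settings).
    local_only = methods == ["local"]
    base = (checks["aaa_new_model"] and checks["login_auth_default"]
            and checks["exec_authz_default"]
            and (checks["local_priv15_user"] or not local_only))
    checks["vty_direct_priv15"] = base
    checks["console_direct_priv15"] = base and checks["console_authz"]
    return checks


def missing_lines(text: str) -> List[str]:
    """Config lines still needed so both console and VTY sessions land in privilege 15."""
    c = audit(text)
    needed = []
    if not c["aaa_new_model"]:
        needed.append("aaa new-model")
    if not c["login_auth_default"]:
        needed.append("aaa authentication login default local")
    if not c["exec_authz_default"]:
        needed.append("aaa authorization exec default local")
    if not c["console_authz"]:
        needed.append("aaa authorization console")
    if not c["local_priv15_user"]:
        needed.append("username <name> privilege 15 secret <secret>")
    return needed


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("tacacs", TACACS)):
        r = audit(cfg)
        print(f"{name}: vty={r['vty_direct_priv15']} console={r['console_direct_priv15']} "
              f"if-authenticated={r['uses_if_authenticated']} missing={missing_lines(cfg)}")
```

Run it against a saved "show running-config" to see which of the thread's lines a box is missing; the "uses_if_authenticated" flag is reported separately so that an operator can decide, per JG's note, whether that fallback behaviour is what they want when the TACACS+ server is unreachable.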
