I've been trying to set up a read-only group that allows certain users to log in at privilege level 3 and issue several commands, i.e., show run. The user group in the ACS is correct and here are the configured lines in the device:
aaa authorization config-commands
aaa authorization exec default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 3 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
When a user with privilege level 15 logs in, authorization works fine. The debug messages show authorization requests going to the ACS and the appropriate responses are returned. However, when a level 3 user logs in, authorization for those commands that the user has access to, such as show run, fails. I noted that the device did not send any request to the ACS.
The best way to set it up is to give all users priv lvl 15 and then define which commands each user can execute.
Note: Having priv 15 does not mean that the user will be able to issue all commands.
We will set up command authorization on ACS to have control over users.
Please see this link,
Do rate helpful posts
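As an added illustration (not code from this thread, from IOS or from ACS) of what the reply means by "priv 15 does not mean all commands": the model below builds the AV pairs IOS sends in a TACACS+ command-authorization request and evaluates them against a simplified ACS-style command set. The command-set structure, rule contents and the helper names are constructed for the example.

```python
import re

# Simplified model of an ACS 5 command set: each rule is (grant, command,
# argument regex); "permit_unmatched" stands for the "permit any command that
# is not in the table" checkbox. Both sets are constructed for this example.
READ_ONLY = {
    "permit_unmatched": False,          # anything not listed is denied
    "rules": [("permit", "show", r".*")],  # show run, show ip route, ...
}

FULL_ACCESS = {
    "permit_unmatched": True,           # priv-15 admin, but still fenced in
    "rules": [("deny", "reload", r".*")],
}


def shell_av_pairs(line):
    """Build the attribute-value pairs IOS puts in a command authorization request."""
    words = line.split()
    pairs = [("service", "shell"), ("cmd", words[0])]
    pairs += [("cmd-arg", w) for w in words[1:]]
    pairs.append(("cmd-arg", "<cr>"))   # IOS terminates the argument list with <cr>
    return pairs


def authorize(av_pairs, command_set):
    """Return True if the command set permits the requested command (first match wins)."""
    cmd = next(v for k, v in av_pairs if k == "cmd")
    args = " ".join(v for k, v in av_pairs if k == "cmd-arg" and v != "<cr>")
    for grant, rule_cmd, arg_re in command_set["rules"]:
        if rule_cmd == cmd and re.fullmatch(arg_re, args):
            return grant == "permit"
    return command_set["permit_unmatched"]


if __name__ == "__main__":
    for line in ("show running-config", "configure terminal", "reload"):
        req = shell_av_pairs(line)
        print(f"{line:20} read-only={authorize(req, READ_ONLY)!s:5} "
              f"full={authorize(req, FULL_ACCESS)}")
```

The read-only user gets "show running-config" and nothing else, while the full-access user is still denied "reload", which is the per-command control the reply describes.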