I have applied the below config to my CSS:-
virtual authentication primary tacacs
virtual authentication secondary local
tacacs-server key spire_tacacs
tacacs-server account config
tacacs-server x.x.x.x 49 primary
tacacs-server authorize config
Everything works with regard to authentication back to the ACS. The problem is that when I create a new user and group with a specific command set, the CSS fails, and in the log of the ACS under failed attempts it says that author failed with command denied (service=shell cmd=privilege).
The same command set works with a Cisco 4500/6500/7200 (you get the idea), but not the CSS. The only way it works is if you permit all commands, which is not what I need.
Has anyone got any ideas on this?