I've been trying to figure this out for a few days and maybe you guys can help me out. I'm trying to get more familiar with AAA and this is what I'm trying to accomplish.
-I have a Cisco switch and I also have ACS 4.2 running on Windows 2003, and that's authenticating against a 2003 Active Directory server, which is working OK.
-Level 1 group that can only run those user level commands and they should not go into enable or configuration terminal
-Level 15 group has access to everything.
-Level 1 and Level 15 groups are expecting to login with the AD credentials at first which drops them into user mode.
-Only level 15 group should be able to go into enable mode.
-I want to specify the "Enable" password within TACACS and not use the "enable password" command in the IOS.
-I don't want to use local usernames and passwords except as a back way to get in.
I tried to configure the "Max privilege for any client" to level 1 or 15 per group but that doesn't seem to work.
This is basically what I have so far.
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 password 0 xxxx
Can you guys tell me what I'm missing?
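Below is an added example of the IOS AAA configuration that covers the requirements listed in the post; it is not the poster's config and not taken from Cisco documentation. The TACACS+ server address 192.0.2.10 and the shared key MYKEY are placeholders, and the "xxxx" secrets are the poster's own placeholders. The piece most often missing in a setup like the one above is `aaa authentication enable default group tacacs+`: without it, IOS answers `enable` with the locally configured enable password, so the "Max Privilege for any AAA Client" setting on ACS is never consulted.

```cisco
! Added example configuration (not the poster's running config).
! Placeholders: 192.0.2.10 = ACS 4.2 server, MYKEY = TACACS+ shared secret.
aaa new-model
!
! Logins are checked against ACS; the local database is used only if ACS is unreachable.
aaa authentication login default group tacacs+ local
!
! "enable" is also answered by ACS, so the enable password lives on the TACACS+ server.
! The local enable secret is only a fallback for when ACS is down.
aaa authentication enable default group tacacs+ enable
!
! Exec authorization lets ACS hand back the shell privilege level per group.
! With no level returned, users land in user mode (level 1) as required.
aaa authorization exec default group tacacs+ local
!
! Per-command authorization for both privilege levels; config-commands makes sure
! commands typed under "configure terminal" are checked as well.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Audit trail on ACS: who logged in, and which commands they ran.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key MYKEY
!
! Local fallback accounts, used only when ACS cannot be reached.
! "secret" stores a hash; "password 0" stores the clear text in the config.
username admin privilege 15 secret xxxx
enable secret xxxx
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
```

On the ACS 4.2 side, the assumption is that each group's TACACS+ settings set "Max Privilege for any AAA Client" to 1 for the level-1 group and 15 for the level-15 group, with the enable password option chosen per group (same as the AD login password, or a separate TACACS+ enable password). With `aaa authentication enable` pointing at TACACS+, an `enable` attempt from a level-1 user is then rejected by ACS rather than by the switch. Command authorization for the console line needs `aaa authorization console` in addition, which is deliberately left out here so the console stays usable as the recovery path.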