
ACS-Different Access for users

scottic1
Level 1

Hi, I tried searching this forum, and did not find information specific to my situation, but I apologize if this has previously been addressed.

What I am looking to do:

Local user configured on switch (Admin) should be placed into Exec mode upon initial login, and then have to type "Enable" and put in Enable password to get into Enable mode.

I have a Secure ACS server, integrated into Win2k3 Active Directory database. This works fine for authenticating users via their Domain Account.

I will create 2 AD groups, one for unrestricted access to the devices, and one for restricted access for certain users, and set the privilege levels per group in the ACS server. I'm not too worried about this.

My question is, how do I set it so that the local user authentication goes into Exec mode (not to Enable mode), yet users in the Unrestricted AD/ACS group go directly into Enable mode, and users in the Restricted group go into Exec mode?

One more note: I am looking to implement this on 20+ switches, each of which has a different password assigned.

Current config:

aaa new-model

aaa authentication login default group tacacs+ local

username admin password 7 xxxxxxx

Thanks in advance for your help. If you need any more information, please let me know!

Scott

2 Replies

Collin Clark
VIP Alumni

Scott-

The local user account is only used when the TACACS server is unavailable. At that point, does it really matter what mode the account is thrown into?

Ok, that makes sense. Thanks for the reply!
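
One way to get the behaviour asked about in the original post, as an added example that was not posted by either participant: exec authorization lets the ACS group's privilege level decide where TACACS+ users land, and the local account's own privilege level applies only during fallback. The server address, key and password placeholders are assumptions.

```cisco
! Added example: constructed placeholders, not values from the thread.
aaa new-model
!
! Assumed TACACS+ server definition (documentation address, placeholder key).
tacacs-server host 192.0.2.10 key <TACACS-KEY>
!
! Login: try ACS first; the local database is consulted only if no
! TACACS+ server responds (not when ACS rejects the credentials).
aaa authentication login default group tacacs+ local
!
! Exec authorization: the switch asks ACS which privilege level the shell
! starts at. In ACS, set the shell (exec) privilege level per group:
!   Unrestricted group -> priv-lvl=15 (lands at the enable prompt)
!   Restricted group   -> priv-lvl=1  (lands in user exec mode)
! "local" is the fallback when ACS is unreachable: the local user's own
! privilege level is applied.
aaa authorization exec default group tacacs+ local
!
! Enable: ask ACS first, fall back to the switch's own enable secret.
aaa authentication enable default group tacacs+ enable
!
! Local fallback account starts in user exec mode (privilege 1) and must
! type "enable" and supply the enable secret to go further.
username admin privilege 1 secret <LOCAL-PASSWORD>
enable secret <ENABLE-PASSWORD>
```

Exec authorization is not applied to the console line unless `aaa authorization console` is also configured, so verify the result over a vty session while keeping a console session open.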