Configure your higher level group that is allowed to access config mode with privilege level 15. Then turn on command authorization for privilege level 15 users. It is a good idea to create a local account with privilege level 15 as a backup in case there is a connection issue between CS and the devices.
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+ local if-authenticated
aaa authorization commands 15 default tacacs+ local if-authenticated
username foo privilege 15 password bar
Since config is a privilege level 15 command by default, groups without this privilege will not be allowed to run it. The group you assign priv 15 to will be taken into config mode by default as part of exec authorization.
If your connection to CSNT goes down, or you receive an ERROR during negotiation (for example because of a mismatched key), then you will fall back to the local account.
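The complete configuration that the reply above sketches, written out as an added example (this is not the poster's config and not Cisco's reference configuration). The server address, key, interface name and account names are placeholders chosen here; the `group ACS-GROUP` form is the current IOS method syntax, while the bare `tacacs+` keyword used in the reply is the older equivalent.

```ios
! Added example: full AAA/TACACS+ setup with command authorization and local fallback.
! 192.0.2.10, the shared key, Loopback0 and the usernames are placeholders.
aaa new-model
!
! Server definition (new-style syntax). The key must match the ACS entry exactly;
! a mismatch shows up on the router as an ERROR, which falls through to 'local'.
tacacs server ACS1
 address ipv4 192.0.2.10
 key 0 ChangeMeSharedSecret
 timeout 5
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Source TACACS+ traffic from a stable address so ACS matches the AAA client entry.
ip tacacs source-interface Loopback0
!
! Login: ask ACS first; use the local database only if ACS is unreachable or
! returns an error. A REJECT from ACS is final and does NOT fall back to local.
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
!
! Exec authorization: users ACS marks as priv 15 land directly in privileged mode.
aaa authorization exec default group ACS-GROUP local if-authenticated
!
! Every command typed at priv 15 is sent to ACS for a permit/deny decision.
! config-commands authorization is on by default; it is stated here so that
! commands entered in config mode are visibly covered too.
aaa authorization commands 15 default group ACS-GROUP local if-authenticated
aaa authorization config-commands
!
! Account for priv-15 commands so permitted and denied commands show up on ACS.
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Backup local account for when ACS is down. 'secret' stores a hash;
! 'password' stores a reversible type 7 string, so prefer 'secret'.
username foo privilege 15 secret ChangeMeLocalPassword
enable secret ChangeMeEnableSecret
!
! The 'default' lists apply to the VTYs automatically; naming them on the line
! makes the intent explicit. Restrict remote access to SSH.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

Keep a console session open while enabling this, because a wrong key or group name locks out every VTY until the fallback kicks in. To confirm the server is reachable before relying on it, run `test aaa group ACS-GROUP <acs-user> <password> legacy` from exec mode with an account that exists on ACS, and watch `show tacacs` for the sent/received counters. `debug aaa authorization` shows the per-command PASS/FAIL returned by ACS, which is the quickest way to see whether a denied `configure` or `write` is being rejected by ACS or by the local privilege level after a fallback.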
After trying a few things, I was still having problems... but was able to get all of it working...
Right now I have given ReadOnly users privilege 15, and under "Shell Command Authorization Set" I could only get it to work with "Per Group Command Authorization" and Permit "Unmatched Cisco IOS commands"; then under command I put "configure" with unlisted arguments as Deny. I did the same for "copy" and "write". Now the users can't do "config t" or "copy ..." or "write" commands....
What I want to do is put all of these commands in a group, and then apply them to this group.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...