Enable Password Issues with ACS 5.1

Duncan Watson
Level 1

Hi,

I'm guessing this one will be quite straightforward, but so far I just can't make this work.

I have two Tacacs+ accounts- admin (lvl 15) and troubleshoot (lvl 2), with authentication and authorization being performed on the ACS.

On the ACS I have configured account-specific login and enable mode passwords.

My Cisco device configs are as follows:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 2 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
tacacs-server host x.x.x.x key TACACS
tacacs-server directed-request
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

When I log in as the admin account it works beautifully.  I am placed directly into privileged exec mode and have full level 15 access.  I confirmed the ACS server is being referenced correctly with both 'debug tacacs' on the switch and Tacacs Authorization reports on the ACS itself.

However, when I log in as 'troubleshoot', even though I am immediately shown the '#' enable prompt I only have standard user-mode commands.  Output from 'debug tacacs' shows that the correct shell profile (lvl 2) has been assigned by the ACS and I'm seeing the relevant command set being referenced in the authorization reports (as per attached screenshot).

Once I type 'enable' to move into privileged exec mode, the account has access to all commands permitted by the command set (in other words, it works fine).

So in summary, I guess my request is:

How to get the ACS to place me into 'privileged exec' mode as soon as I log in with a level 2 shell profile (rather than having to manually enter this mode)?

Many thanks,

Duncan

2 Replies

jedubois
Cisco Employee

Duncan,

If you are going to do command authorization against ACS then you don't need to assign level 2; you will assign level 15, and then all commands are authorized against the ACS to determine if that user is allowed to run that command or not.  If you pass level 2 then only commands that are at level 2 or below will be shown to the user.

--Jesse
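The ordering Jesse describes (the IOS parser hides commands above the session privilege level before any TACACS+ command authorization happens, so a priv-lvl 2 shell profile never lets the ACS command set speak for level-15 commands) can be modelled in a few lines. The following Python is an added illustration written for this thread, not code from the poster, from Cisco, or from ACS: the command-to-privilege-level table and the 'troubleshoot' command set are constructed samples, and the command-set matcher is a simplified stand-in for ACS 5.x command sets (first word matched literally, remaining arguments matched as a regex, implicit deny).

```python
import re
from dataclasses import dataclass

# Constructed sample of IOS commands and the privilege level the parser assigns
# them by default (1 = user EXEC, 15 = privileged EXEC). Illustrative values;
# real defaults vary by IOS image.
COMMAND_LEVELS = {
    "show version": 1,
    "show ip interface brief": 1,
    "show running-config": 15,
    "configure terminal": 15,
    "debug tacacs": 15,
    "reload": 15,
}

# The poster's 'aaa authorization commands 2' and 'commands 15' lines: only
# commands at these levels are sent to the TACACS+ server at all.
AUTHZ_LEVELS = {2, 15}


@dataclass
class CommandSet:
    """Simplified model of an ACS 5.x command set: (command, arguments-regex)
    permit rules with an implicit deny for anything unmatched."""
    permit_rules: list

    def permits(self, command_line):
        head, _, args = command_line.partition(" ")
        return any(head == cmd and re.fullmatch(args_re, args)
                   for cmd, args_re in self.permit_rules)


def evaluate(command_line, session_priv, command_set, authz_levels=AUTHZ_LEVELS):
    """Model the order IOS applies to one typed command and return the outcome."""
    cmd_level = COMMAND_LEVELS[command_line]
    # 1. Parser check: a command above the session privilege level is not even
    #    offered, so the ACS command set never gets a say (the poster's symptom).
    if cmd_level > session_priv:
        return "hidden by parser"
    # 2. Only levels named in an 'aaa authorization commands <lvl>' line are
    #    queried; commands at other levels are allowed locally.
    if cmd_level not in authz_levels:
        return "permit (local, not authorized against ACS)"
    # 3. For everything else the ACS command set is the real allow-list.
    return "permit (ACS)" if command_set.permits(command_line) else "deny (ACS)"


# Constructed command set for the 'troubleshoot' role: every show command plus
# 'debug tacacs', nothing else.
TROUBLESHOOT_SET = CommandSet([("show", r".*"), ("debug", r"tacacs")])


def compare_shell_profiles(command_set=TROUBLESHOOT_SET):
    """Same command set, two shell profiles: priv-lvl 2 (the poster's original)
    versus priv-lvl 15 (the reply's recommendation)."""
    return {
        cmd: {
            "priv 2": evaluate(cmd, 2, command_set),
            "priv 15": evaluate(cmd, 15, command_set),
        }
        for cmd in COMMAND_LEVELS
    }


if __name__ == "__main__":
    for cmd, outcomes in compare_shell_profiles().items():
        print(f"{cmd:26} priv 2: {outcomes['priv 2']:42} priv 15: {outcomes['priv 15']}")
```

Running it shows 'show running-config' as "hidden by parser" under the level 2 profile but "permit (ACS)" under level 15, while 'configure terminal' and 'reload' are denied by the command set at level 15. The practical consequence for whoever maintains the ACS policy: once the shell profile hands out level 15, the command set is the only control between the user and commands like 'reload', so it has to be a tight allow-list rather than a broad permit, and the ACS authorization reports the poster already consulted are the place to confirm each command is actually being evaluated.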

Jesse,

That makes perfect sense.  And as I thought, I'm kicking myself for not realising it earlier.

Thanks a lot for your reply.

Kind regards,

Duncan