If you are using TACACS,
Bring users/groups in at level needed
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "priv" (1 to 15) in the adjacent field
If you are using RADIUS,
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host X.X.X.X key XXXX
Following is the configuration required in the Radius Server
The AV pair in the ACS -->group setup--> IETF RADIUS Attributes
 Service-Type = Login
/* Following is for getting the user straight in privilege mode */ to set priv 15
The AV pair in Cisco IOS/PIX RADIUS Attributes
[009\001] cisco-av-pair = shell:priv-lvl=15
For more information on above commands, please refer to the following link :-
Please try the above and let me know if this helps.
Make sure that you have,
aaa authorization exec default group radius....
aaa authorization exec default group tacacs....
or something similar EXEC authorization command in your configuration along with authentication.
I did and it works. I just get the following message though:
AAA/Author: config command authorization not enabled
as soon as I enter it. Following is the list of commands I have on the Switch. This is a test switch for ACS. Let me know if anything is amiss.
aaa authentication login NO_AUTH none
aaa authentication login RADIUS line
aaa authentication login LOC_AUTH group radius line
aaa authentication enable default enable
aaa authorization exec default group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Nice to know that.
Please add one more command
aaa authorization config-commands
It should fix it.
Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.
A MAJOR problem. Upon executing the two commands:
aaa author exec def group tacacs+ none. I can no longer go to priv mode from my console connection. The workaround is that I have created two sets of authorization execs:
aaa authorization exec NO_AUTH none
aaa authorization exec TAC_AUTH group tacacs+ none
Applied NO_AUTH to console
applied LOC_AUTH to vty.
Obviously, when you proposed the use of aaa authorization exec def group tacacs+, you did not intend the user to be unable to login to console port. So what would be the course in that case? In addition, is my solution 'best practices' or not?
Authorization is not enabled on console by default, and no matter which authorization method list you apply on console it won't take effect.
Until you specify "aaa authorization console" command, it's a hidden command.
Don't do it, as it will enable command authorization to be applied on console as well. If you want to keep console apart from command authorization, then don't specify the command. If you want console to work the way telnet/ssh does, then yes go for it.
As far as your issue goes,
you have "aaa authentication enable default enable"
Then you must be landing,
Make sure that you have enable password configured on switch, and you are using the same enable password.
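An added example, not part of any post in this thread: a small Python check that reads IOS-style configuration text and reports an exec authorization list bound to the console while "aaa authorization console" is absent, which is the situation the last reply describes. It also goes beyond the thread with two more checks, a line bound to an exec list that is never defined and an exec list that ends on a server group with no fallback method; the sample config, the function name and the finding codes are constructed for illustration.

```python
import re

# Constructed sample (not the poster's full config): AAA lines in the style
# of the thread, with assumed line bindings.
SAMPLE = """\
aaa new-model
aaa authorization exec default group tacacs+
aaa authorization exec NO_AUTH none
aaa authorization exec TAC_AUTH group tacacs+ none
line con 0
 authorization exec NO_AUTH
line vty 0 4
 authorization exec LOC_AUTH
"""

def audit_exec_authorization(config):
    """Return sorted (code, subject) findings for exec authorization."""
    lists, bindings, context = {}, [], None
    console_enabled = False
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):
            # Any top-level command ends the previous "line ..." block.
            context = text if text.startswith("line ") else None
        define = re.fullmatch(r"aaa authorization exec (\S+) (.+)", text)
        bind = re.fullmatch(r"authorization exec (\S+)", text)
        if define:
            lists[define.group(1)] = define.group(2).split()
        elif text == "aaa authorization console":
            console_enabled = True
        elif bind and context:
            bindings.append((context, bind.group(1)))
    findings = set()
    for name, methods in lists.items():
        # A list that ends on a server group has nothing to fall back to.
        if methods[-1] not in ("local", "none", "if-authenticated"):
            findings.add(("no-fallback", name))
    for line, name in bindings:
        if name not in lists:
            findings.add(("undefined-list", f"{line} -> {name}"))
        if line.startswith("line con") and not console_enabled:
            findings.add(("console-binding-inactive", f"{line} -> {name}"))
    if console_enabled:
        findings.add(("console-authorization-enabled", "aaa authorization console"))
    return sorted(findings)

if __name__ == "__main__":
    for code, subject in audit_exec_authorization(SAMPLE):
        print(f"{code}: {subject}")
```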