Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.


TACACs+ commands not dropping me into enable mode

Hi All,

I've just comfigured the following on a router running IOS 15. All my other devices are running the old tacacs commands but thought I'd try the new CLI version.
It works, e.g get prompted for username/password and authenticates against our AD Server (integrated with ACS4.2). I get into the router but into usermode.

My other devices drop me straight into Priv Mode. Only difference is the the new commands v the old commands but I can't see anything that is different in relation to putting me into Priv mode.

Any ideas?

aaa group server tacacs+ ABC_ACS

server name ABC_TAC

tacacs server ABC_TAC

address ipv4

key secretkey

aaa authentication login ACS_List group ABC_ACS line

aaa authorization exec ACS_List group ABC_ACS if-authenticated

aaa accounting exec ACS_List start-stop group ABC_ACS

aaa accounting commands 15 ACS_List start-stop group ABC_ACS


line vty 0 4

password test

authorization exec ACS_List

accounting commands 15 ACS_List

accounting exec ACS_List

login authentication ACS_List

length 0

transport input ssh


Make sure you defined the

Make sure you defined the username with a static privilege level of 15 otherwise it will not be able to pass the enable authentication.

If ACS 5.x or higher go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and most important that its applied into a access-policy rule