Cisco Support Community
Community Member

TACACS default priv exec level


I'm testing the new ACS 4.0 for some features like .1x.

For the authentication I use a Linux box with tacacs+ and all works fine.

I try the tacacs coming from ACS, but I don't understand why my account doesn't go to # lvl 15 priv, but I need to insert the enable command.

On ACS my account is lvl 15 and this is my configuration on the test switch:

aaa authentication login default group tacacs+ line

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default wait-start group tacacs+

aaa accounting system default wait-start group tacacs+

Could someone help me?

Thank you,


Community Member

Re: TACACS default priv exec level

You'll need to ensure that the tacacs server is actually passing back the privilege level for Shell Exec. Make sure that your privilege configuration is for the TACACS+ Settings > Shell (exec) settings, not the max enable privilege.

You can also verify whether or not ACS is actually sending the privilege for shell exec if you turn on "debug tacacs". It should look something like...

Jul 28 09:25:02.157: TPLUS: Sending AV service=shell

Jul 28 09:25:02.157: TPLUS: Sending AV cmd*

Jul 28 09:25:02.157: TPLUS: Authorization request created for 4(annie)

Jul 28 09:25:02.157: TPLUS: using previously set server from group tacacs+


Jul 28 09:25:02.173: TPLUS(00000004)/0/8370E638: Processing the reply packet

Jul 28 09:25:02.173: TPLUS: Processed AV priv-lvl=15

Jul 28 09:25:02.173: TPLUS: received authorization response for 4: PASS
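
An added example, not part of the original thread: a small Python check that reads "debug tacacs" output in the format quoted above and reports each exec authorization reply that came back PASS without a priv-lvl AV. The function names and the second session (user "bob") are constructed for illustration.

```python
import re

# Patterns for the "debug tacacs" lines quoted in the reply above.
REQ = re.compile(r"TPLUS: Authorization request created for (\d+)\((\S+?)\)")
AV = re.compile(r"TPLUS: Processed AV priv-lvl=(\d+)")
RESP = re.compile(r"TPLUS: received authorization response for (\d+): (\w+)")

# Session 4 is the output from the reply; session 5 is constructed here to
# show a PASS reply that carries no priv-lvl AV.
SAMPLE = """\
Jul 28 09:25:02.157: TPLUS: Sending AV service=shell
Jul 28 09:25:02.157: TPLUS: Sending AV cmd*
Jul 28 09:25:02.157: TPLUS: Authorization request created for 4(annie)
Jul 28 09:25:02.173: TPLUS(00000004)/0/8370E638: Processing the reply packet
Jul 28 09:25:02.173: TPLUS: Processed AV priv-lvl=15
Jul 28 09:25:02.173: TPLUS: received authorization response for 4: PASS
Jul 28 09:31:10.004: TPLUS: Sending AV service=shell
Jul 28 09:31:10.004: TPLUS: Sending AV cmd*
Jul 28 09:31:10.004: TPLUS: Authorization request created for 5(bob)
Jul 28 09:31:10.020: TPLUS(00000005)/0/8370E638: Processing the reply packet
Jul 28 09:31:10.020: TPLUS: received authorization response for 5: PASS
""".splitlines()

def audit_exec_authorization(lines):
    """One record per authorization response; priv_lvl is None if no AV was seen."""
    users, pending_lvl, results = {}, None, []
    for line in lines:
        if m := REQ.search(line):
            users[m.group(1)] = m.group(2)
            pending_lvl = None          # AVs from an earlier reply do not carry over
        elif m := AV.search(line):
            # The AV line has no session id, so it is tied to the next
            # response line; interleaved sessions would need more care.
            pending_lvl = int(m.group(1))
        elif m := RESP.search(line):
            sid, status = m.groups()
            results.append({"session": sid, "user": users.get(sid),
                            "status": status, "priv_lvl": pending_lvl})
            pending_lvl = None
    return results

def missing_priv_lvl(lines):
    """Users whose exec authorization passed but returned no priv-lvl."""
    return [r["user"] for r in audit_exec_authorization(lines)
            if r["status"] == "PASS" and r["priv_lvl"] is None]

if __name__ == "__main__":
    for record in audit_exec_authorization(SAMPLE):
        print(record)
    print("PASS without priv-lvl:", missing_priv_lvl(SAMPLE))
```
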


