After going through some topics and trying everything I could fine I am relaying on you all to help me further.
I have an Switch and have an AAA configured for login via ACS with AD account. All works fine via Telnet, but connected to the console, I always get to not enable prompt.
I have a local user name and password on the device itself. Which I can use to login through the telnet option, and it brings me straight into enable mode. But using this account with the console it brings me to priv level 1. When typing ENABLE I can specify the password that belongs to this local account but it is not excepted. Instead I get:
% Error in authentication.
Pasted below you can find my current config regarding the login methods:
aaa authentication fail-message ^C
User Authentication has failed. If you are not an authorized user,
please disconnect immediately.
Any unauthorized access attempts will be investigated and will be
subject to prosecution under local laws and ordinances.
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
There are a couple of aspects of your situation which I am puzzled about. Your post talks about logging in and seems to indicate that you are logging in using a local account. But the config is quite clear that TACACS is the primary authentication method. Is the TACACS server running and is the router using TACACS?
If the TACACS server is running and is communicating with the router, I am guessing that the local user ID is also a user ID that is configured in TACACS. This would explain why authentication would work. Can you clarify this? And if this is the case I would guess that the user ID is not configured in TACACS to have enable mode access.
On the possibility that the router is not communicating with the TACACS server I would suggest that you try using the enable secret (or enable password - which ever you have configured) rather than the user password at the prompt for enable mode.
The other part of your question is more clear. Your question says that when you login through vty you go straight to enable mode but on the console you go to privilege level 1. This is intentional behavior on the router. Going straight into enable mode is a function of authorization (in addition to authentication). And by default Cisco does this for vty and does not do this for the console (the danger of locking yourself out of the router if something is misconfigured is significant). If you are confident of the configuration and want to go directly into enable mode on the console you can use this (hidden) command under line con 0:
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...