CSS TACACS+ w/o authorization, everyone is privileged

gzkjgs
Level 1

I have a CSS 11506 (7.40.1.03) configured as a TACACS client with:

virtual authentication primary tacacs
virtual authentication secondary local
tacacs-server key <our key>
tacacs-server frequency 0
tacacs-server <ip addr> 49 primary frequency 0
tacacs-server <ip addr> 49 frequency 0
tacacs-server account config
(no tacacs-server authorize config)

Whenever any TACACS user telnets or ssh's and logs into the CSS, they are connected in "privileged" mode ("#" prompt), no matter what their TACACS profile may be. Our ACS system is not set up for authorization, and works fine on all our other routers and switches.

I would expect the user to be in "user" (non-privileged) mode when they connect. Am I missing something?

CSS11506# sho tacacs-server

Per-Server Status:
IP/Port         State   Primary   Authen.   Author.   Account
-------         -----   -------   -------   -------   ------
<ip addr>:49    Alive   Yes       9         0         5
<ip addr>:49    Alive   No        0         0         0
Totals:                           9         0         5

Per-Server Configuration:
IP/Port         Key              Server Timeout   Server Frequency
-------         ---              --------------   ----------------
<ip addr>:49    Not Configured   None             0
<ip addr>:49    Not Configured   None             0

Global Configuration Parameters:
Global Timeout: 5
Global KAL Frequency: 0
Global Key: Configured
Authorize Config Commands: No
Authorize Non-Config Commands: No
Account Config Commands: Yes
Account Non-Config Commands: No
Send Full Command: Yes

1 Reply

Gilles Dufour
Cisco Employee