It seems this topic has been covered plenty already, but I just thought I would share my experience getting TACACS+ authentication working with enable mode (privilege level 15) for our ASA5550. Probably unique to my setup, but perhaps this can help anyone else who comes across this problem.
Before I begin I would like to say I found the Cisco documentation somewhat confusing: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/start.html
Anyway, to give some background, we use TACACS+ for telnet (auth/accounting) with existing Cisco routers/switches. If specified in tacacs.conf, a user can log on to a device with full enable access without having to first escalate privileges. I just expected the ASA would support this. This is not the case, as I discovered from this thread: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc21a1e/0#selected_message "...The ASA/PIX doesn't do "exec" authorization like a router does, to put you straight into privilege level 15..."
In the tacacs.conf file on your TACACS+ server make sure you create a user called $enab15$. This is in addition to your individual user accounts. It is a global "enable" user whose password is checked when any user in tacacs.conf escalates to enable (privilege level 15) on the ASA.
Here is the config I'm using that works:
** ASA5550 **
aaa-server MNGT-TAC protocol tacacs+
aaa-server MNGT-TAC (mngt0_0_management_int) host 192.168.66.2
key cisco
aaa authentication telnet console MNGT-TAC LOCAL
aaa authentication enable console MNGT-TAC LOCAL
aaa accounting telnet console MNGT-TAC
aaa accounting enable console MNGT-TAC
aaa accounting command MNGT-TAC
!
telnet 192.168.66.1 255.255.255.255 mngt0_0_management_int
** TACACS server /etc/tac-plus/tacacs.conf **
accounting file = /var/log/tac-plus/account
key = cisco    # comment out while debugging
## Global enable password
user = $enab15$ {
    login = des cs23Dsd2bslz    # use DES encryption
}
user = asa-test {
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
    login = des bs2Apbk0xCT0D
}
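To catch the two things this setup depends on before touching the box, here is an added sanity check (my own example, not code from the post or from tac_plus): it parses the brace-nested tac_plus config, confirms the global $enab15$ user exists with a login, confirms the ASA's enable authentication points at a tacacs+ server group, and lists which users land at priv-lvl 15 after enable. The sample configs are constructed copies trimmed from the post; the function names are hypothetical.

```python
import re

# Constructed sample inputs (not the poster's live files), trimmed from the post.
ASA_CONFIG = """aaa-server MNGT-TAC protocol tacacs+
aaa authentication enable console MNGT-TAC LOCAL
"""
TACACS_CONF = """key = cisco
user = $enab15$ {
    login = des cs23Dsd2bslz
}
user = asa-test {
    service = exec {
        priv-lvl = 15
    }
    login = des bs2Apbk0xCT0D
}
"""

def parse_tac_plus(text):
    """Minimal tac_plus parser: 'k = v' lines and 'kind = name { ... }' blocks."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            current = stack.pop()  # close block, return to parent
        elif line.endswith("{"):
            kind, _, name = line[:-1].partition("=")
            current[(kind.strip(), name.strip())] = child = {}
            stack.append(current)
            current = child
        else:
            k, _, v = line.partition("=")
            current[k.strip()] = v.strip()
    return root

def check_enable_auth(asa_text, tacacs_text):
    """Return the misconfigurations that break TACACS+ enable on the ASA."""
    problems, conf = [], parse_tac_plus(tacacs_text)
    groups = set(re.findall(r"^aaa-server (\S+) protocol tacacs\+", asa_text, re.M))
    m = re.search(r"^aaa authentication enable console (\S+)", asa_text, re.M)
    if not m or m.group(1) not in groups:
        problems.append("ASA: enable authentication does not use a tacacs+ server group")
    if "login" not in conf.get(("user", "$enab15$"), {}):
        problems.append("tacacs.conf: global enable user $enab15$ (with a login) is missing")
    return problems

def priv15_users(tacacs_text):  # users whose exec service grants priv-lvl 15
    return sorted(k[1] for k, v in parse_tac_plus(tacacs_text).items() if isinstance(k, tuple)
                  and k[0] == "user" and v.get(("service", "exec"), {}).get("priv-lvl") == "15")
```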