Users created in an AAA server are given the lowest level of access, Level 1, by default. With this privilege level, users can access read-only information pages from the Access Point (AP) user interface. Options that require read-write access pages prompt you for Level 15 access.
In order to disable the Level 15 Username and Password prompt, configure the group or user settings on the Cisco Secure ACS for Windows server to grant Level 15 access the first time the user logs in.
In order to provide Level 15 access to users for admin authentication, issue the shell:priv-lvl=15 command under Cisco IOS /PIX Firewall RADIUS Attributes. You can configure Cisco IOS/PIX RADIUS Attributes under the Group Setup section for the user group on the AAA server.
Similarly we can use the same informaiton on Cisco IOS routers as well. Here is the Configuration Example :-
The with default keyword authorization will get applied on all the lines i.e. CONSOLE, VTY, AUX. In case you want it for users who are trying to login to via ssh or telnet use the following:
router(config)#aaa authorization exec Cisco group radius local router(config)#line vty 0 15 router(config-line)#authorization exec Cisco
On Cisco Secure ACS:-
Checkuser & group for cisco av-pair.
User setup à cisco ios/pix 6.x radius attributes àcisco av-pair [ shell:priv-lvl=15]
Group setup à ios/pix 6.x radius attributes à shell:priv-lvl=15
In case of radius if exec authorization is enabledand if have not specified any privilege level in the ACS server. Then user will fall under the privilege level 1 and if enable authentication is enabledor enable password is definedon the router then we can go to enable mode by typing en or en <priv-lvl>