https://community.cisco.com/t5/network-access-control/acs-5-1-device-admin-privilege-assignment/m-p/1864051#M227895 <HTML><HEAD></HEAD><BODY><P>Indeed, a device must have the "<STRONG>aaa authorization exec</STRONG>" command for privilege assignment from ACS to work.</P><P></P><P>In my device, running IOS 12.2(53)SG3, the configuration should be:</P><P></P><P>&nbsp;&nbsp;&nbsp; <STRONG>aaa authorization exec default local group tacacs+<BR /></STRONG></P><P></P><P>That allows the device to try the local enable secret and then TACACS+ authorization.</P></BODY></HTML> Fri, 02 Dec 2011 15:14:19 GMT ww9rivers 2011-12-02T15:14:19Z https://community.cisco.com/t5/network-access-control/acs-5-1-device-admin-privilege-assignment/m-p/1864050#M227894 <P><SPAN>I think I am doing the same thing as described in this document: </SPAN><A href="https://community.cisco.com/document/61691/how-configure-tacacs-authentication-and-authorization-admin-and-non-admin-users-acs" target="_blank">https://supportforums.cisco.com/docs/DOC-16027</A></P><P></P><P>However, my admin user is still being assigned privilege level 1, as shown in <STRONG>AAA Protocol &gt; TACACS+ Authentication Details</STRONG> report.</P><P></P><P>The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).</P><P></P><P>Also, I found this document via Google:</P><P style="padding-left: 30px;"><A class="jive-link-external-small" href="http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml#t2" target="_blank">http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml#t2</A></P><P></P><P></P><P>The router configuration examples all show this "<STRONG>aaa authorization exec tacacs+|radius local</STRONG>" command, which my device does not have.</P><P></P><P>So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "<STRONG>aaa authorization exec</STRONG>" command in the configuration?</P><P></P><P>Any help would be great! Thanks!</P><P>-- </P><P>Wei</P> Tue, 26 Mar 2019 00:28:30 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-device-admin-privilege-assignment/m-p/1864050#M227894 ww9rivers 2019-03-26T00:28:30Z https://community.cisco.com/t5/network-access-control/acs-5-1-device-admin-privilege-assignment/m-p/1864051#M227895 <HTML><HEAD></HEAD><BODY><P>Indeed, a device must have the "<STRONG>aaa authorization exec</STRONG>" command for privilege assignment from ACS to work.</P><P></P><P>In my device, running IOS 12.2(53)SG3, the configuration should be:</P><P></P><P>&nbsp;&nbsp;&nbsp; <STRONG>aaa authorization exec default local group tacacs+<BR /></STRONG></P><P></P><P>That allows the device to try the local enable secret and then TACACS+ authorization.</P></BODY></HTML> Fri, 02 Dec 2011 15:14:19 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-device-admin-privilege-assignment/m-p/1864051#M227895 ww9rivers 2011-12-02T15:14:19Z