https://community.cisco.com/t5/network-access-control/asa-8-2-3-can-t-quot-enable-quot-tacacs-acs4-2-user-with/m-p/1673975#M238530 <HTML><HEAD></HEAD><BODY><P>Set the Enable Options in the grp to</P><P>Max Priv for any AAA Client</P><P>to</P><P>Level 15</P><P>this will allow enable and also limit your shell options to 10 and the command set you created</P></BODY></HTML> Mon, 02 May 2011 12:05:16 GMT Calvin Ryver 2011-05-02T12:05:16Z https://community.cisco.com/t5/network-access-control/asa-8-2-3-can-t-quot-enable-quot-tacacs-acs4-2-user-with/m-p/1673974#M238528 <P>I can't seem to enable in ASA with a non-15 privilege level user configured in ACS 4.2 (tacacs).</P><P></P><P>When I enable in IOS device, it enables and "show privilege" shows level 10 as expected. ACS should be configured correctly as it works fine with IOS. User is not set with explicit settings. Group is set with "max enable level" 15 and "shell exec priv level" 15. The enable password is set to the internal ACS PAP password. Works fine in IOS.</P><P></P><P>When I enable in ASA, it fails to enable, and ACS log says "Tacacs+ enable privilege too low". I suspect that ASA tries to enable into level 15 explicitely. If I try to issue "enable 10" command in ASA it says: </P><P></P><P></P><P><STRONG>Enabling to privilege levels is not allowed when configured for</STRONG></P><P><STRONG>AAA authentication. Use 'enable' only.</STRONG></P><P></P><P></P><P>My config (only showing relevant commands):</P><P></P><P></P><P></P><P><STRONG>aaa authentication telnet console mmsacs01 LOCAL</STRONG></P><P><STRONG>aaa authentication enable console mmsacs01 LOCAL</STRONG></P><P><STRONG>aaa authorization command mmsacs01 LOCAL</STRONG></P><P><STRONG>aaa authorization exec authentication-server</STRONG></P><P></P><P></P><P></P><P></P><P>Thanks!</P> Mon, 11 Mar 2019 01:02:39 GMT https://community.cisco.com/t5/network-access-control/asa-8-2-3-can-t-quot-enable-quot-tacacs-acs4-2-user-with/m-p/1673974#M238528 Roman Rodichev 2019-03-11T01:02:39Z https://community.cisco.com/t5/network-access-control/asa-8-2-3-can-t-quot-enable-quot-tacacs-acs4-2-user-with/m-p/1673975#M238530 <HTML><HEAD></HEAD><BODY><P>Set the Enable Options in the grp to</P><P>Max Priv for any AAA Client</P><P>to</P><P>Level 15</P><P>this will allow enable and also limit your shell options to 10 and the command set you created</P></BODY></HTML> Mon, 02 May 2011 12:05:16 GMT https://community.cisco.com/t5/network-access-control/asa-8-2-3-can-t-quot-enable-quot-tacacs-acs4-2-user-with/m-p/1673975#M238530 Calvin Ryver 2011-05-02T12:05:16Z https://community.cisco.com/t5/network-access-control/asa-8-2-3-can-t-quot-enable-quot-tacacs-acs4-2-user-with/m-p/1673976#M238532 <HTML><HEAD></HEAD><BODY><P>That was it! Thanks a lot!</P><P></P><P>Roman</P></BODY></HTML> Tue, 03 May 2011 03:00:17 GMT https://community.cisco.com/t5/network-access-control/asa-8-2-3-can-t-quot-enable-quot-tacacs-acs4-2-user-with/m-p/1673976#M238532 Roman Rodichev 2011-05-03T03:00:17Z