https://community.cisco.com/t5/network-access-control/aaa/m-p/1686221#M249003 <P>ACS v5.1</P><P></P><P>I want to stop NON-ADMIN staff(service desk) from being able to execute the enable command on a router once authenticated.</P><P></P><P>TACACS authenticates users against AD.</P><P>Shell profile set for NON-ADMIN set to Default privilege Level 1.</P><P>Command Set for NON-ADMIN set to deny enable.</P><P></P><P>User ssh to device, gets authenticated.</P><P>Is able to execute enable command and use the enable secret to gain Priv15.</P><P></P><P>What am i doing wrong?What have i missed?</P><P></P><P>Regards</P> Mon, 11 Mar 2019 00:58:42 GMT Net Support 2019-03-11T00:58:42Z https://community.cisco.com/t5/network-access-control/aaa/m-p/1686221#M249003 <P>ACS v5.1</P><P></P><P>I want to stop NON-ADMIN staff(service desk) from being able to execute the enable command on a router once authenticated.</P><P></P><P>TACACS authenticates users against AD.</P><P>Shell profile set for NON-ADMIN set to Default privilege Level 1.</P><P>Command Set for NON-ADMIN set to deny enable.</P><P></P><P>User ssh to device, gets authenticated.</P><P>Is able to execute enable command and use the enable secret to gain Priv15.</P><P></P><P>What am i doing wrong?What have i missed?</P><P></P><P>Regards</P> Mon, 11 Mar 2019 00:58:42 GMT https://community.cisco.com/t5/network-access-control/aaa/m-p/1686221#M249003 Net Support 2019-03-11T00:58:42Z https://community.cisco.com/t5/network-access-control/aaa/m-p/1686222#M249012 <HTML><HEAD></HEAD><BODY><P>For those users that you do not want to have privilege level above 1 set the max privilege to 1 (either per-user or per-group).</P></BODY></HTML> Mon, 11 Apr 2011 14:13:17 GMT https://community.cisco.com/t5/network-access-control/aaa/m-p/1686222#M249012 Javier Henderson 2011-04-11T14:13:17Z