https://community.cisco.com/t5/network-access-control/enable-password-issues-with-acs-5-1/m-p/1536929#M254369 <HTML><HEAD></HEAD><BODY><P>Jesse,</P><P></P><P>That makes perfect sense.&nbsp; And as I thought, I'm kicking myself for not realising it earlier.</P><P></P><P>Thanks alot for your reply.</P><P></P><P>Kind regards,</P><P>Duncan</P></BODY></HTML> Tue, 09 Nov 2010 00:24:27 GMT Duncan Watson 2010-11-09T00:24:27Z https://community.cisco.com/t5/network-access-control/enable-password-issues-with-acs-5-1/m-p/1536927#M254352 <P>Hi,</P><P></P><P>I'm guessing this one will be quite straightforward, but so far I just can't make this work.</P><P></P><P>I have two Tacacs+ accounts- admin (lvl 15) and troubleshoot (lvl 2), with authentication and authorization being performed on the ACS.</P><P></P><P>On the ACS I have configured account-specific login and enable mode passwords.</P><P></P><P>My Cisco device configs are as follows:</P><P></P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login CONSOLE none</P><P>aaa authorization config-commands</P><P>aaa authorization exec default group tacacs+</P><P>aaa authorization commands 2 default group tacacs+</P><P>aaa authorization commands 15 default group tacacs+</P><DIV>!</DIV><DIV><DIV>tacacs-server host x.x.x.x key TACACS</DIV><DIV>tacacs-server directed-request</DIV></DIV><DIV>!</DIV><DIV>enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</DIV><P></P><P></P><P>When I login as the admin account it works beautifully.&nbsp; I am placed directly into privileged exec mode and have full level 15 access.&nbsp; I confirmed the ACS server is being referenced correctly with both 'debug tacacs' on the switch and Tacacs Authorization reports on the ACS itself.</P><P></P><P>However, when I login as 'troubleshoot', even though I am immediately shown the '#' enable prompt I only have standard user-mode commands.&nbsp; Output from 'debug tacacs' shows that the correct shell profile (lvl 2) has been assigned by the ACS and I'm seeing the relevant command set being referenced in the authorization reports (as per attached screenshot).</P><P></P><P>Once I type 'enable' to move into privileged exec mode, the account has access to all commands permitted by the command set (in other words, it works fine).</P><P></P><P>So in summary, I guess my request is:</P><P>How to get the ACS to place me into 'privileged exec' mode as soon as I login with a level 2 shell profile (rather than having to manually enter this mode)?</P><P></P><P>Many thanks,</P><P>Duncan</P> Mon, 11 Mar 2019 00:33:28 GMT https://community.cisco.com/t5/network-access-control/enable-password-issues-with-acs-5-1/m-p/1536927#M254352 Duncan Watson 2019-03-11T00:33:28Z https://community.cisco.com/t5/network-access-control/enable-password-issues-with-acs-5-1/m-p/1536928#M254356 <HTML><HEAD></HEAD><BODY><P>Duncan,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; If you are going to do command authorization against ACS then you don't need to assign level 2, you will assign level 15 and then all commands are authorized against the ACS to determine if that user is allowed to run that command or not.&nbsp; If you pass level 2 then only commands that are at level 2 or below will be shown to the user.</P><P>--Jesse</P></BODY></HTML> Mon, 08 Nov 2010 20:41:20 GMT https://community.cisco.com/t5/network-access-control/enable-password-issues-with-acs-5-1/m-p/1536928#M254356 jedubois 2010-11-08T20:41:20Z https://community.cisco.com/t5/network-access-control/enable-password-issues-with-acs-5-1/m-p/1536929#M254369 <HTML><HEAD></HEAD><BODY><P>Jesse,</P><P></P><P>That makes perfect sense.&nbsp; And as I thought, I'm kicking myself for not realising it earlier.</P><P></P><P>Thanks alot for your reply.</P><P></P><P>Kind regards,</P><P>Duncan</P></BODY></HTML> Tue, 09 Nov 2010 00:24:27 GMT https://community.cisco.com/t5/network-access-control/enable-password-issues-with-acs-5-1/m-p/1536929#M254369 Duncan Watson 2010-11-09T00:24:27Z