https://community.cisco.com/t5/network-access-control/about-tacacs-privilege-level/m-p/4905194#M583434 <P>&nbsp;</P> <P>&nbsp;- FYI :&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html</A></P> <P>&nbsp;M.</P> Tue, 15 Aug 2023 07:41:14 GMT Mark Elsen 2023-08-15T07:41:14Z https://community.cisco.com/t5/network-access-control/about-tacacs-privilege-level/m-p/4905192#M583433 <P>I applied the configuration below to the router.</P><P>And when i connect to the router, it is authenticated by Tacas and immediately connects to level 15.</P><P>I want to start with level 1 and want to login level 15 by using enable command. which config should I fix?</P><P>aaa group server tacacs+ A</P><P>&nbsp;server name x.x.x.x</P><P>&nbsp;ip vrf forwarding mgmt-intf</P><P>&nbsp;ip tacacs source-interface GigabitEthernet0</P><P>&nbsp;</P><P>aaa authentication login default group A local</P><P>aaa authentication enable default group A enable</P><P>aaa authorization exec default group A local</P><P>&nbsp;</P><P>aaa authorization commands 15 default group A local</P><P>&nbsp;</P><P>aaa accounting exec A start-stop group A</P><P>aaa accounting network A start-stop group A</P><P>&nbsp;</P><P>aaa accounting commands 0 default start-stop group A</P><P>aaa accounting commands 1 default start-stop group A</P><P>aaa accounting commands 5 default start-stop group A</P><P>aaa accounting commands 15 default start-stop group A</P><P>&nbsp;</P><P>tacacs-server directed-request</P><P>tacacs server x</P><P>&nbsp;address ipv4 x.x.x.x</P><P>&nbsp;key xxxx</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 15 Aug 2023 07:34:41 GMT https://community.cisco.com/t5/network-access-control/about-tacacs-privilege-level/m-p/4905192#M583433 tjdwns4111 2023-08-15T07:34:41Z https://community.cisco.com/t5/network-access-control/about-tacacs-privilege-level/m-p/4905194#M583434 <P>&nbsp;</P> <P>&nbsp;- FYI :&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html</A></P> <P>&nbsp;M.</P> Tue, 15 Aug 2023 07:41:14 GMT https://community.cisco.com/t5/network-access-control/about-tacacs-privilege-level/m-p/4905194#M583434 Mark Elsen 2023-08-15T07:41:14Z https://community.cisco.com/t5/network-access-control/about-tacacs-privilege-level/m-p/4905242#M583437 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1512569">@tjdwns4111</a>,</P><P>Please remove the 'aaa authorization commands 15 default group A local' line, since you want to start with level 1.<BR /><BR />Also, update the 'aaa authorization exec default group A local' line to include the if-authenticated keyword:<BR /><!-- /data/user/0/com.samsung.android.app.notes/files/clipdata/clipdata_bodytext_230815_120955_715.sdocx --></P><P>aaa authorization exec default group A if-authenticated</P><P>&nbsp;</P> Tue, 15 Aug 2023 10:11:46 GMT https://community.cisco.com/t5/network-access-control/about-tacacs-privilege-level/m-p/4905242#M583437 M02@rt37 2023-08-15T10:11:46Z