I am using ACS 5.8 version.
1. I can login to IOS device using tacacs local account and local privilege password, but I have to enter "enable" command to get vty prompt. -> How can I directly go to global config mode?
2. I have AD setup too, and it is behaving same way. I can login to exec mode, but I can't login to device in global config mode.
Cisco Secure ACS
Policy Elements > ... > Authorization and Permissions > Device Administration > Shell Profiles > Edit: "PRIV_15" => value=15
aaa group server tacacs+ <grp name>
aaa authentication login default group <grp name> local
aaa authentication login console enable
aaa authentication enable default group <grp name> enable
aaa accounting exec default start-stop group tacacs+ group <grp name>
aaa accounting network default start-stop group tacacs+ group <grp name>
aaa authorization exec default group <grp name> none
aaa authorization commands 1 default group <grp name> none
aaa authorization commands 15 default group <grp name> none
> IOS device
> I directly want to login in global config mode (using both local and AD account).
Remove the "aaa authentication enable" and that should take care of the problem for you. After you remove this command the privilege defined in the TACACS+ server will be used. The user should be dropped immediately in the "#" mode since you are pushing Privilege Level 15.
Thank you for rating helpful posts!
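An added example (not part of the original posts, and not Cisco's code): a small Python check over an IOS AAA configuration like the one in the question, reporting the lines that decide whether the privilege level pushed by the TACACS+ shell profile is applied at login. The function name, the finding strings and the group name `ACS_GRP` are assumptions made for illustration.

```python
import re

# Constructed sample: AAA lines from the question, with the placeholder
# group name replaced by the made-up name ACS_GRP.
SAMPLE_CONFIG = """\
aaa group server tacacs+ ACS_GRP
aaa authentication login default group ACS_GRP local
aaa authentication login console enable
aaa authentication enable default group ACS_GRP enable
aaa authorization exec default group ACS_GRP none
aaa authorization commands 15 default group ACS_GRP none
"""

def audit_aaa(config: str) -> list:
    """Return findings about where the login privilege level comes from."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Names of the TACACS+ server groups defined in this configuration.
    groups = {m.group(1) for l in lines
              if (m := re.match(r"aaa group server tacacs\+ (\S+)", l))}
    findings = []

    # The priv-lvl value from the shell profile is only applied when
    # exec authorization actually asks the TACACS+ server.
    exec_authz = [l for l in lines if l.startswith("aaa authorization exec ")]
    uses_server = any(tok in groups or tok == "tacacs+"
                      for l in exec_authz for tok in l.split()[4:])
    if not uses_server:
        findings.append("exec-authorization-not-using-tacacs")

    # The line the answer above says to remove.
    if any(l.startswith("aaa authentication enable ") for l in lines):
        findings.append("enable-authentication-configured")

    # Console sessions are not authorized unless this command is present,
    # so a console login does not receive the pushed privilege level.
    if "aaa authorization console" not in lines:
        findings.append("console-not-authorized")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```
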