Solved: How to get to enable mode directly with TACACS?

SMD28316 · ‎12-19-2021

My TACACS is working fine but it has a single issue that I'm trying to understand, how can I get the switch to log into exec mode directly after successfully login in to enable mode? My AAA config is like this:

aaa authentication login default group line
aaa authentication login admin local group ISE_ADMIN_TAC line
aaa authorization exec tac-author group ISE_ADMIN_TAC local
aaa authorization commands 0 tac-author group ISE_ADMIN_TAC local
aaa accounting exec default start-stop group ISE_ADMIN_TAC
aaa accounting connection default start-stop group ISE_ADMIN_TAC
aaa accounting commands 15 default start-stop group ISE_ADMIN_TAC
aaa accounting system default start-stop group ISE_ADMIN_TAC
username smdlocal password 0 smdlocal123
!
tacacs server <PSN_IP>
address ipv4 <PSN_IP>
key smdlocal123
tacacs-server directed-request
!
!
aaa group server tacacs+ ISE_ADMIN_TAC
server name <PSN_IP>
ip vrf forwarding mgmt-Vrf
ip tacacs source-interface FastEthernet1
!
!
aaa new-model
aaa session-id common
!
!

And line configuration:

line vty 0 4
  exec-timeout 30 0
  password smdlocal123
  authorization exec tac-author
  login authentication admin
  transport input telnet
  escape-character 16
line vty 5 15
  exec-timeout 30 0
  password smdlocal123
  authorization exec tac-author
  login authentication admin
  transport input telnet
  escape-character 16
!

I keep getting into enable mode and I have to enter into exec mode manually, why?

Arne Bier · ‎12-20-2021

What privilege level are you returning for the user that needs to go straight to enable If you return Min=15 and Max=15 then the user will go directly to enable mode

View solution in original post

Arne Bier · ‎12-20-2021

What privilege level are you returning for the user that needs to go straight to enable If you return Min=15 and Max=15 then the user will go directly to enable mode