Inconsistent privilege levels in accounting logs ACS 5.2

Hi all,

Please see the screenshots. The "user_jagvillanueva" file shows TACACS+ Accounting logs. The same user has privilege level 15 and sometimes 1.

The problem is: where does that "privilege level 1" come from??

This problem occurs for all users.

The user has privilege level 15 tied to its username (other attributes).

In my Access Policies it also gives the user a shell profile with default privilege level 15.

All devices have the same baseline config:

aaa new-model
aaa authentication login LAN group tacacs+ local
aaa authorization exec LAN group tacacs+ local if-authenticated
aaa authorization commands 7 LAN group tacacs+ local
aaa authorization commands 15 LAN group tacacs+ local
aaa accounting exec LAN start-stop group tacacs+
aaa accounting commands 7 LAN start-stop group tacacs+
aaa accounting commands 15 LAN start-stop group tacacs+

line vty 0 4
  access-class 20 in
  exec-timeout 5 0
  password 7 <removed>
  authorization commands 7 LAN
  authorization commands 15 LAN
  authorization exec LAN
  accounting commands 7 LAN
  accounting commands 15 LAN
  accounting exec LAN
  login authentication LAN
  transport input ssh

I have patched it with the latest.

AAA works fine: users authenticate properly and are granted the correct permissions. It's just that in the logs the displayed privilege level is incorrect.

Please see the other two screenshots. They show the details of one accounting log where the user entered the ping command; it displays priv level 1 but the attribute says priv level 15.

Many thanks in advance!!!
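As an added example (not part of the original post and not ACS code), here is a small Python script that reconciles accounting records against the privilege level the shell profile returned, so the kind of inconsistency described above can be flagged per user and per record type. The key=value record layout and the sample lines are constructed for illustration; a real ACS 5.2 export would need its own field mapping.

```python
import re
from collections import defaultdict

# Constructed sample accounting records (not a real ACS 5.2 export); key=value
# layout kept simple. priv-lvl is the level stamped on the record itself,
# attr_priv_lvl the level the shell profile returned for that session.
SAMPLE_RECORDS = """\
2012-03-01 10:00:01 user=jagvillanueva device=10.0.0.1 type=exec-start priv-lvl=1 attr_priv_lvl=15
2012-03-01 10:00:05 user=jagvillanueva device=10.0.0.1 type=cmd cmd="ping 10.0.0.2" priv-lvl=1 attr_priv_lvl=15
2012-03-01 10:00:09 user=jagvillanueva device=10.0.0.1 type=cmd cmd="show running-config" priv-lvl=15 attr_priv_lvl=15
2012-03-01 10:01:00 user=jagvillanueva device=10.0.0.1 type=exec-stop priv-lvl=15 attr_priv_lvl=15
2012-03-01 10:02:00 user=operator2 device=10.0.0.1 type=exec-start priv-lvl=1 attr_priv_lvl=1
"""

# key=value pairs; values may be double-quoted (command strings with spaces)
FIELD_RE = re.compile(r'([A-Za-z_][\w-]*)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one accounting line into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["timestamp"] = " ".join(line.split()[:2])
    return rec

def parse_records(text):
    """Parse every non-empty line of an accounting export."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def find_mismatches(text):
    """Records whose logged priv-lvl differs from the shell-profile attribute."""
    return [r for r in parse_records(text)
            if r.get("priv-lvl") != r.get("attr_priv_lvl")]

def levels_by_user(text):
    """Map each user to the sorted list of privilege levels its records carry."""
    seen = defaultdict(set)
    for r in parse_records(text):
        seen[r["user"]].add(int(r["priv-lvl"]))
    return {u: sorted(v) for u, v in seen.items()}

def mismatch_types(text):
    """Which record types carry the inconsistent level, and how often."""
    counts = defaultdict(int)
    for r in find_mismatches(text):
        counts[r["type"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for r in find_mismatches(SAMPLE_RECORDS):
        print(r["timestamp"], r["user"], r["type"], "logged", r["priv-lvl"], "attr", r["attr_priv_lvl"])
    print(levels_by_user(SAMPLE_RECORDS), mismatch_types(SAMPLE_RECORDS))
```

Running it against a real export shows whether the low level appears only on exec-start records or also on command records, which narrows down where the value is being set.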
