Scenario:

ACS 5.3 configured with two rules, 1 rule for standard level 15 access for the Network Engineers and a 2nd rule to allow some limited access to switches: The limited access account has enough command set access to change the vlan on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.

Switch configuration:     

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa session-id common

Everything works well and the limited access users can only perform the commands i've setup.

Problem:

The problem i've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server it stops allowing any commands to be typed in the router/switch. Additionally if you then connect to the device and login with the local username and password the device then waits for it to hit the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.

Question:

Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server but still allow the limited access accounts to be able to make interface changes?