09-26-2011 07:51 AM
Please forgive me if I don't explain this as clearly as I'm trying to.
I'm trying to set up local usernames with specific privilege levels that will ONLY work on the console port. We currently have our ACS server set up and we have usernames there that give us level-15 privileges as soon as we log in through SSH. I have to get rid of the one local username/password we use on our switches when we are on-site working a closet and create user-specific local logins.
Here is the config on the switch that I am testing:
aaa authentication login default group tacacs+
aaa authentication login console local
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa authorization network default local group tacacs+
username test privilege 0 password cisco
username test2 privilege 1 password cisco
username test3 privilege 15 password cisco
line con 0
 login authentication console
line vty 0 4
 transport input ssh
line vty 0 5
 transport input ssh
The problem I am running into at the moment is that the privilege levels aren't sticking. When I enter the privilege level for "test2", which is 1, it automatically reverts to 0. If I do a show run it will show user "test2" with privilege 0. Currently, in the above setup, if I enter "enable" all the test users get privilege level 15. I don't want the console port to authenticate to the ACS server because sometimes, if the switch gets disconnected from the network, local login is a no-go.
Bottom-line:
-Keep ACS authentication on Line VTY lines
-Add local login on the console port, with only privilege-15 users being able to enter privileged EXEC mode.
09-29-2011 01:46 AM
Hi,
Try these...
(Assuming that you have already configured usernames on the router, to be used as local usernames.)
This will prompt for a username whenever ACS is available; in case of failure, it will ask for the local username.
aaa new-model
!
aaa authentication login default local
aaa authentication login
aaa authentication login no-login none
aaa authentication login console group tacacs+ local
aaa authentication username-prompt "Local Username: "
!
aaa session-id common
!
line vty 0 4
login authentication
!
line con 0
login authentication
!
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
HTH,
Smitesh
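Added example, not from either post above: the piece both configurations leave out is EXEC authorization on the console. In IOS the "privilege N" on a username is only applied at login when an exec authorization method list runs for that line, and exec authorization is not applied to the console at all unless "aaa authorization console" is configured. The fragment below keeps TACACS+ (ACS) first on the VTY lines with local fallback if the servers are unreachable, makes the console purely local, and applies the local privilege level on both. The list name CONSOLE, the VTY ranges, the placeholder secrets and the omitted tacacs-server definition are assumptions for the example.

```cisco
! Added example (not from either post). Assumes a tacacs-server / ACS
! definition already exists and that list name CONSOLE is unused.
aaa new-model
!
! Authentication: VTY -> ACS first, local only if every server is unreachable
! (a login the server rejects does NOT fall through to local).
aaa authentication login default group tacacs+ local
! Console -> local database only, so an isolated switch is still reachable.
aaa authentication login CONSOLE local
!
! EXEC authorization is what applies the "privilege N" of a username at login.
! It is not applied to the console unless "aaa authorization console" is set.
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization exec CONSOLE local
aaa authorization commands 15 default group tacacs+ local
!
! Local accounts. "secret" stores a hash; "password" stores a reversible type 7.
! test3 lands directly in privileged EXEC; test2 stays at level 1.
username test2 privilege 1 secret TEST2-SECRET-PLACEHOLDER
username test3 privilege 15 secret TEST3-SECRET-PLACEHOLDER
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
line vty 5 15
 login authentication default
 authorization exec default
 transport input ssh
```

Check it by logging in on the console as test2 and as test3 and running "show privilege": test2 should report level 1 and test3 level 15 without typing "enable". Two caveats a practitioner would want: first, any level-1 user who knows the enable secret can still type "enable" and reach level 15, so the enable secret has to be treated as a level-15 credential in its own right; second, change AAA from a second session that stays logged in (console plus SSH) and confirm a fresh login on each line before closing it, since a mistake in a login or exec method list locks you out of that line.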