I'm guessing this one will be quite straightforward, but so far I just can't make this work.
I have two Tacacs+ accounts- admin (lvl 15) and troubleshoot (lvl 2), with authentication and authorization being performed on the ACS.
On the ACS I have configured account-specific login and enable mode passwords.
My Cisco device configs are as follows:
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 2 default group tacacs+
aaa authorization commands 15 default group tacacs+
When I login as the admin account it works beautifully. I am placed directly into privileged exec mode and have full level 15 access. I confirmed the ACS server is being referenced correctly with both 'debug tacacs' on the switch and Tacacs Authorization reports on the ACS itself.
However, when I login as 'troubleshoot', even though I am immediately shown the '#' enable prompt I only have standard user-mode commands. Output from 'debug tacacs' shows that the correct shell profile (lvl 2) has been assigned by the ACS and I'm seeing the relevant command set being referenced in the authorization reports (as per attached screenshot).
Once I type 'enable' to move into privileged exec mode, the account has access to all commands permitted by the command set (in other words, it works fine).
So in summary, I guess my request is:
How to get the ACS to place me into 'privileged exec' mode as soon as I login with a level 2 shell profile (rather than having to manually enter this mode)?
If you are going to do command authorization against ACS then you don't need to assign level 2, you will assign level 15 and then all commands are authorized against the ACS to determine if that user is allowed to run that command or not. If you pass level 2 then only commands that are at level 2 or below will be shown to the user.
That makes perfect sense. And as I thought, I'm kicking myself for not realising it earlier.
Thanks alot for your reply.