Cisco 3850 not accepting Tacacs settings

William Coats
Level 1

I have a new 3850 that I am trying to get to work with Tacacs. I am able to authenticate to the ACS, but the switch doesn't pick up that the person logging in should have level 15 privilege. The group the user belongs to has level 15 privilege and gets it automatically when they log into other switches. On other switches when the user logs in they are at the hostname# prompt. On the 3850 they get a hostname> prompt. Then when you issue the enable command, it doesn't want the user's password; it wants the enable password that was set with the enable secret command.

Here is the config:

aaa new-model
!
aaa authentication login vty group tacacs+ local
aaa authorization exec vty group tacacs+ if-authenticated
aaa accounting exec vty start-stop group tacacs+
aaa accounting commands 0 vty start-stop group tacacs+
aaa accounting commands 1 vty start-stop group tacacs+
aaa accounting commands 15 vty start-stop group tacacs+
!
aaa session-id common
!
ip tacacs source-interface GigabitEthernet2/1/1
!
tacacs server ACS
 address ipv4 10.0.0.20
 key 7 XXXXXXXXXXXXXX
 single-connection
!
line vty 0 4
 exec-timeout 15 0
 authorization exec vty
 accounting commands 0 vty
 accounting commands 1 vty
 accounting commands 15 vty
 accounting exec vty
 logging synchronous
 login authentication vty
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 authorization exec vty
 accounting commands 0 vty
 accounting commands 1 vty
 accounting commands 15 vty
 accounting exec vty
 logging synchronous
 login authentication vty
 transport input ssh


12 Replies

cadet alain
VIP Alumni

Hi,

Can you try this:

aaa authentication enable group tacacs+ enable

Regards

Alain

Don't forget to rate helpful posts.

The suggestion from Alain will certainly address the part about being prompted for the enable password rather than the user password. But if I understand the original post correctly the real concern is that users on other switches go directly to privilege mode when they login (do not need to use enable command). And this suggestion does not address that aspect.

I would have thought that the "aaa authorization exec vty group tacacs+ if-authenticated" would have taken care of going directly to enable mode. Perhaps the original poster can tell us whether the other switches (that work as expected) have any different aaa authorization commands configured?

HTH

Rick

The other switches have the same aaa statements. In fact I printed out the config from another switch and used that as the template for setting up this switch. It happens to be the first time we have used this model. The only change I made was in how I told the switch to contact the Tacacs server. I used the new tacacs server commands instead of the old tacacs-server command. The new command puts in the same information, it just does it in a different format.

tacacs server ACS
 address ipv4 10.0.0.20
 key 7 143A1D1E1F5738
 single-connection

The ACS is whatever name you decide to use. I think it is only locally significant.

On the acs I did put in both of the ip addresses that the switch could be using to get to the server. The switch has connections to 2 different core switches.

Thanks for the additional information. Would you post the output of the command show tacacs

HTH

Rick

Here is the output:

Tacacs+ Server -  public  :
               Server name: ACS
            Server address: 10.0.0.20
               Server port: 49
              Socket opens:         31
             Socket closes:         31
             Socket aborts:           0
             Socket errors:            0
           Socket Timeouts:         0
   Failed Connect Attempts:      0
        Total Packets Sent:         44
        Total Packets Recv:         37
          Expected Replies:          0

Let me know if you need anything else.
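The counters above are easier to reason about once they are parsed rather than eyeballed. The following is an added example, not code from the thread or from Cisco: it parses the 'show tacacs' output posted above (embedded here as a constructed sample) and derives a few defender-side health signals. The thresholds in assess() are assumptions for illustration, not documented IOS behaviour.

```python
import re
from typing import Dict, List, Union

# Constructed sample: the 'show tacacs' counters posted in the thread.
SHOW_TACACS = """\
Tacacs+ Server -  public  :
               Server name: ACS
            Server address: 10.0.0.20
               Server port: 49
              Socket opens:         31
             Socket closes:         31
             Socket aborts:           0
             Socket errors:            0
           Socket Timeouts:         0
   Failed Connect Attempts:      0
        Total Packets Sent:         44
        Total Packets Recv:         37
          Expected Replies:          0
"""

Counters = Dict[str, Union[int, str]]


def parse_show_tacacs(text: str) -> List[Counters]:
    """Turn each 'Tacacs+ Server' block into a dict; purely numeric fields become ints."""
    servers: List[Counters] = []
    current: Counters = {}
    for line in text.splitlines():
        if line.startswith("Tacacs+ Server"):
            current = {}
            servers.append(current)
            continue
        m = re.match(r"\s*([A-Za-z +]+?):\s*(\S+)\s*$", line)
        if m and servers:
            key, val = m.group(1).strip(), m.group(2)
            current[key] = int(val) if val.isdigit() else val
    return servers


def assess(server: Counters) -> List[str]:
    """Derive health signals from one server's counters (heuristics, see comments)."""
    findings: List[str] = []
    sent = int(server.get("Total Packets Sent", 0))
    recv = int(server.get("Total Packets Recv", 0))
    pending = int(server.get("Expected Replies", 0))
    # Requests that were sent, got no reply, and are not still awaited.
    unanswered = sent - recv - pending
    if unanswered > 0:
        findings.append(f"{unanswered} request(s) sent with no reply and none pending")
    errors = sum(int(server.get(k, 0)) for k in
                 ("Socket aborts", "Socket errors", "Socket Timeouts", "Failed Connect Attempts"))
    if errors:
        findings.append(f"{errors} transport error(s): check reachability and the shared key")
    opens = int(server.get("Socket opens", 0))
    # Assumption: a reused TCP session should carry several packets per socket; a ratio
    # near one means every exchange opened its own connection.
    if opens and sent / opens < 2:
        findings.append(f"{sent} packets over {opens} sockets: little or no connection reuse")
    return findings


if __name__ == "__main__":
    for srv in parse_show_tacacs(SHOW_TACACS):
        print(srv.get("Server name"), srv.get("Server address"))
        for f in assess(srv):
            print("  -", f)
```

On the posted counters this reports seven unanswered requests and 31 sockets for 44 packets, which is the kind of detail worth pasting into a TAC case alongside the debug output.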

Would you add this line to your configuration and see if it makes any difference?

aaa authorization exec default group tacacs+ if-authenticated

HTH

Rick

That didn't change anything.

Next idea.

Thanks for trying. Next idea is that perhaps running debug aaa authorization (and maybe debug tacacs) might shed some light on this.

HTH

Rick

I converted this into a ticket after I gathered the debug information. I couldn't find anything in the data that would explain the problem. After talking to Cisco support we made 1 change to my configuration. We removed the single connection statement from the tacacs server ACS section. The man from Cisco said that he had seen the single connection statement causing problems. With that statement removed I can log in and be straight at the exec prompt, just where I wanted to be.

Thanks for all of your suggestions.
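The thread ends up with two configuration points worth checking on any switch built from a template: whether an 'aaa authentication enable' list exists (Alain's suggestion) and whether 'single-connection' is set under the tacacs server (the change that fixed the 3850). The following is an added example, not code from the thread or from Cisco: a small audit that parses IOS-style configuration text, resolves which method lists the vty lines reference, and reports those findings. SAMPLE_CONFIG is a constructed copy of the AAA-relevant lines from the original post; FIXED_CONFIG is the same text with the thread's fix applied plus an assumed enable method list.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: the AAA-relevant lines of the 3850 configuration from the original
# post, including the single-connection keyword that turned out to be the culprit.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login vty group tacacs+ local
aaa authorization exec vty group tacacs+ if-authenticated
aaa accounting exec vty start-stop group tacacs+
aaa session-id common
ip tacacs source-interface GigabitEthernet2/1/1
tacacs server ACS
 address ipv4 10.0.0.20
 key 7 XXXXXXXXXXXXXX
 single-connection
line vty 0 4
 exec-timeout 15 0
 authorization exec vty
 login authentication vty
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 authorization exec vty
 login authentication vty
 transport input ssh
"""

# Same configuration after the thread's fix (single-connection removed), plus the enable
# method list Alain suggested so that 'enable' is checked against TACACS+ before the local secret.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" single-connection\n", "").replace(
    "aaa new-model\n",
    "aaa new-model\naaa authentication enable default group tacacs+ enable\n")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style text into top-level lines and the children of indented sections."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("tacacs server ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            top.append(line)
    return top, sections


def _defined(top: List[str], prefix: str) -> Set[str]:
    """Names of method lists defined by lines such as 'aaa authorization exec <name> ...'."""
    return {l[len(prefix):].split()[0] for l in top if l.startswith(prefix)}


def _referenced(children: List[str], prefix: str) -> str:
    """Method list a line section references; IOS uses 'default' when none is named."""
    for c in children:
        if c.startswith(prefix):
            rest = c[len(prefix):].split()
            return rest[0] if rest else "default"
    return "default"


def audit_aaa(text: str) -> List[str]:
    """Report the two problems discussed in the thread plus dangling method-list references."""
    top, sections = parse_config(text)
    findings: List[str] = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    if not _defined(top, "aaa authentication enable "):
        findings.append("no 'aaa authentication enable' list: 'enable' prompts for the local enable secret")
    login_lists = _defined(top, "aaa authentication login ")
    exec_lists = _defined(top, "aaa authorization exec ")
    for name, children in sections.items():
        if name.startswith("tacacs server "):
            if "single-connection" in children:
                findings.append(f"{name}: single-connection set (removing it resolved the thread's issue)")
            if not any(c.startswith("address ipv4 ") for c in children):
                findings.append(f"{name}: no address configured")
        elif name.startswith("line vty"):
            login = _referenced(children, "login authentication")
            if login != "default" and login not in login_lists:
                findings.append(f"{name}: login list '{login}' is not defined")
            ex = _referenced(children, "authorization exec")
            if ex not in exec_lists:
                findings.append(f"{name}: exec authorization list '{ex}' is not defined; users land at user EXEC (>)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_aaa(cfg) or ["no findings"])
```

Run it against a saved 'show running-config' to get the same two findings the thread arrived at by hand; the fixed configuration produces none.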

WOW

That is a surprise. Thank you for posting back to the forum to tell us that it is solved and what the problem is. Now that we know what it was I think that I have had an experience where the single connection statement caused an issue. But I sure did not think of that while we were working on your issue.

Congratulations on getting it solved. Perhaps now you can mark this question as answered so that other readers will know that they will find an answer here.

HTH

Rick

Please share the tacacs command for the Cisco 3850 model.

The original post uses these commands for tacacs and indicates that it works

tacacs server ACS
 address ipv4 10.0.0.20
 key 7 XXXXXXXXXXXXXX

I have this version of the command for a 3850 and it works also

tacacs-server host 192.168.127.6 key <removed>

I would think that either version of the commands should work, and the first version might be slightly preferred since it is the new format.

HTH

Rick