Cisco iOS Doesn't Listen to RADIUS Privilege Level in Console

mapguy11 (Level 1)

Hi All,

So I have RADIUS with Microsoft NPS successfully working on my IE2000 and IE3000 switches with the WebUI and SSH. But when logging into the console, the permissions for my own user, which give it privilege level 1, are not followed, and the user is allowed to go into configuration terminal mode. On SSH and the WebUI this doesn't happen; the attempt is met with an "Authorization Error", as expected. Here is my configuration, as I am quite puzzled why the console wouldn't listen to the privilege level set by the NPS rules.

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local

ip http server
ip http authentication aaa
ip http secure-server
ip forward-protocol nd

line con 0
stopbits 1

---Version---

Cisco IOS XE Software, Version 17.06.03
Cisco IOS Software [Bengaluru], IE3x00 Switch Software (IE3x00-UNIVERSALK9-M), Version 17.6.3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 30-Mar-22 22:21 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON
BOOTLDR: Version 7.1.14 [RELEASE SOFTWARE] crashkernel=64M
switch2-ie3000 uptime is 15 hours, 44 minutes
Uptime for this control processor is 15 hours, 45 minutes
System returned to ROM by Reload Command at 20:14:06 UTC Thu Jun 6 2024
System image file is "flash:ie3x00-universalk9.17.06.03.SPA.bin"
Last reload reason: Reload Command

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Technology Package License Information:

------------------------------------------------------------------------------
Technology-package                                      Technology-package
Current                 Type                            Next reboot
------------------------------------------------------------------------------
network-essentials      Smart License                   network-essentials
None                    Subscription Smart License      None


Smart Licensing Status: Registration Not Applicable/Not Applicable

cisco IE-3300-8T2S (ARM) processor (revision V06) with 883739K/6147K bytes of memory.
Processor board ID FCW2743Y639
2 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3952284K bytes of physical memory.
523264K bytes of crashinfo at crashinfo:.
1684480K bytes of Flash at flash:.
3883008K bytes of sdflash at sdflash:.
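Before chasing the switch side, it is worth confirming what NPS actually hands back for the restricted user. The following is an added example, not code from this thread or from Cisco: it builds a RADIUS Access-Accept carrying the Cisco vendor-specific attribute that IOS maps to the exec privilege level, and decodes one back, which is the same parsing you would apply to a packet captured between the switch and NPS. The attribute layout (attribute 26, vendor ID 9, sub-type 1 "cisco-avpair", value shell:priv-lvl=N) is the standard Cisco encoding; the packet identifier, the all-zero or random authenticator, and the Service-Type value are constructed for the example.

```python
"""Encode and decode the RADIUS Access-Accept attributes a Cisco switch maps to an exec
privilege level. Added example (not from the thread); all packet contents are constructed."""
import os
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT_USER = 7   # Service-Type commonly configured on NPS for CLI logins
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                    # vendor sub-type for "Cisco-AV-Pair"


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; the length counts the 2-byte header (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a single cisco-avpair sub-attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode("ascii")
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(identifier: int, priv_lvl: int,
                        authenticator: Optional[bytes] = None) -> bytes:
    """Access-Accept as NPS would send for a user whose policy sets shell:priv-lvl.
    A real server derives the Response Authenticator from the request; here it is a
    constructed value (random or caller-supplied) because only the attributes matter."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    if len(auth) != 16:
        raise ValueError("authenticator must be 16 bytes")
    attrs = (_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT_USER))
             + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def parse_attributes(packet: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Walk the top-level attributes, rejecting lengths that would run past the packet."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def cisco_avpairs(packet: bytes) -> List[str]:
    """All Cisco-AV-Pair strings in the packet (other vendors' VSAs are skipped)."""
    _code, attrs = parse_attributes(packet)
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def granted_priv_lvl(packet: bytes) -> Optional[int]:
    """Privilege level the switch applies under exec authorization, or None when the
    server sent no shell:priv-lvl at all (the switch then uses its own default)."""
    for pair in cisco_avpairs(packet):
        key, _sep, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl":
            try:
                return int(val.strip())
            except ValueError:
                return None
    return None


if __name__ == "__main__":
    pkt = build_access_accept(identifier=7, priv_lvl=1)
    print(pkt.hex())
    print("avpairs:", cisco_avpairs(pkt), "priv-lvl:", granted_priv_lvl(pkt))
```

If a capture of the NPS reply decodes to shell:priv-lvl=1 here, the server side is doing its job and the question is purely whether the line you logged in on ran exec authorization at all.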

20 Replies

Richard Burts (Hall of Fame)

First let me say that I do not have experience with these models of Cisco switches. But I believe that I know what the issue is. The key element in my understanding is that the error is "Authorization Error". So authorization is enforcing access limitations. The issue is that for many Cisco devices (and I believe for your switches) the console, by default, does not do authorization. If you look at the options for configuration of the console I believe that you will find that there is an option to use authorization on the console. 

HTH

Rick

I know I am asking for a lot but is this what you were talking about? I have tried "authorization exec default" and several other combinations to no avail. Very weird issue as I know the RADIUS server is configured correctly as it works for SSH and other services.

[attached screenshot: mapguy11_0-1717702233843.png]

balaji.bandi (Hall of Fame)

I hope you are trying to connect to the console using RADIUS and failing over to local, right?

Try the below and see how that goes. If there is still an issue, enable debug and also post show version (to see if there are any bugs around that code).

aaa authorization console
! the console below references login list TERM, so that list must exist too
aaa authentication login TERM group radius local
aaa authorization exec TERM group radius local

line console 0
login authentication TERM
authorization exec TERM

BB

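The two configurations side by side, as an added example that is not taken from any post in this thread. The first is the OP's starting point: an exec authorization list exists, but nothing tells the console to use it, and IOS applies no authorization to the console unless told to. The second adds aaa authorization console, binds named lists to both the console and the vty lines with a local fallback so an unreachable RADIUS server cannot lock you out, and sets an enable secret so a privilege-1 session cannot simply type enable. The list name AD-ADMIN, the server name NPS1, its address and the placeholder secrets are assumptions. On the NPS side, the matching network policy must return the Cisco vendor-specific attribute (vendor ID 9) Cisco-AV-Pair with the value shell:priv-lvl=1 for the restricted group; that part is already working for SSH in the OP's case.

```cisco
! --- Before: what the OP posted. Exec authorization exists on the default list,
! --- but the console line is not told to run it, so RADIUS priv-lvl is never applied there.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
line con 0
 stopbits 1

! --- After (added example; AD-ADMIN, NPS1, 192.0.2.10 and the secrets are assumptions).
! --- The console now runs exec authorization, so shell:priv-lvl from NPS is applied
! --- there exactly as it already is on the vty lines.
aaa new-model
aaa authentication login AD-ADMIN group radius local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec AD-ADMIN group radius local
!
enable secret <strong-local-secret>
!
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
line con 0
 login authentication AD-ADMIN
 authorization exec AD-ADMIN
 stopbits 1
line vty 0 15
 login authentication AD-ADMIN
 authorization exec AD-ADMIN
 transport input ssh
```

Apply this from an SSH session and keep that session open while you test the console from a second connection, before you write memory: if the console's exec list has no local fallback and the RADIUS server is unreachable, console exec authorization fails and the last-resort access path is gone. To see what the switch actually decided, run debug aaa authorization in the SSH session, log in on the console, and then run show privilege on the console; for the restricted user it should report "Current privilege level is 1". To see the attributes NPS returns without a login, use test aaa group radius <user> <password> new-code.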

Hi, sorry to mislead you. No, logging in through RADIUS works perfectly! The issue is when I set a user to a lower permission level, say privilege 1. It is not followed when I log in via the console; instead it lets that account be as high in privilege as it wants to be. I will try your solution tomorrow when I am in the office and let you know. Thank you for all your help!

Yeah, I have tried what you suggested. I actually removed and re-added RADIUS to see, to no avail. The version of the OS is:

Cisco IOS XE Software, Version 17.06.03
Cisco IOS Software [Bengaluru], IE3x00 Switch Software (IE3x00-UNIVERSALK9-M), Version 17.6.3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 30-Mar-22 22:21 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON
BOOTLDR: Version 7.1.14 [RELEASE SOFTWARE] crashkernel=64M
switch2-ie3000 uptime is 15 minutes
Uptime for this control processor is 16 minutes
System returned to ROM by Reload Command at 13:11:49 UTC Tue Jul 2 2024
System image file is "flash:ie3x00-universalk9.17.06.03.SPA.bin"
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Technology Package License Information:

------------------------------------------------------------------------------
Technology-package                                      Technology-package
Current                 Type                            Next reboot
------------------------------------------------------------------------------
network-essentials      Smart License                   network-essentials
None                    Subscription Smart License      None


Smart Licensing Status: Registration Not Applicable/Not Applicable

cisco IE-3300-8T2S (ARM) processor (revision V06) with 883739K/6147K bytes of memory.
Processor board ID FCW2743Y639
2 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3952288K bytes of physical memory.
523264K bytes of crashinfo at crashinfo:.
1684480K bytes of Flash at flash:.
3883008K bytes of sdflash at sdflash:.

Base Ethernet MAC Address : e8:0a:b9:d4:ff:60
Motherboard Assembly Number : 73-101289-11
Motherboard Serial Number : FOC27422QSU
Model Revision Number : V06
Motherboard Revision Number : B
Model Number : IE-3300-8T2S
System Serial Number : FCW2743Y639
Top Assembly Part Number : 68-101630-06
Top Assembly Revision Number : C0
System FPGA version : 0.89.2
CIP Serial Number : 0xF2D4FF60
SKU Brand Name : Cisco


Configuration register is 0x102

Sorry to hear that it is still not working. We do not have any details of what you configured, and that makes it difficult to know what the issue is. As a starting point, can you post the output of these commands:

show run | section aaa

show run | begin line con

HTH

Rick

My apologies for not giving enough information. I really do appreciate Richard and MHM for all of your help! The configs may be slightly different, as I was trying all of your ideas.

IE 2000: 

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common
ip http authentication aaa
switch1-ie2000#
switch1-ie2000#show run | begin line con
line con 0
line vty 0 4
transport input ssh
line vty 5 15
!
ntp server 192.168.14.153 prefer
ntp server 216.239.35.12
ntp server ip time-pnp.cisco.com
!
!
!
!
!
!
!
end

IE3000:

line con 0
authorization exec AD
login authentication AD
stopbits 1
line aux 0
line vty 0 4
length 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp server time.google.com
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end

Fri Jul 05 2024 11:40:13 GMT-0400 (Eastern Daylight Time)
===================================================================================
#show run | section aaa
aaa new-model
aaa authentication login AD group radius local
aaa authorization console
aaa authorization exec AD group radius
aaa session-id common

Thanks for the additional information. This shows that IE3000 does have the configuration for authorization on the console but the IE2000 does not. Does it work on IE3000?

HTH

Rick

On the IE3000 the authentication via RADIUS works perfectly. Still, when I log in with a user that is only supposed to have show-command privileges or low-level privileges, it just lets the user go into enable and config t mode.

I am still a bit puzzled about this situation. Are you saying that a particular user ID can access the console of other devices and is limited in what they can do, but that same user ID can access the console of the IE3000 and get into config t mode?

HTH

Rick

aaa authorization console <<- I see you added it, that's OK.

For the IE3000, did you try access via the console now? It must use the privilege level you configured in the RADIUS server.

Did you try?

MHM

Friend, I have not tried this before, and I always recommend using privilege 15 under the console, but for your info:

I checked your case; the solution is using

aaa authorization console <- this is a hidden command, i.e. when you type ? you don't see it, because, as I mentioned, the console must be the last point of access to the device.

Note: please don't write the config until you are so, so sure you can access and apply commands via both vty and console.

Please, please be careful.

Thanks 

MHM

First, don't play with the console. Try via telnet; the console is the last chance to access the device.

After you use vty telnet, share the debug authorization output.

MHM

That's the issue: Telnet and SSH both work correctly.
