
ISE - ASR 1002 Tacas+

nstr1 (Level 1)

I am configuring an ASR 1002 with TACACS+, integrating it with ISE 2.2.

I configured two users in ISE for TACACS+ testing: one with privilege 15 (test) and another with privilege 1,7 (test1).

Note: on other devices these two users work for me without any problem.

With the user (test) the ASR authenticates me without any problem and I see the logs in ISE.

The problem is with the user (test1): it asks me for the enable password, I enter it, and it does not authenticate me. I am not an expert on ASR and I followed some guides for the configuration, but the error is still the same.

Am I missing some command that I need to apply?

8 Replies

kvenkata1 (Cisco Employee)

Hi Nestor,

Have you consulted the configuration guide?

How To: ISE TACACS+ Configuration for IOS Network Devices


If you are still facing an issue, please post your ASR configuration along with the error. Otherwise you could open a TAC case and get a resolution.


- Krish

Yes, I followed the guide, but I still get the same error: I can only authenticate with the privilege 15 user, but not with the privilege 1,7 user; it still does not accept the enable password.


aaa new-model
!
aaa group server tacacs+ DemoISE
 server 11.22.33.44
!
aaa authentication login default group DemoISE local
aaa authorization config-commands
aaa authorization exec default group DemoISE local
aaa authorization exec EXEC group DemoISE local
!
tacacs-server host 11.22.33.44
tacacs-server directed-request
tacacs-server key 7 20D88951F
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 authorization exec EXEC
 logging synchronous
 transport input all
line vty 5 15
 logging synchronous

What mistake am I making?
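As an added example, not from the thread and not Cisco tooling: a small Python audit run over the configuration excerpt posted above. It encodes the IOS/IOS XE rule that the `enable` command is authenticated through the `aaa authentication enable default` method list, and that when no such list exists the router checks only the local enable secret, so the password held in ISE is never consulted. A user whose exec authorization leaves them at privilege 1 therefore cannot escalate with the ISE password, while the privilege 15 user never needs `enable` at all. The finding codes, messages and suggested lines are mine; the server address is reproduced as posted. Once the enable list does point at the server group, ISE also has to hold an enable password for the user (internal users carry a separate one for device administration) and the shell profile's maximum privilege has to allow the requested level.

```python
"""Audit an IOS / IOS XE AAA excerpt for the `enable` problem discussed in this thread.

Added example, not Cisco's or the poster's own tooling. The sample input is the
configuration excerpt posted above, reproduced as constructed test data.
"""
import re
from dataclasses import dataclass

# The poster's excerpt (server address as posted), used as sample input.
OP_CONFIG = """\
aaa new-model
aaa group server tacacs+ DemoISE
 server 11.22.33.44
aaa authentication login default group DemoISE local
aaa authorization config-commands
aaa authorization exec default group DemoISE local
aaa authorization exec EXEC group DemoISE local
tacacs-server host 11.22.33.44
tacacs-server directed-request
tacacs-server key 7 20D88951F
line vty 0 4
 authorization exec EXEC
 transport input all
line vty 5 15
"""


@dataclass(frozen=True)
class Finding:
    code: str      # short check identifier (names chosen for this example)
    message: str   # what is wrong and why it matters
    fix: str       # IOS line(s) or action that address it


def tacacs_group(config):
    """Name of the first `aaa group server tacacs+` block, or None."""
    m = re.search(r"^aaa group server tacacs\+ (\S+)", config, re.M)
    return m.group(1) if m else None


def has(config, pattern):
    return re.search(pattern, config, re.M) is not None


def audit_aaa(config, priv_levels=(1, 7, 15)):
    """Return Findings for a config excerpt; priv_levels are the levels users may hold."""
    findings = []
    group = tacacs_group(config) or "<tacacs-group>"

    if "aaa new-model" not in (line.strip() for line in config.splitlines()):
        findings.append(Finding("no-new-model",
            "'aaa new-model' absent: the method lists are never used", "aaa new-model"))

    # `enable` uses the enable method list; without one only the local secret is checked.
    if not has(config, r"^aaa authentication enable default .*\bgroup\b"):
        findings.append(Finding("enable-not-aaa",
            "no 'aaa authentication enable default' list with a server group: "
            "'enable' is checked against the local enable secret and never sent to TACACS+",
            f"aaa authentication enable default group {group} enable"))

    if not has(config, r"^enable secret "):
        findings.append(Finding("no-enable-secret",
            "no local 'enable secret' in this excerpt: the local fallback for 'enable' cannot succeed",
            "enable secret <strong-secret>"))

    for lvl in priv_levels:
        if not has(config, rf"^aaa authorization commands {lvl} \S+ .*\bgroup\b"):
            findings.append(Finding(f"no-cmd-authz-{lvl}",
                f"no command authorization list for privilege {lvl}: commands at that level "
                "are not authorized by the server",
                f"aaa authorization commands {lvl} default group {group} local if-authenticated"))

    if has(config, r"^\s*transport input all"):
        findings.append(Finding("transport-all",
            "'transport input all' on vty lines accepts telnet, exposing login and enable passwords in cleartext",
            " transport input ssh"))

    if has(config, r"^tacacs-server key 7 "):
        findings.append(Finding("type7-key",
            "TACACS+ shared key stored as type 7 (reversible): anyone who can read the config has the key",
            "rotate the key if the config was shared and restrict who can read the running config"))

    return findings


def codes(config):
    """Just the identifiers of the checks that fired, in order."""
    return [f.code for f in audit_aaa(config)]


if __name__ == "__main__":
    for f in audit_aaa(OP_CONFIG):
        print(f"[{f.code}] {f.message}\n    fix: {f.fix}")
```

Run against the excerpt, the audit reports the missing enable method list first; appending `aaa authentication enable default group DemoISE enable` (plus a local `enable secret` as the last-resort fallback) clears that finding, and the privilege 7 user then needs the `commands 7` authorization list as well.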


hslai (Cisco Employee)

Please use the T+ live logs and check what the failure reasons are when "enable" is issued for test1. If there is no failure in the live logs, then it could be that this particular NAD does not like some attributes returned from ISE. In that case, you need to consult the ASR support teams.

It seems strange with a privilege of 1.7, as the privilege levels are integers.

I will share my config from our ASR 1000 series; this is what you must add for privilege 7.

aaa group server tacacs+ ISE
 server-private x.x.x.x key xxxxx
 server-private x.x.x.x key xxxxx
 ip vrf forwarding bg_mgmt_lan
 ip tacacs source-interface Loopback1
!
aaa authentication login default group ISE local
aaa authentication login console none
aaa authentication login CON group ISE local
aaa authentication login VTY group ISE local
aaa authentication enable default group ISE line enable none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE local
aaa authorization exec CON none
aaa authorization exec VTY group ISE local if-authenticated
aaa authorization commands 1 VTY group ISE local if-authenticated
aaa authorization commands 15 VTY group ISE local if-authenticated
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
tacacs-server host x.x.x.x key 7 xxxxxxxx
tacacs-server host x.x.x.x key 7 xxxxxxxx
tacacs-server directed-request

Just add:

aaa authorization commands 7 VTY group ISE local if-authenticated
aaa accounting commands 7 default start-stop group ISE

and add on the vty lines:

line vty 0 4
 authorization commands 7 VTY

line con 0
 exec-timeout 0 0
 authorization exec CON
 logging synchronous
 login authentication CON
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in vrf-also
 exec-timeout 60 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
line vty 5 15
 access-class 1 in vrf-also
 exec-timeout 60 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY

And this is our version:

Cisco IOS XE Software, Version 03.13.00.S - Extended Support Release

Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.4(3)S, RELEASE SOFTWARE (fc11)

Please try these configuration changes and give it a shot. Otherwise, try the TAC route.

- Krish

Hi,

I followed the configuration from Ognyan Sabev, but unfortunately I did not succeed. I have IOS XE 16.06.03.

Hi again, can you make a screenshot of the TACACS policy sets, and one of the privilege where you allow commands?

hslai (Cisco Employee)

I am guessing test1 actually has a default privilege of 1 and a maximum privilege of 7. In that case, the enable command should be "enable 7". I am not sure whether that is what you did.

If "enable 7" is still failing for you, please do check the T+ live logs and see what the failure reason is.
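To make the "enable 7" point concrete, here is an added example (mine, not from the thread, Cisco or ISE) of the TACACS+ exchange the device starts when a user types `enable 7`, written from RFC 8907. A plain `enable` requests privilege 15; `enable 7` puts priv_lvl 7 in the authentication START with service set to ENABLE, and ISE checks that level against the shell profile's maximum privilege before it answers GETPASS and, after the CONTINUE carrying the password, PASS or FAIL. That START only leaves the router when the enable method list points at the server group, which is why the live logs stay empty when the list is missing. The port `tty2`, the addresses and the key are constructed sample values, and the code builds both sides of the first round trip so the obfuscation can be checked offline.

```python
"""Minimal TACACS+ (RFC 8907) authentication START/REPLY for an IOS `enable 7`.

Added example for this thread; not Cisco, ISE or RFC reference code. Port names,
addresses and the shared key below are constructed sample values.
"""
import hashlib
import os
import struct

MAJOR_VERSION = 0xC          # TAC_PLUS_MAJOR_VER; minor 0 is used for ASCII authentication
TYPE_AUTHEN = 0x01           # packet type: authentication
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
SERVICE_LOGIN = 0x01         # interactive login
SERVICE_ENABLE = 0x02        # the `enable` command; priv_lvl carries the requested level
# REPLY status values (RFC 8907 section 5.2)
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id|key|version|seq_no[|previous digest]."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user, port, rem_addr, priv_lvl, service, key, session_id=None):
    """Authentication START (seq_no 1) as the NAD sends it for an ASCII login or enable."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    version = (MAJOR_VERSION << 4) | 0
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, service,
                       len(u), len(p), len(r), 0) + u + p + r
    hdr = HEADER.pack(version, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, 1)


def authen_reply(start_pkt, status, server_msg, key):
    """Server REPLY (seq_no 2) to a START; status 5 (GETPASS) makes the NAD prompt for the password."""
    version, _, _, _, session_id, _ = HEADER.unpack(start_pkt[:HEADER.size])
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    hdr = HEADER.pack(version, TYPE_AUTHEN, 2, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, 2)


def _body(pkt, key):
    """Validate the header and return (seq_no, deobfuscated body)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    if ptype != TYPE_AUTHEN or len(pkt) != HEADER.size + length:
        raise ValueError("not a well-formed authentication packet")
    return seq_no, obfuscate(pkt[HEADER.size:], session_id, key, version, seq_no)


def decode_start(pkt, key):
    """Fields of a START; with the wrong key the embedded lengths no longer add up."""
    seq_no, body = _body(pkt, key)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length mismatch: wrong shared key or corrupt packet")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr = body[off:off + rl]
    return {"seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode()}


def decode_reply(pkt, key):
    """Status and server message of a REPLY."""
    seq_no, body = _body(pkt, key)
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):
        raise ValueError("length mismatch: wrong shared key or corrupt packet")
    return {"seq_no": seq_no, "status": STATUS.get(status, status),
            "server_msg": body[6:6 + msg_len].decode()}


if __name__ == "__main__":
    KEY = b"sample-shared-key"  # constructed; never put a production key in a test script
    start = authen_start("test1", "tty2", "192.0.2.10", 7, SERVICE_ENABLE, KEY)
    print(decode_start(start, KEY))
    print(decode_reply(authen_reply(start, 5, "Password: ", KEY), KEY))
```

Sending the START over TCP 49 to a test ISE node and decoding the REPLY with the same key is a quick way to tell a shared-key mismatch (lengths do not add up) from a policy decision (FAIL with a server message), independent of whatever the router's AAA method lists are doing.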