I use ACS ver 4.2, and set up the following configuration on the routers.
aaa authentication login default group tacacs+ local
aaa authentication login no_auth local enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Everything works perfectly, but I am trying to deny the 'show run' command using ACS command authorization sets (see attachment). All other commands are working, but no matter what I do the show run is unsuccessful. In the group, Max privilege for any AAA client is set to 'Level 1', and Shell (exec) is set to 'Privilege level 1'. Any ideas?