Hi Gavin,
you are getting authorization failed messgae which means your authentication is passing. It depend which protocol you are using radius/tacacs.
please try this sample config and see if authorization works or not. If still same issue, check what is the authorization failure logs your ACS is showing:-
Here is a sample configuration:-
router(config)# enable password XXXXXXX
router(config)# username admin privilege 15 password xxxxx
router(config)# aaa new-model (Enables AAA configuration commands on the router)
router(config)# Tacacs-server host XXXXXXX ( IP address of the ACS server)
router(config)# Tacacs-server key XXXXXX ( This is the same shared secret key which we defined on the ACS for this IOS device)
router(config)# aaa authentication login default group Tacacs+ local
Authenticate telnet users on TACACS+ if TACACS+ is down authenticate users with locally configured telnet username password on router.
router(config)# aaa authentication enable default group Tacacs+ enable
Authenticate the enable password on the TACACS+ if TACACS+ is down authenticate enable password with locally configured enable password on router.
Router(config)# aaa accounting exec default start-stop group TACACS+ (Account all the user which are telneting based on start and stop session on TACACS+)
Router(config)# line vty 04 (Change to line vty line)
Router(config-line)# Login authentication default (Enables tacacs authentication for the vty lines)
Thanks & Regards