Hi Gavin,

you are getting authorization failed messgae which means your authentication is passing. It depend which protocol you are using radius/tacacs.

please try this sample config and see if authorization works or not. If still same issue, check what is the authorization failure logs your ACS is showing:-

Here is a sample configuration:-

router(config)# enable password XXXXXXX

router(config)# username admin privilege 15 password xxxxx

router(config)# aaa new-model (Enables AAA configuration commands on the router)

router(config)# Tacacs-server host XXXXXXX ( IP address of the ACS server)

router(config)# Tacacs-server key XXXXXX ( This is the same shared secret key which we defined on the ACS for this IOS device)

router(config)# aaa authentication login default group Tacacs+ local

Authenticate telnet users on TACACS+ if TACACS+ is down authenticate users with locally configured telnet username password on router.

router(config)# aaa authentication enable default group Tacacs+ enable

Authenticate the enable password on the TACACS+ if TACACS+ is down authenticate enable password with locally configured enable password on router.

Router(config)# aaa accounting exec default start-stop group TACACS+ (Account all the user which are telneting based on start and stop session on TACACS+)

Router(config)# line vty 04 (Change to line vty line)

Router(config-line)# Login authentication default (Enables tacacs authentication for the vty lines)