It has been my experience that when you configure authorization in aaa it is applied to the vty but not to the console, unless there is special configuration to also authorize on the console. Since the command to authorize on the console is not in the config that you posted, I would believe that it is not authorizing on the console.
If you run debug aaa authorization and then log in on the console does the debug produce output? If so would you post that output?
If you are still working on this issue then please run the debug aaa authorization. Then login on the console and post any debug output. This will show whether it is really authorizing on the console login.
 in re-reading the original post I would comment in these things:
aaa authorization config-commands
This command is incomplete. I am not clear whether it is really incomplete in the config or whether there was a problem with getting commands into the config.
aaa authorization exec ACS_Group1 group tacacs+ local
I would suggest getting the parameter if-authenticated into this command (either replace local with if-authenticated or add the parameter after local.
I agree with Rick. By default there is no authorization applied on the console, even if we use the 'default' method list. unless you have a command in configuration,
"aaa authorization console", in some IOS this is hidden, and in some this is visible.
First suggestion add command "no aaa authorization console".
The command "aaa authorization config-commands" is a complete command. It is used to authorize commands against the Tacacs server, when any command is executed in the configuration mode of the device i.e.,
If you have command authorization configured on a device for example you have,
aaa authorization commands 15 default ......
And you have profile that should not be allowed to execute the command "show run" but can execute command "configuration terminal".
Then you will not be able execute "sh run" at the privilege exec mode i.e.,
%command authorization failed
But if this user moves to config t, and we do not have the command "aaa authorization confg-commands" then the user will be able to run sh run i.e.
device(config)#do sh run
I hope this clear the meaning of aaa authorization config-commands.
And I hope that you are not confusing/mixing Authentication and Authorization together.
As you are using the 'default' list, the Authentication will be applied to Console (not Authorization).
If you want a complete backdoor on Console or You want that login on Console should not be verified from ACS, let us know, we'll help you out on that. I dont want to suggest the commands for the same, as there could be two solution on that. And I can provide you those, if you require them.
Else, according to your configuration. If Tacacs server is not available, then from any line i.e. vty, aux or console, you should be able to authenticate using local username/password configured on the device. And should be able to go to privilege exec mode using the local enable password.
And, there should be NO authorization on Console.
 Agree with Rick debug aaa authorization, a great help in understanding whether authorization is even taking place on console or not. If you dont mind, please do add "debug aaa authentication" as well.
and then apply this to the console/aux ports. It can't hurt you anyway, its better to be on the safe side. However as others has suggested, try to run the debug and see which method list is picked up when you login via the console.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...