You'll need to ensure that the tacacs server is actually passing back the privilege level for Shell Exec. Make sure that your privilege configuration is for the TACACS+ Settings > Shell (exec) settings, not the max enable privilege.
You can also verify whether or not ACS is actually sending the privilege for shell exec if you turn on "debug tacacs". It should look something like...
Jul 28 09:25:02.157: TPLUS: Sending AV service=shell
Jul 28 09:25:02.157: TPLUS: Sending AV cmd*
Jul 28 09:25:02.157: TPLUS: Authorization request created for 4(annie)
Jul 28 09:25:02.157: TPLUS: using previously set server 172.16.242.222 from group tacacs+
Jul 28 09:25:02.173: TPLUS(00000004)/0/8370E638: Processing the reply packet
Jul 28 09:25:02.173: TPLUS: Processed AV priv-lvl=15
Jul 28 09:25:02.173: TPLUS: received authorization response for 4: PASS
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...