You have to configure shell command authorization on a per-NDG level for the user group. Yes. Your device is using the aaa authentication mechanism that you just configured on the device, as it's supposed to do.
You probably logged in with the local username and/or password log-on credentials that have always existed prior to aaa deployment, and then you proceeded to configure TACACS authentication. Now, the device is rightly using the directives for verifying identity (authentication) that are set out in the aaa configuration -- and your log-on credentials don't match, of course.
Typically, you should first configure your ACS server and then configure each node. When configuring each node, enter all the aaa commands and enable passwords, etc., but WAIT to enter the tacacs key until last. This way you will not lock yourself out of the device.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_pvt.html
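
An added example, not part of the original replies: a small Python check that scans a candidate IOS configuration for the lockout condition discussed above before it is pasted into a device. The sample configurations, address, keys and the function name `lockout_findings` are constructed for illustration, and treating `local` and `enable` as fallback methods in the method list is an assumption the replies do not spell out.

```python
import re

# Constructed samples (not from the thread): 192.0.2.10 and all secrets are placeholders.
SAMPLE_RISKY = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
"""

SAMPLE_SAFER = """\
username admin privilege 15 secret EXAMPLE-SECRET
enable secret EXAMPLE-ENABLE
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
"""

# Methods IOS can try when the TACACS+ server returns an error or is unreachable.
FALLBACKS = {"local", "local-case", "enable", "line", "none"}

def lockout_findings(config: str) -> list[str]:
    """Return human-readable lockout risks found in an IOS config fragment."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has_user = any(re.match(r"username \S+ ", l) for l in lines)
    has_enable = any(re.match(r"enable (secret|password) ", l) for l in lines)
    findings = []
    for l in lines:
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", l)
        if not m:
            continue
        kind, name, methods = m.group(1), m.group(2), m.group(3).split()
        used = FALLBACKS.intersection(methods)
        if "tacacs+" in methods and not used:
            findings.append(f"{kind} list '{name}': TACACS+ only, no fallback method")
        if used & {"local", "local-case"} and not has_user:
            findings.append(f"{kind} list '{name}': local fallback but no username defined")
        if "enable" in used and not has_enable:
            findings.append(f"{kind} list '{name}': enable fallback but no enable secret")
        if "none" in used:
            findings.append(f"{kind} list '{name}': 'none' fallback skips authentication")
    return findings

if __name__ == "__main__":
    for finding in lockout_findings(SAMPLE_RISKY):
        print("RISK:", finding)
```
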