Are you returning the proper attributes with the Authorization Profile in ACS? You need to set the privilege level in the authorization profile in order for this to work. Here is what I have on my end:
Here is also a snippet from my ASA configs (you can ignore the authorization portion unless you want to do authorization on your end as well).
sh run aaa
aaa authentication ssh console NS-TACACS LOCAL
aaa authentication enable console NS-TACACS LOCAL
aaa authentication telnet console NS-TACACS LOCAL
aaa authentication http console NS-TACACS LOCAL
aaa authentication serial console NS-TACACS LOCAL
aaa authorization command NS-TACACS LOCAL
aaa accounting enable console NS-TACACS
aaa accounting serial console NS-TACACS
aaa accounting ssh console NS-TACACS
aaa accounting telnet console NS-TACACS
aaa accounting command privilege 15 NS-TACACS
aaa authorization exec authentication-server auto-enable
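
An added example, not part of the original post: a small Python audit of `sh run aaa` output like the one quoted above, reporting console channels with no LOCAL fallback, Telnet management, channels without accounting, and whether the exec authorization line with `auto-enable` is present. The function name, the result keys and the choice of checks are assumptions of this example; the sample input is the post's own configuration.

```python
# Added example: audits ASA "sh run aaa" output. The checks are this example's own choices.
# Sample input: the aaa lines quoted in the post above.
SAMPLE = """\
aaa authentication ssh console NS-TACACS LOCAL
aaa authentication enable console NS-TACACS LOCAL
aaa authentication telnet console NS-TACACS LOCAL
aaa authentication http console NS-TACACS LOCAL
aaa authentication serial console NS-TACACS LOCAL
aaa authorization command NS-TACACS LOCAL
aaa accounting enable console NS-TACACS
aaa accounting serial console NS-TACACS
aaa accounting ssh console NS-TACACS
aaa accounting telnet console NS-TACACS
aaa accounting command privilege 15 NS-TACACS
aaa authorization exec authentication-server auto-enable
"""

# Assumption: console accounting is only configurable for these channels (not http).
ACCT_CHANNELS = {"serial", "telnet", "ssh", "enable"}


def audit_aaa(config):
    """Return a dict of findings for the aaa section of an ASA config."""
    auth, acct, exec_authz = {}, set(), []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "aaa" and tok[3] == "console":
            if tok[1] == "authentication":
                auth[tok[2]] = tok[4:]      # channel -> method list
            elif tok[1] == "accounting":
                acct.add(tok[2])
        elif tok[:3] == ["aaa", "authorization", "exec"]:
            exec_authz = tok[3:]
    return {
        # Channels that lock admins out if the TACACS+ server is unreachable.
        "no_local_fallback": sorted(c for c, m in auth.items() if "LOCAL" not in m),
        # Telnet carries credentials in cleartext.
        "cleartext_mgmt": sorted(c for c in auth if c == "telnet"),
        # Authenticated channels with no accounting record.
        "no_accounting": sorted((set(auth) & ACCT_CHANNELS) - acct),
        # Exec authorization line from the post, and its auto-enable keyword.
        "exec_authz": "authentication-server" in exec_authz,
        "auto_enable": "auto-enable" in exec_authz,
    }


if __name__ == "__main__":
    for key, value in audit_aaa(SAMPLE).items():
        print(f"{key}: {value}")
```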