Hello, I am new to the group. I have looked around and found some references to my problem but no clear answer, so I thought I would post here.
I have ACS 4.2 serving as my TACACS+ server for router and switch access. I am using Windows AD for password authentication. My authentication is working, but I am a bit confused about command authorization.
In global config I have
aaa new-model
aaa authentication login <name> group tacacs+ local
aaa authorization config-commands
aaa authorization exec <name> group tacacs+ local
aaa authorization commands 15 <name> group tacacs+ local
aaa accounting exec <name> start-stop group tacacs+
aaa accounting commands 15 <name> start-stop group tacacs+
In VTY config I have
authorization commands 15 <name>
authorization exec <name>
accounting commands 15 <name>
login authentication <name>
In ACS I have groups set up, and my users are configured to use the group settings. The privilege level for the group is 3.
For help desk staff I need them to be able to run the sho config command. I created a command set list with the proper command and argument in place.
The issue is that when I log in to the devices via SSH to vty x as the help desk user and try to run the sho config, it uses the priv level and denies the command locally. I have verified by running debug that the AAA server is not being queried for the authorization. How do I get the router/switch to go to my AAA server for any command above the assigned priv level? For my net admins, with a priv level of 15 set in the ACS group, the AAA server is queried, so I am a bit confused and expect I missed a simple step in the config.
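Added example, not part of the original post: an IOS device only sends a command to the TACACS+ server for authorization when `aaa authorization commands <level>` is configured for the privilege level the user is currently at, and the parser rejects a command that is not visible at that level before any authorization request is built. With only `commands 15` configured and a group at priv-lvl 3, a level-3 user typing a level-15 command is refused locally, which matches the debug output described above. The fragment below shows two ways a practitioner would handle this; the method-list name `<name>` and the TACACS+ server definition are assumed, since the post does not show them.

```cisco
! --- Option A: authorize commands at every level the users can land on ---
! Each privilege level needs its own line; "commands 15" alone covers only
! users who are already at level 15.
aaa authorization commands 0 <name> group tacacs+ local
aaa authorization commands 1 <name> group tacacs+ local
aaa authorization commands 3 <name> group tacacs+ local
aaa authorization commands 15 <name> group tacacs+ local
! "config-commands" only has effect when commands authorization is on for
! the level the user is at.
aaa authorization config-commands
! Make the command visible to level-3 users so the parser accepts it and
! forwards it to ACS. Moving a sub-command down also moves its parent
! keyword ("show") down to that level.
privilege exec level 3 show running-config
!
! Accounting should also cover the lower levels, or level-3 activity is
! never recorded.
aaa accounting commands 3 <name> start-stop group tacacs+
!
! --- Option B: put every TACACS+ user at level 15 and let ACS decide ---
! Set priv-lvl=15 in the ACS group for help desk staff as well, and
! restrict what they may run with a per-group command set. Then the
! existing "commands 15" lines already send every command to ACS, and the
! device-side config reduces to:
aaa authorization commands 15 <name> group tacacs+ local
aaa accounting commands 15 <name> start-stop group tacacs+
```

Two checks worth doing either way. First, IOS sends the fully expanded command text to the server, so the ACS command set must match the expanded form (for example `show running-config`), not the abbreviation typed at the prompt. Second, the `local` fallback in each method list means that if the TACACS+ servers are unreachable, authorization is decided by the local privilege level; under Option A the `privilege exec level 3` line then lets any level-3 user view the running configuration without ACS ever being consulted, so confirm that is acceptable before lowering commands locally.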