There is a known bug that covers the behavior you've observed, that's triggered by using certain versions of Firefox. What browser were you using when this happened? Javier Henderson Cisco Systems

The error message states invalid credentials were entered (seen at the bottom of radius_details_3.jpg), so that's why the user was not allowed access.

You will want to configure command authorization on the router (switch, etc.) and then create a command authorization set on ACS, and apply it to an authorization policy.

Unlike ACS 4.x (and earlier) which had a separate page for successful and failed attempts, ACS 5.x shows all authentication attempts on the same report.

Can you post the same debug output, from a switch showing the correct behavior, please? Also, are you able to collect a packet capture, so we can see what's being put on the wire by the RADIUS server? I realize the output of "debug radius" suggests ...