The question is what would cause the ACS to authenticate the client but not authorize it when the user has full permissions to. It doesn't even let me get close to the priviledged EXEC mode. Why isn't authorizing? It can connect to the ACS I know that from the logs.... But it declines the authorization for this reason:

08/03/2004 16:33:52 Authen OK bakerd Global 10.X.X.X tty6 10.X.X.X
08/03/2004 16:33:52 Author failed bakerd Global 10.X.X.X .. Service denied service=shell cmd* tty6 10.X.X.X

The user bakerd has a max enable priviledge of 15 on all NDGs and it is already setup to require authentication and authorization on login....

Is there something I'm missing....

The only thing I found on the link you posted was about setting up AAA on the VTY lines... Do I have to do that? When I set the ACS up on a test network I never had to change AAA settings on VTY lines.