Does the login page set the UserLevel Session?
Double click the Authenticate User server behavior on the login page and go to the third page, make sure the UserLevel column is added to the list of sessions to set.
just to double check what sessions are being set, add the following code to the access denied page:
</pre><?php var_dump($_SESSION); ?></pre>