In such cases I find it useful to see if the packets are actually arriving at the ACS server. If you're running ACS on Windows, it's pretty simple to load Wireshark, start a capture and watch for the packets coming in during a failed authentication attempt.
I'm assuming you verified the obvious like the device's management IP being correctly entered and the tacacs key matching.
Common issues include:
a. the device sourcing from other than the expected IP address and thus not matching its definition in ACS. This can be fixed by either changing the device definition on ACS or using "ip tacacs source-interface" command on the switch.
b. the packets not arriving at all from the source device. This is usually caused by a network configuration error.
You can also debug tacacs on the switch while you try to authenticate to your ACS server.