Core issue
This issue occurs due to the presence of the Cisco bug ID CSCec59692.
Routers that terminate VPN client connections on Cisco IOS 12.3 code fail to authenticate users through TACACS+. The authentication of other users, such as dial-in users, functions fine to TACACS+. When requests leave the router to the TACACS+ server, the authentication does not fail.
This problem occurs in Cisco IOS 12.3 mainline and 12.3T-based codes. The current suspicion is that prior code is not affected. This issue is not observed on non-VPN traffic.
Refer to all affected versions for a list of other Cisco IOS versions that hit this bug.
Resolution
As a workaround, either use local authentication, or download and upgrade the Cisco IOS version to one of these versions: