We have a tacacs server (v3.3) which seems to be showing some strange characterisitics. If we look at the authentication failure logs on the ACS it shows what appears to be the Login Banner as well as attempted commands in the "Username" field. How is this possible? if the user has failed to authenticate, shouldn't it just show the name of the user?
Yes, this will have the same effect. Here is the example config to fix these kind of issues.
line aux 0
session time-out 20 ! The session times out after 20 minutes of inactivity.
no motd-banner ! disable the MOTD banner for reverse Telnet sessions
exec-timeout 0 0