Can you change it via the console or using SSH?  Might be something weird with your telnet session. 

Also this is from the ACS authentication FAQ:

Q. When I turn on enable authentication in the switch or router with commands such as aaa authentication enable default tacacs+ or set authentication login tacacs enable telnet primary, I am locked out of enable mode and receive the Error in authentication error message on the router. What do I need to do?

A. Check the failed attempts log in the ACS. If the log says CS password invalid, it can be that there has not been a special enable password set up for the user. This is required when you configure enable authentication. If you do not see Advanced TACACS+ Settings in the user options, select Interface Configuration > Advanced Configuration Options > Advanced TACACS+ Features and select that option in order to get the TACACS+ settings to appear in the user settings. Then select Max privilege for any AAA Client (this is usually 15) and enter the TACACS+ Enable Password that you want the user to have for enable.

Q. How do I determine what the 'Authen failed' message type means?

A. Note the date and time of the message, go to the CSAuth log file, and search on the date and time. A more detailed explanation of the message is then presented.