I would like to add that ACS 5.3 and later doesn't support tacacs + authorization and I've recently filed a defect on the same to be supported. The defect will be fixed in ACS 188.8.131.52 so don't upgrade now. Either use IOS 15.0 or radius.
Here is a defect for your reference:
CSCun82456 ACS 5.x does not support TAC+ authorization Service 0x1a (Auth-Proxy ip)
<B>Symptom:</B> ACS 5.x does not support TACACS+ authorization Service 0x1a (Auth-Proxy ip)
Authorizing Auth-Proxy on IOS 15.1 or above using TACACS+ to ACS 5.x
<B>Workaround:</B> Configure Auth-Proxy to use the Radius protocol.
<B>Further Problem Description:</B>
NOTE: The only thing that is supported by ACS 5.3 patch 5 is authentication and alone authentication would not solve the purpose.
Reason why authorization is not supported with ISO 15.1 and later. IOS changed the Authorization service used for Auth-Proxy in IOS 15.x from 0x1 (auth-proxy) to 0x1a (auth-Proxy ip). IOS 15.0 sets the service as 0x01 and 15.1(4)M7 sets the Service as 0x1a. Per captures ACS does not know what service 26 is and drops the request with a below listed error message: "13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets". Auth-Proxy using TACACS+ now fails the authorization packet against ACS 5.x because 0x1a is not a supported service. Before this fis is resolved , 0x1a Auth-Proxy service is supported only in the authentication flow in ACS 5.x and this was addressed in CSCtx12249.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...