A good thing to do to investigate this kind of problem is to look in the logs of the TACACS server. Did the server see the authentication request? Did the server have a problem about the request? In the ACS server you would look in the failed attempts report for this information.
In my experience a very common cause of this problem is that the switch is not using the address as source for the authentication request that matches the address configured on the server. Typically the server is configured to use the management address of the switch but the switch is using the address of one of the data vlans as the source. The solution is to use the ip tacacs source-address command on the switch to specify which address to use.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...