This issue is caused by Cisco bug ID CSCec59692.
Routers that run Cisco IOS 12.3 code and terminate VPN client connections fail to authenticate users through TACACS+. Authentication of other users, such as dial-in users, works correctly through TACACS+. When requests leave the router for the TACACS+ server, the authentication does not fail.
This problem occurs in Cisco IOS 12.3 mainline and 12.3T-based code. The current suspicion is that earlier code is not affected. This issue is not observed on non-VPN traffic.