This problem occurs due to the presence of Cisco bug ID CSCsd86017.
The enable password for TACACS+ fails to authenticate if these conditions are met:
Users can log in, but when the enable command is issued, authentication fails and the Failed Attempts log displays the "cs user unknown" error message.
As a workaround, set the enable password to the Windows password. Alternatively, use the CiscoSecure Password Authentication Protocol (PAP) password.
Note: The CiscoSecure PAP password automatically blanks out and effectively becomes the Windows password.
A separate enable password for TACACS+ works well in CiscoSecure ACS version 3.3.3 and earlier. This problem occurs with CiscoSecure ACS version 4.0(1.27).