Sep 032009

service password-encryption will not encrypt the tacacs-server key on most IOS 12.2 and below.

So be careful with copy&paste things like

tacacs-server key 7 120B0A02060E1E49392E273A3621315D091317

You have to enter your tacacs-server key in cleartext for a working tacacs setup.

tacacs-server key

Erroneous configuration may result in the following output of debug tacacs:

TPLUS: Queuing AAA Authentication request 199 for processing
TPLUS: processing authentication start request id 199
TPLUS: Authentication start packet created for 199()
TPLUS: Using server
TPLUS(000000C7): connected to server
TPLUS: response received for AAA request 199
TPLUS: received bad AUTHEN packet: length = 6, expected 66016
TPLUS: Invalid AUTHEN packet (check keys)

The 0 string and 7 string keyword and argument pairs were added in 12.3(2)T