By default, our WTI equipment configured for TACACS+ authenticates with the "pap" query instead of the "login" query, so the TACACS+ server needs a "pap" entry alongside "login".
Below is a sample configuration from the tac_plus.cfg file:
group = sysadmin {
    login = PAM
    pap = PAM # new inserted line
    acl = default
    # Needed for the router to make commands available to user (subject
    # to authorization if so configured on the router)
    service = exec {
        priv-lvl = 15
    }
}
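
To audit an existing tac_plus.cfg for groups that define "login" but lack the "pap" line a WTI unit will query, a small check like the following can be used. It is an added example, not WTI's or tac_plus's own code; the sample configuration and the "netops" group are constructed, and the parser assumes the brace and "key = value" layout shown above, with no "#" or braces inside quoted values.

```python
import re

# Constructed sample in tac_plus.cfg syntax; "netops" is a made-up group.
SAMPLE_CFG = """
group = sysadmin {
    login = PAM
    pap = PAM # new inserted line
    acl = default
    service = exec {
        priv-lvl = 15
    }
}
group = netops {
    login = PAM
    service = exec {
        priv-lvl = 1
    }
}
"""

def group_auth_methods(cfg_text):
    """Map each group to the login/pap backends set directly in its block."""
    groups, current, depth = {}, None, 0
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        start = re.match(r"group\s*=\s*(\S+)\s*\{$", line)
        if start and depth == 0:
            current, depth = start.group(1), 1
            groups[current] = {}
            continue
        if current and depth == 1:               # ignore nested service blocks
            kv = re.match(r"(login|pap)\s*=\s*(.+)$", line)
            if kv:
                groups[current][kv.group(1)] = kv.group(2).strip()
        depth += line.count("{") - line.count("}")
        if depth <= 0:                           # block closed
            current, depth = None, 0
    return groups

def groups_missing_pap(cfg_text):
    """Groups that answer "login" queries but would fail a "pap" query."""
    methods = group_auth_methods(cfg_text)
    return sorted(g for g, m in methods.items() if "login" in m and "pap" not in m)

if __name__ == "__main__":
    for name in groups_missing_pap(SAMPLE_CFG):
        print(f"group {name}: has login but no pap entry")
```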