For dialup-PPP, one usually enables authentication, authorziation and accounting with TACACS+.
In contrast, leased lines with PPP encapsulation usually operate without any authentication, so it's disabled on the leased line interfaces (e.g. Serial0). But before IOS 11.3(3)T, authorization and accounting can only be enabled globally for all interfaces, so this is still performed for the leased line interfaces, although authentication is disabled.
This has the effect that during IPCP address negotiation, an authorization request is sent to the TACACS+ daemon to validate the IP address negotiated. But as no prior authentication occured, the username for this request is unknown, i.e. empty. Consequently, authorization is denied.
There are three work-arounds. The first one is to enable authentication even on the leased line interfaces.
The second one is to define an empty user in the TACACS+ daemon to allow the desired authorization. However, I wouldn't recommended this due to the possible security problems.
user = "" {
service = ppp protocol = ip {
}
}
The third one is to use an IOS release of at least 11.3(3)T. Not that I would recommend this particular early release, however. This release allows to configure authorization and accounting on a per-interface base.