I would do a debug on your TACACS+ server while you are trying this.
I'll assume that you only want to use TACACS authentication and only fall-back to local logins if it can't access the server?
Try using this:
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
Also see this site: It has some good examples and explanations
http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i13896_heada_4_2#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTA1OTY1MjcyMjUlMkZpNTAzNjNfX2hlYWRhX180XzEmcXVlcnk9
My guess is that since you have the "local" keyword in:
aaa authentication login default group tacacs+ local line
The TACACS+ authentication returns a fail, so the router tries doing local authentication. I guess you should provide us with the line vty sanitized configuration.
If you have
line vty 0 15
login local
Then it would do a username/password authentication otherwise its doing password
Your question's pretty broad. There's a lot of different commands you can use to troubleshoot and monitor QoS, so I'll focus on the primary question you have, which is how to reasonably verify your QoS configuration is working and how to read the policy-map interface output.
The only true way to verify that QoS is working is to hook up a traffic generator and monitor your drop rate in various queues. Since that isn't typically feasible, particularly in a production environment, all you can really do is verify that the traffic is being marked and classified properly.
What you're really looking for, when it comes to verifying if your QoS configuration is working, is for the counters in the policy-map interface command to increment.
So, for example, in the output your provided:
Class-map: VOICE (match-any)
3860628 packets, 1070196895 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol sip
97348 packets, 49867304 bytes
5 minute rate 0 bps
Match: protocol rtp
3763280 packets, 1020329591 bytes
5 minute rate 0 bps
Match: access-group name NEC-PBX
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 40% (340 kbps), burst bytes 8500, b/w exceed drops: 5
You can see that you're seeing packets under SIP and RTP, but not NEC-PBX. If you know you're getting SIP and RTP traffic across a link, you should see the packet counts increment and that's a reasonable way to know that your configuration is basically working.
Best Answer
Ciscocmd is another option like RANCID which has already been mentioned;
http://sourceforge.net/projects/cosi-nms/files/ciscocmd/
Alternatively you could use SNMP. You can send an SNMP write to the device with the location of a config server using an TFTP URL or HTTP URL and setting the "Pull config" option via SNMP;
http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup
https://supportforums.cisco.com/discussion/11025771/push-configuration-snmp