Configuring TACACS+ Authentication on Cisco Devices
# Configure TACACS+ server
aaa new-model
tacacs-server host 192.168.1.100
tacacs-server key mysecretkey
# Legacy syntax; newer IOS and IOS-XE releases use a named "tacacs server" block ("address ipv4 ..." and "key ...") instead
# The key must match the one configured on the server; it is stored in clear text unless "service password-encryption" is enabled
# Define authentication method for login
aaa authentication login default group tacacs+ local
# Try TACACS+ first; "local" is consulted only when no TACACS+ server answers (an error), not when a server rejects the credentials
# The fallback is only useful if a local account exists ("username ... privilege 15 secret ...")
# Define authentication method for privilege mode
aaa authentication enable default group tacacs+ enable
# TACACS+ first; if no server answers, fall back to the locally configured "enable secret"
# Define authorization for exec sessions
aaa authorization exec default group tacacs+ local
# TACACS+ decides whether an authenticated user gets an exec shell and at which privilege level; the local database is used only if no server answers
# Define authorization for command execution (privilege level 15)
aaa authorization commands 15 default group tacacs+ local
# Each level-15 command is checked with the TACACS+ server before it runs; commands at other levels are not authorized unless a matching "commands <level>" list is also defined
# Enable accounting for session start/stop
aaa accounting exec default start-stop group tacacs+
# Enable accounting for executed commands
aaa accounting commands 15 default start-stop group tacacs+
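The comments above hinge on one rule of IOS method lists: the next method is consulted only when the previous one returns an error, never when it returns a failure. The following Python model is an added illustration, not Cisco code; TacacsStub and LocalDb are constructed in-memory stand-ins for "group tacacs+" and "local", and the usernames and passwords are made up.

```python
"""Model of how a Cisco IOS AAA method list chooses between its methods.

Added illustration for the login method list above; it is not Cisco code.
It encodes the rule that IOS moves to the next method only when the previous
method returns ERROR (no TACACS+ server answered), never when that method
returns FAIL (credentials rejected). The backends are constructed stubs.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a decision and rejected the user
    ERROR = "error"  # the method could not reach a decision


class TacacsStub:
    """Stand-in for 'group tacacs+': returns ERROR when no server is reachable."""

    def __init__(self, users, reachable=True):
        self.users = users          # constructed username -> password table
        self.reachable = reachable

    def authenticate(self, username, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(username) == password else Result.FAIL


class LocalDb:
    """Stand-in for the 'local' method ('username ... secret ...' entries).

    Simplification: an unknown user is treated as FAIL; the exact IOS handling
    of a user absent from the local database is not modelled.
    """

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        return Result.PASS if self.users.get(username) == password else Result.FAIL


def run_method_list(methods, username, password):
    """Evaluate (name, backend) pairs in order; fall through only on ERROR."""
    for name, backend in methods:
        result = backend.authenticate(username, password)
        if result is not Result.ERROR:
            return name, result
    # Every method errored: IOS denies the login rather than letting it through.
    return "no-method-answered", Result.FAIL


def scenarios():
    """Walk the list 'group tacacs+ local' through four constructed cases."""
    tacacs_users = {"netops": "TacacsOnly!"}   # constructed
    local_users = {"admin": "LocalOnly!"}      # constructed
    out = {}
    # 1. Server reachable, user known to TACACS+: authenticated by TACACS+.
    up = [("tacacs+", TacacsStub(tacacs_users)), ("local", LocalDb(local_users))]
    out["server_up_tacacs_user"] = run_method_list(up, "netops", "TacacsOnly!")
    # 2. Server reachable, user exists only locally: TACACS+ rejects, and that
    #    rejection is final. The local account is NOT consulted.
    out["server_up_local_user"] = run_method_list(up, "admin", "LocalOnly!")
    # 3. Server unreachable: the ERROR moves evaluation to 'local', which passes.
    down = [("tacacs+", TacacsStub(tacacs_users, reachable=False)),
            ("local", LocalDb(local_users))]
    out["server_down_local_user"] = run_method_list(down, "admin", "LocalOnly!")
    # 4. Server unreachable and no local account: the device stays locked.
    out["server_down_unknown_user"] = run_method_list(down, "netops", "TacacsOnly!")
    return out


if __name__ == "__main__":
    for case, (method, result) in scenarios().items():
        print(f"{case:26s} -> {result.value:5s} via {method}")
```

Case 2 is the one that surprises people: a user who exists only in the local database cannot log in while the TACACS+ server is up, because the server's rejection ends the evaluation. Local accounts are an outage fallback, not a second way in.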
Optional: Allow Local Access During Maintenance
During device upgrades or maintenance, it is advisable to keep local console access as a fallback in case the TACACS+ server becomes unavailable. The named method lists below are applied only to the console line; remote (vty) sessions continue to use the default lists above.
# Create a named authentication method list that uses only the local database
aaa authentication login local_only local
# Define named authorization lists for console access (a "commands" list always needs a privilege level)
aaa authorization exec console local
aaa authorization commands 15 console none
# Note: IOS applies no authorization to the console unless "aaa authorization console" is configured globally
# Apply the named lists to the console line
line console 0
login authentication local_only
authorization exec console
authorization commands 15 console
!
After completing maintenance, remove these console settings (or point the console back at the default method lists) so that the device is again governed by TACACS+.
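A leftover maintenance fallback is easy to miss in a long running-config, so the check is worth automating. The following audit script is an added example, not Cisco code and not part of the original page: it takes "show running-config" text, reports baseline AAA statements that are missing, flags the legacy "tacacs-server" syntax, and lists any non-default method list still bound to a line. Both configs embedded below are constructed samples; the server name ISE-1 is made up.

```python
"""Audit 'show running-config' text against the TACACS+ AAA baseline above.

Added example, not Cisco code. It reports missing baseline statements, flags
the legacy 'tacacs-server' syntax, and lists non-default method lists still
bound to a line, which is how a forgotten maintenance fallback shows up.
"""
import re

# Global statements the baseline requires verbatim.
REQUIRED = [
    "aaa new-model",
    "aaa authentication login default group tacacs+ local",
    "aaa authentication enable default group tacacs+ enable",
    "aaa authorization exec default group tacacs+ local",
    "aaa authorization commands 15 default group tacacs+ local",
    "aaa accounting exec default start-stop group tacacs+",
    "aaa accounting commands 15 default start-stop group tacacs+",
]

# Constructed sample: the baseline plus a maintenance fallback left on the console.
LEFTOVER_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login local_only local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization exec console local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.168.1.100
tacacs-server key mysecretkey
!
line con 0
 login authentication local_only
 authorization exec console
 authorization commands 15 console
!
"""

# Constructed sample: same baseline after cleanup, with the named-server syntax.
CLEAN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs server ISE-1
 address ipv4 192.168.1.100
 key mysecretkey
!
line con 0
!
"""

SECTION_HEADER = re.compile(r"^(line |tacacs server |aaa group server )")
LINE_LIST = re.compile(r"^(login authentication|authorization exec|authorization commands \d+) (\S+)$")


def split_sections(config):
    """Split IOS text into global lines and {header: [sub-mode lines]} (sub-modes are indented)."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(stripped)
        elif SECTION_HEADER.match(stripped):
            current = stripped
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(stripped)
    return global_lines, sections


def audit(config):
    """Return a list of (kind, detail) findings; an empty list means compliant."""
    findings = []
    global_lines, sections = split_sections(config)
    present = set(global_lines)
    findings += [("missing", s) for s in REQUIRED if s not in present]
    legacy_hosts = [l for l in global_lines if l.startswith("tacacs-server host ")]
    named = {h: b for h, b in sections.items() if h.startswith("tacacs server ")}
    if not legacy_hosts and not named:
        findings.append(("missing", "tacacs+ server definition"))
    findings += [("legacy", l) for l in legacy_hosts]
    has_key = any(l.startswith("tacacs-server key ") for l in global_lines) or any(
        s.startswith("key ") for body in named.values() for s in body)
    if not has_key:
        findings.append(("missing", "tacacs+ shared key"))
    # Any line bound to a list other than "default" bypasses the TACACS+ policy.
    for header, body in sections.items():
        if header.startswith("line "):
            for stmt in body:
                m = LINE_LIST.match(stmt)
                if m and m.group(2) != "default":
                    findings.append(("nondefault-list", f"{header}: {stmt}"))
    return findings
```

Run audit() over the text of "show running-config" pulled from each device; a "nondefault-list" finding on a line is the signal that the maintenance fallback was never removed, and a "legacy" finding marks devices still on the old server syntax.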