A quick template for Cisco ACS 4.2 TACACS+ administration for IOS devices.
On the IOS device (taken from a switch):
enable secret <SECRET>
no enable password
no username <ANY CURRENT USERS>
username panicuser secret 0 <PANIC USER PASSWORD>
ip tacacs source-interface <MANAGEMENT INT>
tacacs-server directed-request
tacacs-server key <SECRET>
tacacs-server host <ACS IP>
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization console
Log out of the IOS device and log back in with an ACS username to confirm the TACACS+ login works, then add accounting:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
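The template relies on two fallback paths: the default login list ends in "local" so the panicuser works when the ACS is unreachable, and the default enable list ends in "enable" so the enable secret still works. The "no-tacacs" list does no authentication at all, so wherever it is bound to a line matters. The following Python script is an added example, not part of the original template, that parses an IOS-style config and checks those properties; the sample config embedded in it is constructed from the template with placeholder values (the ACS at 10.0.0.5, fake secret hashes, and a console line bound to the no-tacacs list).

```python
"""Audit an IOS config's AAA/TACACS+ settings for the fallback properties
the template depends on. Added example; the config below is constructed."""
import re

SAMPLE_CONFIG = """\
enable secret 5 $1$fake$placeholderhash
username panicuser secret 5 $1$fake$placeholderhash
ip tacacs source-interface Loopback0
tacacs-server directed-request
tacacs-server key 7 0123456789ABCDEF
tacacs-server host 10.0.0.5
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization console
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
line con 0
 login authentication no-tacacs
line vty 0 4
 transport input ssh
"""


def parse_method_lists(config):
    """Return {(kind, list_name): [methods]} for 'aaa authentication' lines.
    'group tacacs+' is folded into one token 'group:tacacs+'."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", line.strip())
        if m:
            kind, name, rest = m.groups()
            lists[(kind, name)] = rest.replace("group ", "group:").split()
    return lists


def line_auth_bindings(config):
    """Return {'line con 0': 'no-tacacs', ...} from 'login authentication X'
    statements indented under 'line ...' blocks."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                bindings[current] = m.group(1)
        elif not raw.startswith(" "):
            current = None  # left the line block
    return bindings


def audit_aaa(config):
    """Return a list of (severity, message) findings; empty means all checks passed."""
    findings = []
    lists = parse_method_lists(config)
    has_local_user = re.search(r"^username \S+ (secret|password)", config, re.M) is not None
    has_enable_secret = re.search(r"^enable secret ", config, re.M) is not None

    # Login fallback: TACACS+ first, local only when the server is unreachable.
    default_login = lists.get(("login", "default"), [])
    if "group:tacacs+" not in default_login:
        findings.append(("high", "default login list does not use TACACS+"))
    if "local" not in default_login:
        findings.append(("high", "default login list has no local fallback for when ACS is unreachable"))
    elif not has_local_user:
        findings.append(("high", "local fallback configured but no local user exists"))

    # Enable fallback: the enable secret must exist for 'enable' to help.
    default_enable = lists.get(("enable", "default"), [])
    if "enable" not in default_enable:
        findings.append(("medium", "default enable list has no 'enable' fallback"))
    elif not has_enable_secret:
        findings.append(("high", "enable fallback configured but no 'enable secret' set"))

    # Any login list containing 'none' authenticates nobody; report where it is bound.
    bindings = line_auth_bindings(config)
    for (kind, name), methods in lists.items():
        if kind == "login" and "none" in methods:
            bound = [ln for ln, lst in bindings.items() if lst == name]
            for ln in bound:
                sev = "medium" if ln.startswith("line con") else "high"
                findings.append((sev, f"list '{name}' (no authentication) applied to '{ln}'"))
            if not bound:
                findings.append(("info", f"list '{name}' contains 'none' but is not applied to any line"))

    if not re.search(r"^aaa accounting commands 15 default start-stop group tacacs\+", config, re.M):
        findings.append(("medium", "privilege-15 command accounting to TACACS+ not configured"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_aaa(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample, the only finding is the no-tacacs list bound to the console; deleting the panicuser line from the sample turns the local fallback into a high-severity finding, which is exactly the lockout scenario the template's panic user exists to prevent.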
Cisco ACS:
Interface Configuration -> TACACS+ (Cisco IOS) -> Advanced TACACS+ Features -> tick "Display enable default (Undefined) service configuration"
Network Configuration-> AAA Clients Add Entry-> IOS Device IP Address/Secret/TACACS+ (Cisco IOS)
Group Setup -> The group you want to use -> Rename Group -> Meaningful name (e.g. Networking Admins)
Group Setup-> Networking Admins->Edit Settings:
->Enable Options->Level 15
->TACACS+ Settings->Shell (exec)
->TACACS+ Settings->Privilege level->15
->TACACS+ Settings->Shell Command Authorization Set->Per Group Command Authorization->Permit
->Submit + Restart
User Setup->Name of the user to create->Add/Edit
->User Setup->Password
->User Setup->Group to which the user is assigned:->Networking Admins
->Advanced TACACS+ Settings-> TACACS+ Enable Control:->Use Group Level Setting
->Advanced TACACS+ Settings-> TACACS+ Enable Password->Use CiscoSecure PAP password
->Submit
That's it. All AAA now goes to the TACACS+ server, and if the IOS device cannot reach it (the local method is only tried when the server is unreachable, not when it rejects a login), the panicuser account and the enable secret give you local access to the device.