We have an assortment of 4507s, 2950s, and mid-size routers, all on TACACS+. We have physical security over all the devices, so we want the console port always available. We tried adding "login authen for-console" under line Con 0, and "aaa authen login for-console none", but that sometimes gives us an infinitly recuring login prompt. Whats the best way to always keep it open?
This will be independent of TACACS. Whether you should remove the TACACS lines from Console 0 depends on what is configured in aaa and on what you want the behavior to be. If you leave the TACACS lines on console 0 there will be no authentication and the console will be pretty much always open. (I say pretty much because if someone is on the console and when they finish they execute the logoff or quit or exit commands the console session will terminate and go back to the login prompt.)
If you remove the TACACS lines from console 0 and there is an aaa authentication login default configured then the console will be subject to this processing for authentication.
Based on what I think I understand of what you are trying to do I would leave the TACACS configured on the console as you have it and I would add the exec-timeout 0.