
IDS with tacacs

daven.delidle
Level 1
Level 1

Are IDS 4215 sensors compatible with TACACS? I did not see anything in the CSM, the user guides or IDS itself that would lead me to believe it was, but just wanted to make sure with the group.

Thank you.

1 Accepted Solution

Accepted Solutions

vitripat
Level 7
Level 7

As of now IDS/IPS devices don't support external authentication using AAA servers. Hence the only way users can be authenticated is using the local database on the IDS/IPS device.

Hope this helps.

Regards,

Vibhor.


Just some additional comments that may or may not help in your planning.

Most of the time it is multi-user environments that require tacacs+ support.

Often these same environments are where CSM is being used for management, and MARS is being used for monitoring.

Both CSM and MARS are built for multi-user environments, and I believe that CSM supports TACACS+ for logging into the CSM client. And I am fairly sure MARS also supports TACACS+.

When CSM and/or MARS accesses the sensor they will do so through a single account for all transmission of data regardless of which user requested the change, rather than trying to connect to the sensor using the same account through which the changes were made in CSM and/or MARS.

So at least for day to day monitoring and configuration activities you use tacacs when using CSM and MARS for those activities.

Then it is only the periodic troubleshooting requiring direct sensor access that won't fit into your TACACS+ model, and local accounts would need to be used on the sensor.

I believe TACACS+ is on the roadmap for MARS, but it is currently not supported. Only local authentication is. You don't really use MARS for day to day management either, though. All MARS really does today is collect the events.

The lack of TACACS+ or RADIUS support on the IPS sensors has caused me to fail many a security audit and has made me explain WHY my security devices are less secure than the hosts they protect.

You may be aware of this already, but you can limit access at the network level and enable password lockouts. Still using local credentials of course ;-(
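The two compensating controls mentioned in the last reply (restricting which hosts may reach the sensor's management interface, and locking local accounts after repeated failed logins) look roughly like this on the sensor CLI. This is an added illustration, not configuration from any poster in this thread; it assumes the `service host` / `network-settings` / `access-list` and `service authentication` / `attemptLimit` commands of the Cisco IPS 5.x/6.x software line, and the network 10.1.1.0/24 and limit of 3 attempts are constructed values. Exact syntax varies by software version, so check it against the configuration guide for the version running on the sensor.

```text
sensor# configure terminal
! Allow only the management subnet (constructed example value) to reach
! the sensor's command-and-control interface; all other hosts are refused.
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# access-list 10.1.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes

! Lock a local account after 3 consecutive failed logins (constructed value).
sensor(config)# service authentication
sensor(config-aut)# attemptLimit 3
sensor(config-aut)# exit
Apply Changes:?[yes]: yes
```

Because the sensor still has no AAA server to record who logged in, the access list is what keeps the local-credential exposure to a known set of administrator hosts, and the lockout is what bounds online password guessing; both are worth listing in the audit response alongside the fact that the sensor cannot do TACACS+ or RADIUS itself.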
