I believe that you have provided mostly good advice. I would question this line:
aaa authentication enable default group tacacs+ local
I question using local as the fall back method for authenticating the enable password. I believe it is better to configure it this way:
aaa authentication enable default group tacacs+ enable
Also I believe that the configuration needs a line configuring login authentication. It might look like this:
aaa authentication login default group tacacs+ line
I would emphasize your advice about using the loopback interface as the source address for tacacs. This is especially important when the router (or switch) has more than one interface that is a potential path to the tacacs server. The tacacs server can recognize only a single address from the router (or switch). If you do not specify the source address then the router (or switch) will default to using the address of the outbound interface. If the primary interface happens to be down and the router is sending out the other interface then tacacs will not be able to authenticate or authorize. Specifying the source address as the loopback fixes this and tacacs will be able to process no matter which interface is sending the traffic.
The config options depend on the final decision by the owner, as he/she can refer to details on the config/implementation in the URL link and attached doc. Here, we normally share/suggest config that some might apply, and some might use as guidelines or references.
Anyway, the reason for local, instead of enable, was to have another layer of control when ACS is not available to authenticate, i.e. an operator might not need to go as far compared to another admin with higher privilege, plus keeping the enable pwd to certain (authorized) folks only.
But having said that, it is not compulsory to strictly use local or enable as the last resort.
Without ACS, some might use the local database in the router/switch to keep individual accounts with different privileges when logging in. With ACS, some will probably get rid of all of it, or maintain some of it. It all depends on their requirements.
BTW, the tacacs source intf command was in the next post. I missed the line.
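Pulling the pieces from both posts together, here is an added example of a complete IOS AAA block (written for this thread, not copied from either poster or from the linked doc). It assumes a TACACS+ server reachable at 192.0.2.10 via Loopback0, and uses obvious placeholders for the shared key and local secrets; the server name, group name and usernames are made up for the example. It shows the enable fallback the first post prefers and the local login fallback the second post describes, with the trade-off noted in comments.

```ios
! --- Added example, not from the original posts. Placeholders in angle brackets. ---
aaa new-model
!
! Define the TACACS+ server and put it in a named group so the method lists
! reference the group rather than the global "tacacs+" keyword.
tacacs server ACS1
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
!
aaa group server tacacs+ TACACS-GRP
 server name ACS1
!
! Source all TACACS+ traffic from the loopback so the server sees one stable
! address regardless of which physical interface is up (the point of post 1).
ip tacacs source-interface Loopback0
!
! Login: try ACS first, fall back to the local user database when ACS is
! unreachable. Post 2's rationale: local accounts can carry different privilege
! levels, so an operator does not automatically get full access during fallback.
aaa authentication login default group TACACS-GRP local
!
! Enable: try ACS first, fall back to the enable secret (post 1's preference).
! Only people who hold the enable secret can escalate when ACS is down.
aaa authentication enable default group TACACS-GRP enable
!
! Exec authorization from ACS, local fallback; keeps privilege assignment in
! ACS while still allowing console/vty access during an outage.
aaa authorization exec default group TACACS-GRP local
!
! Local fallback accounts with distinct privilege levels and the enable secret.
! Use "secret" (hashed), never "password" (reversible type 7).
enable secret <enable-secret-placeholder>
username netops-operator privilege 1 secret <operator-secret-placeholder>
username netops-admin privilege 15 secret <admin-secret-placeholder>
!
! Alternative login fallback from post 1 would be:
!   aaa authentication login default group TACACS-GRP line
! That method checks the per-line "password" under "line vty"/"line con",
! so it only works if those lines actually have a password set.
!
line vty 0 4
 transport input ssh
 login authentication default
```

Whichever fallback you choose, test it before relying on it: shut the primary uplink, confirm `show tacacs` still reports the loopback as the source and the server as reachable over the secondary path, then temporarily block the server and verify that the fallback method admits exactly the accounts you expect and no more.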