Just some additional comments that may or may not help in your planning.
Most of the time it is multi-user environments that require tacacs+ support.
Often these same environments are where CSM is being used for management, and MARS is being used for monitoring.
Both CSM and MARS are built for multi-user environments, and I believe that CSM supports tacacs+ for logging into the CSM client. And I am fairly sure MARS also supports tacacs+.
When CSM and/or MARS accesses the sensor they will do so through a single account for all transmission of data regardless of which user requested the change, rather than trying to connect to the sensor using the same account through which the changes were made in CSM and/or MARS.
So at least for day to day monitoring and configuration activities you use tacacs when using CSM and MARS for those activities.
Then it is only the periodic troubleshooting requiring direct sensor access that won't fit into your tacacs+ model and local accounts would need to be used on the sensor.
I believe tacacs+ is on the roadmap for MARS, but it is currently not supported. Only local authentication is. You don't really use MARS for day to day management either though. All MARS really does today is collect the events.