I have a VPN tunnel between an ASA5520 and a Cisco 891.
I had the 891 configured with the following:
aaa group server tacacs+ VTY ip tacacs source-interface Loopback0 ! aaa group server tacacs+ TACACS-ACS server 10.8.x.x server 10.16.y.x ! aaa authentication login CONSOLE none aaa authentication login VTY group tacacs+ local aaa authorization exec VTY group tacacs+ local aaa authorization commands 0 VTY group tacacs+ aaa authorization commands 15 VTY group tacacs+ aaa accounting commands 15 VTY start-stop group tacacs+ aaa accounting commands 15 CONSOLE start-stop group tacacs+