Cisco 3650 Switch Integration with Tacacs ISE server

CSCO12094806
Level 1

Hi, we are trying to integrate a Cisco 3650 switch (WS-C3650-24TD-S) with a TACACS+ ISE server for SSH, Telnet, HTTP and console access.

 

Switch Model: WS-C3650-24TD-S

IOS: Denali 16.3.6

 

Could you please share any reference documents for this?

 

regards

ASAMED

Accepted Solution

omz
VIP Alumni

Have a look at these. 

 

How To: ISE TACACS+ Configuration for IOS Network Devices - 

https://community.cisco.com/t5/security-documents/how-to-ise-tacacs-configuration-for-ios-network-devices/ta-p/3631080

 

How To: ISE TACACS+ Configuration for Cisco NX-OS Network Devices - 

https://community.cisco.com/t5/security-documents/how-to-ise-tacacs-configuration-for-cisco-nx-os-network-devices/ta-p/3631609

 

Please rate helpful posts / solutions :)


2 Replies


Hi omc79,

Thanks for the valuable reference documents.

Yesterday we successfully configured TACACS+ authentication on the Cisco 3650 (config commands below).

 

tacacs server ISE-01
 address ipv4 192.168.100.1
 key 7 21305A00457A080457
!
tacacs server ISE-02
 address ipv4 192.168.100.2
 key 7 243B480925ACB85

 

! Authentication: the first server (ISE-01) is used; if it is not reachable the second server (ISE-02) is used; if both are unreachable, local authentication is used.
aaa authentication login ISE group tacacs+ local

 

! The named authentication list configured above is applied to the VTY lines.
line vty 0 4
 login authentication ISE

 

Could you please help me clarify the following?

 

1. Local users are not able to log in via Telnet/SSH. As I understand it, all Telnet or SSH users are authenticated against the TACACS+ server; if the server is reachable, the switch's local database is not checked for authentication, and only if the TACACS+ server is not reachable does the switch authenticate against its local database. Am I correct?

 

2. We need to configure authorization (please help me verify whether the commands below are correct).

 

aaa authorization config-commands
! Named authorization list for the exec shell
aaa authorization exec ISE group tacacs+ local
! Command authorization for privilege 1
aaa authorization commands 1 ISE group tacacs+ local
! Command authorization for privilege 15
aaa authorization commands 15 ISE group tacacs+ local

 

! The authorization lists configured above are applied to the VTY lines.
line vty 0 4
 authorization commands 1 ISE
 authorization commands 15 ISE
 authorization exec ISE

 

 

3. We need to configure accounting (please help me verify whether the commands below are correct).

 

! Accounting for the exec shell
aaa accounting exec default start-stop group tacacs+
! Accounting for privilege 1 commands
aaa accounting commands 1 default start-stop group tacacs+
! Accounting for privilege 15 commands
aaa accounting commands 15 default start-stop group tacacs+

 

Do we need to assign accounting under line vty as well?

 

Any clarification would be very much appreciated.
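A complete AAA configuration covering the three questions in the reply above (authentication, authorization, accounting), added here as an editorial example; it is not part of the original thread and not a Cisco-supplied document. It assumes the two ISE node addresses from the reply, a hypothetical management SVI Vlan100, and placeholder secrets (every REPLACE-… value is constructed). Two facts a practitioner should keep in mind when reading it: the `local` method in a method list is consulted only when no TACACS+ server answers, never after an explicit reject from ISE; and `key 7` strings such as those in the reply use Cisco's reversible type 7 encoding, so any backed-up or pasted config exposes the shared secret. IOS-XE can instead store TACACS+ keys AES-encrypted (shown as `key 6`) once `password encryption aes` and a master key are configured, which the example does.

```cisco
! Added example: full AAA model for TACACS+ against ISE on a Catalyst 3650 (IOS-XE 16.x).
! Assumptions (not from the thread): mgmt SVI Vlan100; all REPLACE-... values are placeholders.
!
! Store TACACS+ keys as type 6 (AES) instead of reversible type 7.
! The master key is not written to the running-config.
key config-key password-encrypt REPLACE-MASTER-KEY
password encryption aes
!
aaa new-model
!
! Local fallback account and enable secret, reachable only when no ISE node answers.
username admin privilege 15 secret REPLACE-LOCAL-PASSWORD
enable secret REPLACE-ENABLE-SECRET
!
tacacs server ISE-01
 address ipv4 192.168.100.1
 key REPLACE-SHARED-SECRET
 timeout 5
tacacs server ISE-02
 address ipv4 192.168.100.2
 key REPLACE-SHARED-SECRET
 timeout 5
!
! Servers are tried in listed order; ISE-02 is used only if ISE-01 does not respond.
aaa group server tacacs+ ISE-TACACS
 server name ISE-01
 server name ISE-02
!
! Source address must match the network device IP defined in ISE, or ISE drops the request.
ip tacacs source-interface Vlan100
!
! Authentication: 'local' is consulted only when no server responds, never after an ISE reject.
aaa authentication login ISE group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
!
! Authorization. Console sessions are exempt from AAA authorization unless enabled explicitly.
! 'if-authenticated' lets an already-authenticated user continue if ISE is unreachable,
! because the local database cannot authorize individual commands.
aaa authorization console
aaa authorization config-commands
aaa authorization exec ISE group ISE-TACACS local
aaa authorization commands 1 ISE group ISE-TACACS if-authenticated
aaa authorization commands 15 ISE group ISE-TACACS if-authenticated
!
! Accounting. A method list named 'default' is applied to every line automatically, so
! nothing is needed under 'line'; a named list would require 'accounting exec <name>' and
! 'accounting commands <level> <name>' on each line.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Named authentication/authorization lists do nothing until bound to a line.
line con 0
 login authentication ISE
 authorization exec ISE
 authorization commands 15 ISE
line vty 0 4
 login authentication ISE
 authorization exec ISE
 authorization commands 1 ISE
 authorization commands 15 ISE
 transport input ssh
line vty 5 15
 login authentication ISE
 authorization exec ISE
 authorization commands 1 ISE
 authorization commands 15 ISE
 transport input ssh
!
! Web UI: bind the same lists. Telnet and plain HTTP carry the TACACS+-authenticated
! credentials in clear text, so only SSH and HTTPS are enabled here.
no ip http server
ip http secure-server
ip http authentication aaa login-authentication ISE
ip http authentication aaa exec-authorization ISE
```

Apply this from a second, already-open session and keep that session open until a fresh SSH login through ISE has been confirmed, so a mistake in the lists cannot lock you out. `test aaa group ISE-TACACS admin REPLACE-PASSWORD legacy` exercises the server group without opening a session, and `show tacacs` shows per-server request and failure counters; if the counters stay at zero while logins fail, the source interface or the network device definition in ISE is the usual cause.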
