Remote AAA TACACS+ server configuration requirements

The user-supplied TACACS+ server must:
  • Have an IPv4/IPv6 address or fully qualified domain name (FQDN) that is visible to the switch.

  • Have a passkey (shared secret) that matches what is configured on the switch.

  • Provide username and password definitions for every switch user. Remote users do not require definition on the switch.

  • Assign user roles using TACACS+ attributes.

  • Have any needed command authorization configured to control which commands (per user or user role) can be executed on the switch.

NOTE:

Consult your TACACS+ server documentation for installation and general configuration details.

NOTE:

If SSH public key authentication is used, the key information is stored locally on the switch, making username and password definition on the TACACS+ server unnecessary.
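
The server-side requirements listed above, shown as an added example that is not part of the original documentation. It assumes the open-source Shrubbery tac_plus daemon as the user-supplied server and `priv-lvl` as the attribute that carries the role; the secret, group names, user names and privilege levels are constructed placeholders.

```conf
# Constructed example for the Shrubbery tac_plus daemon (an assumed server choice).
# Every name, secret and privilege level below is a placeholder.

# Passkey (shared secret): must be identical to the one configured on the switch.
key = "REPLACE_WITH_SHARED_SECRET"

# Role assignment: the role is returned to the switch as a TACACS+ attribute
# during authorization. priv-lvl is assumed here; check which attribute and
# values your switch maps to its user roles.
group = administrators {
    # Commands and services not listed are permitted for this group.
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = operators {
    # No "default service = permit" here, so anything not listed is denied.
    service = exec {
        priv-lvl = 1
    }
    # Command authorization: only these commands are executable on the switch.
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# User definitions: each switch user has an entry on the server, not on the switch.
user = alice {
    member = administrators
    # Password is checked through PAM (assumes a PAM-enabled build).
    login = PAM
}

user = bob {
    member = operators
    login = PAM
}
```

Keeping the restricted group on default-deny means a newly added command stays unavailable to it until someone explicitly permits it.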