Just the bare minimum:
! you probably have this already, if you don't; you should read up on it first aaa new-model ! use local users, and then all tacacs+ servers, to authenticate logins aaa authentication login default local group tacacs+ ! give enable to tacacs+ users aaa authentication enable default group tacacs+ ! send accounting records for when logins ('exec mode') begin and end aaa accounting exec default start-stop group tacacs+ ! send accounting records for config commands aaa accounting commands 15 default stop-only group tacacs+ ! send accounting records for outgoing connections made to other systems aaa accounting connection default start-stop group tacacs+ ! send system event account records (reloads etc) aaa accounting system default start-stop group tacacs+ ! OPTIONAL: On a router with multiple interfaces that could be chosen to ! reach the TACACS server it is best to specify one; we use Loopback addresses ! for iBGP peering, so it makes sense to use them here too ip tacacs source-interface Loopback0 ! define at least one tacacs server with some friendly $SERVERNAME tacacs server $SERVERNAME ! Set the TACACS+ server's ipv4 $ADDRESS (or ipv6, adjust accordingly) address ipv4 $ADDRESS ! Set the encryption $KEY to match the key configured on the TACACS+ server for this device key $KEY !
Now: BEFORE you log off, try to log in again and make sure you can still log in with your original local credentials.
If you can no longer login after making the above changes, you’ll need to fix that first before you disconnect to prevent you locking yourself out.