With TACACS+ servers, you should set up user accounts by their true network-wide identity, rather than by the account names created on a device. Along with each account name, you must assign appropriate device access roles. A user account can exist on TACACS+ servers with the same name as a user on the device at the same time.
When logging in to a device configured with a TACACS+ server, users enter their assigned TACACS+ account names and passwords when prompted. After the TACACS+ server authenticates a user, it responds with the assigned device role and user account information, using an Extreme Vendor-Specific Attribute (VSA). An Authentication-Accept response without the role assignment automatically grants the "user" role.
User accounts, protocols passwords, and related settings are configured by editing the server configuration files.