Configure TACACS+ authentication and authorization on R2.
Configure EXEC and commands accounting.
Configure TACACS+ single-connection on R2 and ACS to maintain a single open TCP connection, as demonstrated in the example following item 4.
Hidden issue: For all routers to be able to Telnet R2, you need to open a hole in ACL configured on R2, as demonstrated in the following example:
hostname r2 ! aaa new-model aaa authentication login vty tacacs+ none aaa authentication login con none aaa authentication ppp default local aaa authentication ppp isdn radius local aaa authorization exec vty tacacs+ none aaa authorization exec con none aaa authorization network default local aaa authorization network isdn radius ...