When I wrote this in 2011, it was after we tested my tac_plus and Cisco AAA commands - this was the production configuration (with some minor changes). We've played with several commands and both Field Techs and Managers groups weren't able to use any commands outside of what I defined in the tac_plus config.
Since I've left that company, I haven't been playing with tac_plus. Except the one I posted about adding 2FA to TACACS+. I had to spin up an Ubuntu Server 16.04 VM because of your comment to test it again. With my limited time of testing, I was able to replicate what I wanted to accomplish and it is shown below.
$ ssh tech@192.168.1.30
Password:
R1>en
Password:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int
R1(config)#interface g1
R1(config-if)#exit
R1(config)#int g2
R1(config-if)#shut
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#router eigrp 1
Command authorization failed.
R1(config)#banner login Test
Command authorization failed.
R1(config)#service password-encryption
Command authorization failed.
R1(config)#exit
R1#disable
Command authorization failed.
R1#exit
Connection to 192.168.1.30 closed by remote host.
Connection to 192.168.1.30 closed.
$ ssh manager@192.168.1.30
Password:
R1>en
Password:
R1#sh run | i line vty
line vty 0 4
R1#conf t
Command authorization failed.
R1#clear interface g1
Command authorization failed.
R1#exit
Connection to 192.168.1.30 closed by remote host.
Connection to 192.168.1.30 closed.
About your request for my Cisco IOS configuration, there is a Cisco Configuration section in this blog post that points you to another page in my site. For your convenience, this is the blog post that I used in combination of this tac_plus configuration.