This is a basic, working AAA TACACS+ configuration. Local fallback AAA is the local user cisco.

Line console uses local authentication unconditionally in below example. No matter if the TACACS server is running or not, local authentication only. The TACACS server group is called auth-server. The server auth-server contains 2 TACACS servers, host 10.255.255.1 and host 10.255.255.2.

configure
!
tacacs-server host 10.255.255.1 port 49
 key 7 0055415509421F070C204F5D021C1C
 timeout 1
!
tacacs-server host 10.255.255.2 port 49
 key 7 135445410615102B28252B203E270A
 timeout 1
!
username cisco
 group root-lr
 group cisco-support
 secret 5 $1$xE2F$K9GxT/QI1eosQhXS6y/2D/
!
aaa group server tacacs+ auth-server
 server 10.255.255.1
 server 10.255.255.2
!
aaa authorization exec default none
aaa authentication login default group auth-server local
!

The XR AAA command: aaa authorization exec default none has the same effect as the IOS AAA command: aaa authorization exec default group auth-server if-authenticated. The configuration states that if a user is authenticated, that user is also authorized.

If the line console should use TACACS+ AAA first then fallback to local AAA, use following additional configuration:

configure
!
line console
 login authentication default
!
commit

Short verification saves countless hours. Stop the TACACS+ daemon on both auth-servers, in shown example 10.255.255.1, 10.255.255.2 and verify if fallback authentication really works. If it does, then you are good prepared for a central AAA outage.