Mr Kevin, I gave you a possible workaround, but I want to document here for users with a similar problem.
I have never found out why, but for some reason, when you turn on remote authentication for management access, the user (Other External Users) that represents the users authenticated remotely can only have tmsh or no shell.
I searched the db keys and tmsh commands, I could not find anything that would change that behaviour.
The workaround I use for that is to create the user locally with the same name as the remote user.
Because the system is using remote authentication, it will not ask for the password, but will allow changing the terminal to advanced shell (as long you use a role that has that, like administrator).
Creating all users remotely and locally duplicates the work, this is why for some protocols there is a possibility to have the shell information in the remote server.
https://support.f5.com/csp/article/K14324
However, I don't know if there is something similar for TACACS+.