07-04-2013 05:03 AM - edited 03-10-2019 08:37 PM
Hi,
I'm a bit confused on when to use the SERVER A.B.C.D command or SERVER-PRIVATE A.B.C.D command in the following:
aaa group server tacacs+ acs-servers
server-private 10.1.2.2 single-connection key 7 12345
server-private 10.1.2.3 single-connection key 7 12345
What exactly is the difference between 'server-private' and 'server'? If it were to make a difference in RFC1918 and non-RFC1918 addresses, then what's the extra functionality?
Erik
07-04-2013 02:17 PM
Hello. Here the word "private" doesn't relate to RFC1918.
If you use the "server" command within the "aaa group server", this server could be used in other groups, sometimes unintentionally.
On the other hand, the "server-private" command within the "aaa group server" assures you this server will only be used by this group.
Please rate if this helps.
07-04-2013 05:52 PM
Use the server-private command to associate a particular private server with a defined server group. Private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (for example, default radius server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.
~BR
Jatin Katyal
**Do rate helpful posts**
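The scoping described in the two replies above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses a constructed IOS config and reports, per `aaa group server`, which members are references to global hosts (`server`) and which are group-private definitions (`server-private`), then lists global hosts referenced by more than one group. It assumes the legacy `tacacs-server host` / `server A.B.C.D` syntax; the `mgmt-servers` group and the 10.1.2.4 address are made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample config for illustration (not taken from a real device).
SAMPLE_CONFIG = """\
tacacs-server host 10.1.2.2 key 7 12345
!
aaa group server tacacs+ acs-servers
 server 10.1.2.2
 server-private 10.1.2.3 single-connection key 7 12345
!
aaa group server tacacs+ mgmt-servers
 server 10.1.2.2
 server-private 10.1.2.4 key 7 12345
!
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)")
MEMBER_RE = re.compile(r"^\s+(server-private|server) (\d+\.\d+\.\d+\.\d+)")

def audit_aaa_groups(config_text):
    """Return (groups, shared): per-group scoping and global hosts used by >1 group."""
    groups = {}
    current = None
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(2)
            groups[current] = {"global": [], "private": []}
            continue
        m = MEMBER_RE.match(line)
        if m and current:
            scope = "private" if m.group(1) == "server-private" else "global"
            groups[current][scope].append(m.group(2))
        elif not line.startswith(" "):
            current = None  # an unindented line ends the group sub-mode
    # A global host is only a reference, so several groups can point at it.
    users = defaultdict(list)
    for name, members in groups.items():
        for ip in members["global"]:
            users[ip].append(name)
    shared = {ip: names for ip, names in users.items() if len(names) > 1}
    return groups, shared

if __name__ == "__main__":
    groups, shared = audit_aaa_groups(SAMPLE_CONFIG)
    for name, members in groups.items():
        print(name, members)
    print("global hosts referenced by several groups:", shared)
```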
07-05-2013 01:38 AM
Ok thanks! This helps!
- What practical benefit would it give to hide servers from other groups? What kind of scenario could that be?
- Say I would want to use the servers I mentioned for Tacacs AND Radius, does that mean I should not be using 'server-private'?
Erik
04-09-2025 04:59 AM
In the context of aaa group server, both server and server-private are used to define TACACS+ (or RADIUS) servers, but there's a subtle yet important distinction between them:
Used to configure a shared/public server.
Typically refers to a server that might be used by multiple clients or systems.
You'd commonly use this for a corporate ACS server or centralized authentication service.
Used when you want to define a server with private attributes, especially when:
- You want to embed the key (like the key 7 ...) in the configuration in a way that’s not shared globally.
- You are dealing with per-client secrets (so one client uses a different key than another).
- You need specific behaviors such as single-connection, or other session optimizations.
Not directly related. Whether the IP is RFC1918 (private) or public doesn't affect whether you use server or server-private. It’s more about control, security, and session behavior. You can absolutely use either for public or private IPs.
Use server-private when:
- You want per-server secrets.
- You want options like single-connection.
- You're using private, non-global configurations.
Use server when:
- You have standard/shared server configs.
- You don’t need specialized options.
Let me know if you want an example config or want to dive into the behavior of single-connection too!