Hi guys,
I came across an issue where a "Command Authorization Failed" error would pop up on a device upon issuing ANY command, including exit. It turned out to be missing just two lines of configuration, which were the following:
tacacs-server host 10.X.X.4 key 7 ABCDEFGHIJKLMNOPQRSTUV
tacacs-server host 10.Y.X.4 key 7 AABBCCDDEEFFGGHHIIJJKK
My question however is, we already have a server-group defined as a private server, as seen in the configuration below.
aaa group server tacacs+ TACACS_GROUP
server-private 10.X.X.4 key 7 ABCDEFGHIJKLMNOPQRSTUV
server-private 10.Y.X.4 key 7 AABBCCDDEEFFGGHHIIJJKK
!
aaa authentication login default group TACACS_GROUP local
aaa authentication login Console line
aaa authorization config-commands
aaa authorization exec default group TACACS_GROUP none
aaa authorization commands 0 default group TACACS_GROUP none
aaa authorization commands 1 default group TACACS_GROUP none
aaa authorization commands 15 default group TACACS_GROUP none
aaa accounting commands 15 default start-stop group TACACS_GROUP
Why does the router still use the global config parameters to communicate with the server?
In "show tacacs", it can be seen that login authentication increments the "private" server counters, while any command issued increments the "public" server counters.
Tacacs+ Server - public : 10.X.X.4/49
Socket opens: 114
Socket closes: 114
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 114
Total Packets Recv: 79
--- output omitted ---
Tacacs+ Server - private : 10.X.X.4/49
Socket opens: 81
Socket closes: 80
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 87
Total Packets Recv: 24
--- output omitted ---
Can we consolidate everything into using just the private server configuration? If so, how do I do so?
Hope some of you out there can help.
Thank you very much in advance.
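As an added example (not from the original post or from Cisco), here is a small Python audit script that parses an IOS-style AAA configuration like the one quoted above and reports the two things worth checking before consolidating: servers that are defined both globally with tacacs-server host and inside a group as server-private, and authorization method lists whose last method is none (which lets commands through unauthorized whenever the TACACS+ group is unreachable). It also flags type 7 keys, which are reversibly obfuscated rather than hashed. The sample config is constructed from the post's placeholder addresses and keys.

```python
import re

# Constructed sample, modelled on the configuration quoted in the post
# (placeholder addresses and keys, not real values).
SAMPLE_CONFIG = """\
tacacs-server host 10.X.X.4 key 7 ABCDEFGHIJKLMNOPQRSTUV
tacacs-server host 10.Y.X.4 key 7 AABBCCDDEEFFGGHHIIJJKK
aaa group server tacacs+ TACACS_GROUP
 server-private 10.X.X.4 key 7 ABCDEFGHIJKLMNOPQRSTUV
 server-private 10.Y.X.4 key 7 AABBCCDDEEFFGGHHIIJJKK
!
aaa authentication login default group TACACS_GROUP local
aaa authorization config-commands
aaa authorization exec default group TACACS_GROUP none
aaa authorization commands 15 default group TACACS_GROUP none
aaa accounting commands 15 default start-stop group TACACS_GROUP
"""

def audit_aaa(config):
    """Parse an IOS-style AAA config and return a list of finding strings."""
    global_servers, groups, findings = {}, {}, []
    current = None                                    # group block being read
    for line in config.splitlines():
        m = re.match(r"tacacs-server host (\S+) key (\d+)", line)
        if m:
            global_servers[m.group(1)] = m.group(2)   # ip -> key encoding type
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {}
            continue
        m = re.match(r"\s+server-private (\S+) key (\d+)", line)
        if m and current:
            groups[current][m.group(1)] = m.group(2)
            continue
        current = None                                # any other line ends the block
        # A trailing "none" method means authorization succeeds if the group is unreachable.
        m = re.match(r"aaa authorization (.+?) default (.*)", line)
        if m and m.group(2).split()[-1] == "none":
            findings.append(f"authorization '{m.group(1)}' falls back to none")
    for name, servers in groups.items():
        for ip, ktype in servers.items():
            if ip in global_servers:
                findings.append(f"{ip} defined both globally and in group {name}")
            if ktype == "7":
                findings.append(f"{ip} in group {name} uses reversible type 7 key")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_aaa(SAMPLE_CONFIG)))
```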