I'm trying get TACACS working on a Catalyst 3650 with IOS Version 15.0(1)SE2, RELEASE SOFTWARE (fc3). I believe my AAA model is defined correctly since it doesn't work properly until the switch is rebooted then I have to remove the TACACS server group and add it back in in order to get it to work. I can still logon via SSH but authorization fails when I try enter any commands under the privileged  exec mode which tells me the authentication piece is still working but the authorization step fails. I confirmed it in ACS as well. Below is my config hope someone has an idea on how to resolve this issue thanks for the help.

aaa group server tacacs+ X
server name auth1
server name auth2

aaa authentication login default local
aaa authentication login TacLogin group X local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec TacAuth group X local
aaa authorization commands 0 default local
aaa authorization commands 0 TacCommands0 group X local
aaa authorization commands 1 default local
aaa authorization commands 1 TacCommands1 group X local
aaa authorization commands 15 default local
aaa authorization commands 15 TacCommands15 group X local
aaa accounting exec default start-stop group X
aaa accounting commands 15 default start-stop group X

ip tacacs source-interface VlanXXX

!
tacacs server auth1
address ipv4 xxx.xxx.xxx.xxx
key 7 xxxxx
timeout 5
tacacs server auth2
address ipv4 xxx.xxx.xxx.xxx
key 7 xxxxx
timeout 5