About authentication fail-through and authorization

For authorization, there is no equivalent of the authentication fail-through feature. Therefore, if the first reachable TACACS+ server responds with "Authorization Denied," no additional TACACS+ servers are interrogated.


A rare out-of-synchronization situation can occur when authentication fail-through is in use: successful authentication on one server can be followed by authorization denial on another, because the user is known on the server performing the authentication but unknown on the server attempting the authorization. This situation typically arises only during brief periods in which user credential databases are not synchronized across all TACACS+ servers. See also TACACS+ server authorization considerations in aaa authorization commands default.
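The following added example (not part of the original documentation and not switch code) models the two lookups and lists users who would hit the mismatch described above. It assumes that fail-through means a reject from one server causes the next server to be tried, and it reduces each credential database to a set of usernames; the server names, usernames and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TacacsServer:
    name: str
    users: set = field(default_factory=set)  # stand-in for the credential database
    reachable: bool = True

def authenticate(servers, user, fail_through=True):
    """Return the name of the server that accepts the user, else None."""
    for srv in servers:
        if not srv.reachable:
            continue                 # unreachable: try the next server
        if user in srv.users:
            return srv.name
        if not fail_through:
            return None              # a reject from the first reachable server is final
    return None

def authorize(servers, user):
    """Ask only the first reachable server; its answer is final."""
    for srv in servers:
        if srv.reachable:
            return srv.name, user in srv.users
    return None, False

def out_of_sync_users(servers):
    """Map user -> (authenticating server, denying server) for the mismatch case."""
    findings = {}
    for user in sorted(set().union(*(s.users for s in servers))):
        accepted_by = authenticate(servers, user)
        decided_by, allowed = authorize(servers, user)
        if accepted_by and not allowed:
            findings[user] = (accepted_by, decided_by)
    return findings

# Constructed sample: "bob" was added on tac2 but not yet replicated to tac1.
SERVERS = [
    TacacsServer("tac1", {"alice"}),
    TacacsServer("tac2", {"alice", "bob"}),
]

if __name__ == "__main__":
    for user, (auth_srv, deny_srv) in out_of_sync_users(SERVERS).items():
        print(f"{user}: authenticated by {auth_srv}, authorization denied by {deny_srv}")
```

Run against an export of each server's user list in the configured server order, an empty result means no account can authenticate through fail-through and then be denied authorization by the first reachable server.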