Authorization in TACACS+ takes place via two types of messages being exchanged between the NAS and the TACACS+ server.
The authorization process starts with the NAS sending an authorization REQUEST packet to the TACACS+ server. The REQUEST packet can contain information about the services or privileges that the NAS wants the AAA server to authorize the client to have. The server replies with a RESPONSE message. This RESPONSE message can specify any of the following five statuses:
The FAIL status simply means that the services or privileges that were requested to be authorized for the client by the NAS are not to be given to the client.
If the status is set to PASS_ADD, arguments specified ...