Configuring AAA

TACACS Failthrough:

When using fail-through, if the primary TACACS server fails to respond within a specified timeout period, the authentication request is automatically forwarded to the next authentication method configured, such as a local database or a different authentication server.

If fail-through is disabled and the system fails to authenticate with a reachable TACACS+ server, the system does not attempt to authenticate with the next TACACS+ server.

TACACS Fallback:

The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.

Fallback operates at the AAA (Authentication, Authorization, and Accounting) level, allowing the network device or system to switch to the secondary TACACS server when the primary server is not available.

In summary, failthrough refers to the process of falling back to an alternative authentication method if the primary TACACS server fails to respond, while fallback involves switching to a backup TACACS server when the primary server is unavailable for AAA services.

Configuring AAA

You can configure Authentication, Authorization and Accounting (AAA) using the following command:

[no] aaa authentication (failthrough disable | fallback disable | login tacacs)

AAA configuration

pbnoscli# configure terminal 
pbnoscli(config)# aaa authentication 
  failthrough           Configure failthrough, default : enable
  fallback              Configure fallback, default : enable
  login                 Configure login, default : local
pbnoscli(config)# aaa authentication failthrough disable
pbnoscli(config)# aaa authentication fallback disable
pbnoscli(config)# aaa authentication login tacacs

You can verify the configuration by using the command(s) below:

pbnoscli# show aaa authentication 
Type            Value          
Failthrough        Disabled          
Fallback           Disabled    
login              tacacs   
pbnoscli# show running-config 
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
interface mgmt
ip address gateway
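
To audit these settings across saved configurations, the following added example (not part of the product or its documentation) parses `show running-config` text and reports the effective AAA values using the defaults shown in the CLI help above. The function names and review notes are hypothetical, and it assumes that the `no` form restores the default and that `tacacs+` and `tacacs` name the same login value.

```python
import re

# Defaults taken from the CLI help text shown on this page.
DEFAULTS = {"failthrough": "enable", "fallback": "enable", "login": "local"}
AAA_LINE = re.compile(
    r"^(no\s+)?aaa authentication (failthrough|fallback|login)\s+(\S+)$")

# AAA-relevant lines from the page's own "show running-config" output.
PAGE_CONFIG = """\
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
interface mgmt
"""

def effective_aaa(running_config):
    """Return the effective AAA settings, applying defaults for absent lines."""
    settings = dict(DEFAULTS)
    for raw in running_config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if not m:
            continue
        negated, key, value = m.groups()
        if negated:
            settings[key] = DEFAULTS[key]      # assumption: "no" restores the default
        elif key == "login":
            settings[key] = value.rstrip("+")  # assumption: tacacs+ == tacacs
        else:
            settings[key] = value
    return settings

def review(settings):
    """Flag settings a reviewer would want to confirm (hypothetical policy)."""
    notes = []
    if settings["login"] != "tacacs":
        notes.append("login is not tacacs; authentication uses " + settings["login"])
    if settings["failthrough"] == "enable":
        notes.append("failthrough enabled: a request can pass to the next method")
    if settings["login"] == "tacacs" and settings["fallback"] == "disable":
        notes.append("fallback disabled: no alternative if TACACS is unavailable")
    return notes

if __name__ == "__main__":
    current = effective_aaa(PAGE_CONFIG)
    print(current)
    for note in review(current):
        print("REVIEW:", note)
```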