Configuring AAA
TACACS Failthrough:
When using fail-through, if the primary TACACS server fails to respond within a specified timeout period, the authentication request is automatically forwarded to the next authentication method configured, such as a local database or a different authentication server.
If fail-through is disabled and the system fails to authenticate with a reachable TACACS+ server, the system does not attempt to authenticate with the next TACACS+ server.
TACACS Fallback:
The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.
Fallback operates at the AAA (Authentication, Authorization, and Accounting) level, allowing the network device or system to switch to the secondary TACACS server when the primary server is not available.
In summary, failthrough refers to the process of falling back to an alternative authentication method if the primary TACACS server fails to respond, while fallback involves switching to a backup TACACS server when the primary server is unavailable for AAA services.
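The interaction of the two settings, as an added Python model that is not the device's code and not part of the original page. It assumes that fail-through decides what happens after a reachable server rejects a login and that fallback decides what happens after a server times out; the method names and outcomes are constructed.

```python
from enum import Enum
from itertools import product


class Outcome(Enum):
    ACCEPT = "accept"    # method reachable, credentials accepted
    REJECT = "reject"    # method reachable, credentials refused
    TIMEOUT = "timeout"  # method did not answer within the timeout


def authenticate(methods, failthrough=True, fallback=True):
    """Walk an ordered list of (name, Outcome) pairs.

    Returns (granted, decided_by, tried). Assumed semantics:
    a REJECT stops the walk unless failthrough is enabled,
    a TIMEOUT stops the walk unless fallback is enabled.
    """
    tried = []
    for name, outcome in methods:
        tried.append(name)
        if outcome is Outcome.ACCEPT:
            return True, name, tried
        if outcome is Outcome.REJECT and not failthrough:
            return False, name, tried
        if outcome is Outcome.TIMEOUT and not fallback:
            return False, name, tried
    return False, None, tried  # every configured method was exhausted


def granted_after_reject(chain, failthrough, fallback):
    """List outcome combinations where a login that an earlier method
    rejected is still granted by a later one (the case to review when
    fail-through is left enabled)."""
    hits = []
    for combo in product(Outcome, repeat=len(chain)):
        granted, by, tried = authenticate(list(zip(chain, combo)),
                                          failthrough, fallback)
        if granted and Outcome.REJECT in combo[:len(tried) - 1]:
            hits.append(([o.value for o in combo], by))
    return hits


if __name__ == "__main__":
    chain = ["tacacs-1", "tacacs-2", "local"]  # constructed method order
    for ft, fb in product([True, False], repeat=2):
        n = len(granted_after_reject(chain, ft, fb))
        print(f"failthrough={ft} fallback={fb}: {n} reject-then-grant paths")
```

With fail-through disabled the model yields no path in which a rejected login is later granted, which is why the setting matters when a local account database sits behind the TACACS+ servers.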
Configuring AAA
You can configure the Authentication, Authorization and Accounting (AAA) using the following command:
Reference
Command | [no] aaa authentication (failthrough disable | fallback disable | login tacacs) |
Description | AAA configuration |
Parameters | None |
Mode | CONFIG |
Example
You can verify the configuration by using the command(s) below: