Local authentication process

When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions are met:

Local
is the authentication option for the access method being used.
The switch is configured to query one or more TACACS+ servers for a primary authentication request, but has not received a response, and Local is the configured secondary option.

For local authentication, the switch uses the operator-level and manager-level user name/password sets previously configured locally on the switch. These are the user names and passwords you configure using the CLI password command, or the WebAgent.

If the operator at the requesting terminal correctly enters the user name/password pair for either access level (operator or manager), access is granted on the basis of which user name/password pair was used. For example, consider configuring Telnet primary access for TACACS+ and Telnet secondary access for local. If a TACACS+ access attempt fails, you can still get either the operator or manager level access by entering the correct user name/password pair for the level you want to enter.
If the user name/password pair entered at the requesting terminal does not match local user name/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a user name/password pair. In the default configuration, the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.