TACACS+ server redundancy and access sequence
To prevent authentication and authorization interruption, it is common practice to configure more than one TACACS+ server. When identifying TACACS+ servers to the switch, the server group order (and the server order within each group) determines the server access order.
When defining the server access sequence for authentication with aaa authentication login default, there is an implied local included as the last item in the list. If no TACACS+ server can be reached, local authentication will be attempted.
When defining the server access sequence for authorization with aaa authorization commands default, it is recommended to always include none as the last item in the list. Without none, if no TACACS+ server can be reached, user command authorization is impossible.
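The check below is an added example, not code from this documentation or the switch vendor: it reads the two default method lists from a saved configuration, applies the implied local to authentication only, and reports an authorization list that does not end in none. The sample configuration, the server group names tac_primary and tac_backup, and the "group <name> ..." method-list syntax are assumptions made for the example.

```python
import re

# Constructed sample config. The "group <name> ..." syntax and the group
# names are assumptions for this example, not taken from the page.
SAMPLE_CONFIG = """\
aaa authentication login default group tac_primary tac_backup
aaa authorization commands default group tac_primary tac_backup
"""

AAA_LINE = re.compile(
    r"^aaa\s+(authentication\s+login|authorization\s+commands)\s+default\s+(.+)$"
)

def effective_methods(config_text):
    """Return the default method lists, in access order, keyed by AAA kind."""
    result = {}
    for line in config_text.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        kind = m.group(1).split()[0]  # "authentication" or "authorization"
        methods = [tok for tok in m.group(2).split() if tok != "group"]
        # Authentication has an implied trailing "local"; authorization has
        # no implied fallback, so its list is used exactly as written.
        if kind == "authentication" and "local" not in methods:
            methods.append("local")
        result[kind] = methods
    return result

def deciding_method(methods, reachable_groups):
    """First method able to answer: a reachable group, or local/none."""
    for method in methods:
        if method in ("local", "none") or method in reachable_groups:
            return method
    return None  # nothing can answer

def audit(config_text):
    """Flag an authorization list that does not end in "none"."""
    findings = []
    authz = effective_methods(config_text).get("authorization")
    if authz is not None and authz[-1] != "none":
        findings.append(
            "authorization commands default: no trailing 'none'; command "
            "authorization is impossible if no TACACS+ server can be reached"
        )
    return findings
```

Calling deciding_method with an empty set of reachable groups models a full TACACS+ outage: the authentication list still resolves to local, while the authorization list in the sample resolves to nothing.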