TACACS+ server redundancy and access sequence

To prevent authentication and authorization interruption, it is common practice to configure more than one TACACS+ server. When identifying TACACS+ servers to the switch, server group order (and server order within the group), determines server access order.

NOTE:

When defining the server access sequence for authentication with aaa authentication login default, there is an implied local included as the last item in the list. If no TACACS+ server can be reached, local authentication will be attempted.

NOTE:

When defining the server access sequence for authorization with aaa authorization commands default, it is recommended to always include none as the last item in the list. Without none, if no TACACS+ server can be reached, user command authorization is impossible.