TACACS+ server redundancy and access sequence
To prevent authentication and authorization interruption, it is common practice to configure more than one TACACS+ server. When identifying TACACS+ servers to the switch, server group order (and server order within the group), determines server access order.
NOTE:
When defining the server access sequence for authentication with
aaa authentication login default, there is an implied
local included as the last item in the list. If no TACACS+ server can be reached, local authentication will be attempted.
NOTE:
When defining the server access sequence for authorization with
aaa authorization commands, it is recommended to always include either
local or
none as the last item in the list.