
auth-fallback

system aaa auth-fallback—Configure authentication to fall back to a secondary or tertiary authentication mechanism when the higher-priority authentication method fails to authenticate a user, either because the user has entered invalid credentials or because the authentication server is unreachable (or all authentication servers are unreachable). By default, authentication fallback is disabled.

The fallback process applies to both SSH sessions and console connections to an overlay network device.

Enable authentication fallback if you want the next authentication method to attempt to authenticate the user even when the user is rejected by the first or second method.

vManage Feature Template

For all Viptela devices:

Configuration ► Templates ► AAA

Command Hierarchy

system
 aaa
  auth-fallback

Options

None

Operational Commands

show running config

Example

Display the AAA configuration. If authentication fallback is enabled, the auth-fallback command is shown in the configuration:

vEdge# show running-config system aaa   
system
 aaa
  auth-order local radius
  auth-fallback
 !
!

The following examples illustrate the default authentication behavior and the behavior when authentication fallback is enabled:

  • If the authentication order is configured as radius local:
    • With the default authentication, local authentication is used only when all RADIUS servers are unreachable. If an authentication attempt via a RADIUS server fails, the user is not allowed to log in even if they have provided the correct credentials for local authentication.
    • With authentication fallback enabled, local authentication is used when all RADIUS servers are unreachable or when a RADIUS server denies access to a user.
  • If the authentication order is configured as local radius:
    • With the default authentication, RADIUS authentication is tried when a username and matching password are not present in the running configuration on the local device.
    • With authentication fallback enabled, RADIUS authentication is tried when a username and matching password are not present in the running configuration on the local device. In this case, the behavior with and without authentication fallback is identical.
  • If the authentication order is configured as radius tacacs local:
    • With the default authentication, TACACS+ is tried only when all RADIUS servers are unreachable, and local authentication is tried only when all TACACS+ servers are unreachable. If an authentication attempt via a RADIUS server fails, the user is not allowed to log in even if they have provided the correct credentials for the TACACS+ server. Similarly, if a TACACS+ server denies access, the user cannot log in via local authentication.
    • With authentication fallback enabled, TACACS+ authentication is used when all RADIUS servers are unreachable or when a RADIUS server denies access to a user. Local authentication is used next, when all TACACS+ servers are unreachable or when a TACACS+ server denies access to a user.
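The decision rules in the examples above can be written out as a small model, which makes the difference between "server unreachable" and "server denies" easy to reason about before changing a production AAA template. The following Python is an added example written for this page; it is not Viptela or vManage code and does not talk to a device. It assumes that within one method the first server that answers decides the verdict (a method counts as unreachable only when every one of its servers is), and that a local lookup miss always hands off to the next method, which is what the local radius case on this page describes. The method names and per-server outcomes are constructed inputs.

```python
from enum import Enum

# Added example: a model of the auth-order / auth-fallback decision described
# on this page.  Method names and server outcomes below are constructed inputs,
# not device output.


class Verdict(Enum):
    ACCEPT = "accept"            # server reachable, credentials valid
    DENY = "deny"                # server reachable, credentials rejected
    UNREACHABLE = "unreachable"  # no answer from the server


def method_verdict(server_results):
    """Collapse the per-server results of one method into a single verdict.

    Assumption: the first server that answers decides; the method is
    unreachable only when every server in the list is unreachable.
    """
    for result in server_results:
        if result is not Verdict.UNREACHABLE:
            return result
    return Verdict.UNREACHABLE


def authenticate(auth_order, outcomes, auth_fallback=False):
    """Walk the auth-order list and return (accepted, deciding_method, trail).

    outcomes maps a method name ("radius", "tacacs", "local") to the list of
    per-server results for this login attempt.  Rules taken from the page:
      - an unreachable method always hands off to the next method;
      - "local" hands off when the username/password is not in the running
        configuration, with or without auth-fallback;
      - a denial by a remote server (RADIUS, TACACS+) ends the login unless
        auth-fallback is enabled, in which case the next method is tried.
    A method missing from outcomes is treated as unreachable (assumption).
    """
    trail = []
    for method in auth_order:
        verdict = method_verdict(outcomes.get(method, [Verdict.UNREACHABLE]))
        trail.append((method, verdict))
        if verdict is Verdict.ACCEPT:
            return True, method, trail
        if verdict is Verdict.UNREACHABLE:
            continue
        # verdict is DENY: local misses and fallback both move on
        if method == "local" or auth_fallback:
            continue
        return False, method, trail
    # every configured method was tried and none accepted the user
    return False, None, trail


def page_scenarios():
    """Re-run the scenarios listed on this page; returns {label: (ok, method)}."""
    A, D, U = Verdict.ACCEPT, Verdict.DENY, Verdict.UNREACHABLE
    radius_denies = {"radius": [D], "local": [A]}        # constructed
    radius_down = {"radius": [U, U], "local": [A]}       # constructed
    no_local_user = {"local": [D], "radius": [A]}        # constructed
    three_tier = {"radius": [U], "tacacs": [D], "local": [A]}  # constructed
    cases = {
        "radius local, default, RADIUS denies": (["radius", "local"], radius_denies, False),
        "radius local, default, RADIUS down": (["radius", "local"], radius_down, False),
        "radius local, fallback, RADIUS denies": (["radius", "local"], radius_denies, True),
        "local radius, default, no local user": (["local", "radius"], no_local_user, False),
        "local radius, fallback, no local user": (["local", "radius"], no_local_user, True),
        "radius tacacs local, default": (["radius", "tacacs", "local"], three_tier, False),
        "radius tacacs local, fallback": (["radius", "tacacs", "local"], three_tier, True),
    }
    return {label: authenticate(order, out, fb)[:2] for label, (order, out, fb) in cases.items()}


if __name__ == "__main__":
    for label, (ok, method) in page_scenarios().items():
        print(f"{label:45} -> {'accept' if ok else 'reject':7} (decided by {method})")
```

The trail returned by authenticate is the part worth keeping in a change review: with auth-fallback enabled, a denial from the central RADIUS or TACACS+ server no longer ends the login, so a user the central server rejected can still be accepted by a later method, and the local accounts configured on the device then need the same password and monitoring discipline as the central server.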

Release Information

Command introduced in Viptela Software Release 15.2.8.
In Release 17.2, support was added for the authentication order process on console connections.
