AAA Authentication on Cisco IOS

Hello Nipun

If authentication fails due to incorrect credentials with the primary method, the fallback method will NOT be tried. The fallback mechanism comes into effect only when the primary server is unreachable or unresponsive, not when authentication fails due to incorrect credentials.

This makes sense because if someone tries to log in using brute force and fails, you can consider them an illegitimate user. If you were legitimate, you would know the password. So you don’t want to give an illegitimate user that may continue their brute force attack a second chance to try to connect again. So when a user provides incorrect credentials for the primary method, the device will return an authentication failure and will not proceed to try the fallback method.

The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.

I hope this has been helpful!

Laz

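The fallback rule described in the reply above, as an added example that is not part of the original post and is not Cisco's code: a small Python model of walking a method list, where only an unavailable method (ERROR) moves on to the next one and a rejection (FAIL) ends the attempt. The method names, user databases and passwords are constructed for illustration.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method did not answer (server down, timeout)


# Constructed sample data: a remote server's users and the local database.
SERVER_USERS = {"alice": "s3rverPw"}
LOCAL_USERS = {"admin": "l0calPw"}


def server_group(user, password, reachable):
    """Primary method: a remote AAA server group (hypothetical name)."""
    if not reachable:
        return Result.ERROR
    return Result.PASS if SERVER_USERS.get(user) == password else Result.FAIL


def local_db(user, password, reachable=True):
    """Fallback method: the device's local user database, always available."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def authenticate(method_list, user, password, server_reachable):
    """Walk the method list in order; return (granted, methods_tried)."""
    tried = []
    for name, method in method_list:
        tried.append(name)
        result = method(user, password, server_reachable)
        if result is Result.PASS:
            return True, tried
        if result is Result.FAIL:
            # A definitive rejection ends the attempt: no fallback.
            return False, tried
        # Result.ERROR: the method is unavailable, so try the next one.
    return False, tried  # every method in the list was unavailable


# Primary method first, fallback second (order is what matters).
METHOD_LIST = [("server-group", server_group), ("local", local_db)]
```

In this model the local `admin` account is refused while the server is reachable, because the server answers with a rejection and the list stops there; it is accepted only once the server stops responding.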