Local privilege authorization fallback

I am going through the exam topics that I did not do so well on and I found this topic, but I haven’t found any information about it on this website. I was hoping someone could elaborate on this topic for me. I assume it is a a method of using local usernames and passwords configured on the Cisco device when the radius server or Tacacs+ server is unavailable.

Hello Kevin

The local privilege authorization fallback does indeed have to do with a method of using the local usernames and passwords to authorize users into the device in the event that a RADIUS or TACACS+ server is unavailable. This can be done using the following command for example:

aaa authorization exec default group tacacs+ local

By listing the sources of authorization in order, we can state that the local database is the fallback method. Now this allows authorization via the configured tacacs+ and if that is unavailable, it will use the local database.

Now there is an additional parameter that you can use, and this can be seen here:

aaa authorization exec default group tacacs+ local if-authenticated

The if-authenticated keyword is used here for situations where a user has been authenticated using TACACS+ however, during the session, the TACACS+ server goes down, the user can still continue doing configuration. If this option is not added, once the TACACS+ server goes down, authorization fails, and the user is no longer authorized and cannot continue to configure.

Both of these concepts are included in this specific exam topic.

I hope this has been helpful!



Thank you so much for your reply! I am glad I have some configuration examples to look at now. I understand this topic much better and look forward to labing it up!

Scott Weller

1 Like