Order of authentication
If the system is configured for authentication chaining, the order of authentication is based on the authentication chaining. For more information about the authentication chaining method, see Authentication chaining method.
If the system is not configured using the authentication chaining method, then by default, the system looks first for configured TACACS+ servers, then for configured RADIUS servers, and finally in the local user database. If a server configuration is found, the system queries the first configured server of that type by using the configured secret. After the query is validated, the server authenticates the user from information in its database.
TACACS+ and RADIUS servers are queried in the order in which they were configured. If a query times out, the next server in the list is queried. If all queries fail, the system attempts to authenticate the user through the local vRouter authentication database. If local authentication fails, the access attempt is rejected.
When the system is configured for TACACS+ and a user is configured on it and on the local user database, the login attempt fails if the user fails authentication on TACACS+. The local user database is used only when the user does not exist on the TACACS+ server or that server becomes unavailable.