I have TACACS+ working and now I am trying to set it up so that it will failover locally if the TACACS+ server is unavailable.
My goal is for it to check the TACACS server first, then failover if it is not contactable.
It is my understanding that the below configuration line would achieve this, with the word "local" coming AFTER the "group tacacs+" command to achieve this:
aaa authentication login vtymethod group tacacs+ local
Test: I disable the TACACS service on the server and try and authenticate with a local user and am told that the user is not in a group (like it was being rejected by TACACS).
I can achieve the end goal as stated above with the following command line instead:
aaa authentication login vtymethod local group tacacs+
So that it checks if the user is firstly available locally first... it was ALWAYS my understanding that putting it last would allow it to failover and would like TACACS to be checked first...
Any tips on where I am going wrong here?