...
TACACS+/RADIUS server is reachable and TACACS+/RADIUS service is configured | TACACS+/RADIUS server is unreachable or TACACS+/RADIUS service is not configured | |
Console Login | Allow to login only if pass authentication form TACACS+ server. After successful login, if the TACACS+ server goes down, the user will be logged out and asked to re-log in. | Generate a syslog and fallback to local authentication. Allow to login if pass local authentication. After successful login, local authorization will be performed. |
Network (INTERFACE/VLAN/MGMT Port/INBAND) Login | By default, generate a syslog and do nothing else. User can configure to enable local authentication fallback function to fallback to local authentication and authorization in this case. For details about local authentication fallback function, see /wiki/spaces/PicOS44sp/pages/4294451 set system aaa local-auth-fallback disable. |
Console Login:
- If the TACACS+/RADIUS server is reachable and the TACACS+/RADIUS service is configured, the system uses TACACS/RADIUS server for authentication. Access will be denied on failure. After successful login, if the TACACS+ server goes down, the user will be logged out and asked to re-log in.
...
- If the TACACS+/RADIUS server is unreachable or the TACACS+/RADIUS service is not available, by default, the system generates a syslog and does nothing else. However, user can configure local authentication fallback function to perform local authentication and authorization. For details about local authentication fallback function, see /wiki/spaces/PicOS44sp/pages/4294451 set system aaa local-auth-fallback disable.
User Level Mapping
If users login to PICOS via TACACS+/RADIUS, PICOS will not create new users in Linux platform. There is a mapping relationship between user level configured on AAA server and PICOS local user. The following table lists the mapping relationship between TACACS+ user and local user.
...