TACACS+ Server Down — Falling Back to RADIUS Properly
Presenting Symptom
Users in the branch office can authenticate for network access, but administrative login to network devices fails intermittently.
Network Context
A small branch office with a Cisco Catalyst 9300 switch (IOS XE 17.3) and a Cisco ISR 1100 router. The network uses TACACS+ as the primary AAA protocol for device administration, with RADIUS configured as a fallback for network access (802.1X). The AAA server is a single Cisco ISE node (TACACS+ and RADIUS services). The branch connects to the corporate HQ via a WAN link.
Diagnostic Steps
Check AAA server reachability
ping 192.168.1.100
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
If the ping fails, the server is unreachable (a network issue). If the ping succeeds, the problem is likely at the application layer, i.e. the TACACS+ or RADIUS service itself rather than IP reachability.
Verify TACACS+ server configuration
show running-config | section tacacs
tacacs server ISE
 address ipv4 192.168.1.100
 key cisco123
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
Ensure the TACACS+ server is defined with the correct IP address and key. If it is missing, authentication falls back to local or fails.
Check TACACS+ authentication attempts
debug tacacs
TAC+: Opening TCP/IP connection to 192.168.1.100/49
TAC+: Connection timed out
TAC+: Trying next server (if any)
TAC+: Falling back to local authentication
If you see 'Connection timed out', the TACACS+ server is not responding on TCP 49. The device falls back to local authentication (if configured). If fallback to RADIUS is desired, it must be explicitly configured in the method list.
Check RADIUS server configuration
show running-config | section radius
radius server ISE
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key cisco123
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
If RADIUS is configured for authentication but TACACS+ is the primary method, the device does not automatically fall back to RADIUS for admin login, because TACACS+ and RADIUS are separate server groups in the method list. The 'aaa authentication login default' line must name both groups.
Check AAA method lists for login
show running-config | include aaa authentication login
aaa authentication login default group tacacs+ local
The default method list only uses TACACS+ then local. RADIUS is not included. To fall back to RADIUS, the method list should be 'group tacacs+ group radius local'.
Root Cause
The AAA authentication method list for login only includes TACACS+ and local authentication. When the TACACS+ server is down, the device falls back to local authentication (which may not have the admin's credentials), but does not attempt RADIUS. The network engineer expected RADIUS to be used as a backup for TACACS+, but the method list was not configured to include RADIUS as a fallback.
Resolution
Replace the default login method list with 'aaa authentication login default group tacacs+ group radius local', so that RADIUS is tried when TACACS+ does not respond, before the device falls back to local authentication.
Verification
Run 'show running-config | include aaa authentication login' to confirm the method list is updated. Expected output:
aaa authentication login default group tacacs+ group radius local
Then test by simulating a TACACS+ failure (e.g., block TCP 49) and attempt an SSH login. The device should authenticate via RADIUS. Check 'debug tacacs' and 'debug radius' to see the fallback.
Prevention
1. Always configure multiple AAA servers (primary and secondary) for redundancy.
2. Use method lists that include all available server groups (TACACS+, RADIUS, local) in the desired order.
3. Regularly test AAA failover scenarios to ensure fallback works as expected.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions about AAA authentication. The exam tests understanding of how method lists work and the difference between TACACS+ and RADIUS. A common question format is a drag-and-drop to order the authentication methods correctly, or a multiple-choice question asking what happens when the primary server is unreachable. Key fact: The order of methods in the method list determines the fallback sequence.
Exam Tips
Remember that TACACS+ uses TCP port 49, while RADIUS uses UDP ports 1812/1813.
The 'aaa authentication login default group tacacs+ group radius local' command tries TACACS+ first, then RADIUS, then local. If local is omitted and both servers are down, authentication fails.
Know that 'debug tacacs' and 'debug radius' are useful for troubleshooting AAA fallback, but be cautious in production.
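The following is an added example, not code from the page or from Cisco: a small Python model of how an IOS login method list is walked, covering both the Root Cause above (why 'group tacacs+ local' never reaches RADIUS) and the exam tip about omitting 'local'. It parses the 'aaa authentication login default ...' line into its ordered methods and evaluates them in order. Two assumptions are built in and labelled in the code: a server group that does not answer counts as an error and the list moves on, whereas a group that answers with a reject stops the list (standard IOS method-list semantics, which the page does not spell out), and the server contents and user names are constructed sample data.

```python
"""Model of IOS AAA login method-list evaluation (added example, not Cisco code).

Assumptions (not from the page):
  - a server group that does not answer -> ERROR, IOS tries the next method;
  - a server group that answers with a reject -> FAIL, the list stops there;
  - users, passwords and server contents below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PASS = "PASS"    # method accepted the credentials
    FAIL = "FAIL"    # method answered and rejected them: stop the list
    ERROR = "ERROR"  # method could not answer: try the next method


@dataclass
class ServerGroup:
    """One AAA server group ('tacacs+' or 'radius') and whether it answers."""
    name: str
    reachable: bool
    users: dict = field(default_factory=dict)  # username -> password it accepts


def parse_method_list(line: str) -> list:
    """'aaa authentication login default group tacacs+ group radius local'
    -> ['tacacs+', 'radius', 'local']; the order is the fallback order."""
    tokens = line.split()
    if tokens[:4] != ["aaa", "authentication", "login", "default"]:
        raise ValueError("not a default login method list: %r" % line)
    methods, rest, i = [], tokens[4:], 0
    while i < len(rest):
        if rest[i] == "group":          # 'group <name>' names a server group
            methods.append(rest[i + 1])
            i += 2
        elif rest[i] == "local":        # the device's own username database
            methods.append("local")
            i += 1
        else:
            raise ValueError("method not covered by this model: %r" % rest[i])
    return methods


def try_method(method, groups, local_users, user, password) -> Verdict:
    """Evaluate a single method exactly once."""
    if method == "local":
        return Verdict.PASS if local_users.get(user) == password else Verdict.FAIL
    grp = groups.get(method)
    if grp is None or not grp.reachable:
        return Verdict.ERROR   # no reply on TCP 49 / UDP 1812: move on
    return Verdict.PASS if grp.users.get(user) == password else Verdict.FAIL


def authenticate(method_line, groups, local_users, user, password):
    """Walk the method list. Returns (accepted, deciding_method, trail); trail
    lists every (method, verdict) tried. deciding_method is None when every
    method errored, which the model treats as a failed login."""
    trail = []
    for method in parse_method_list(method_line):
        verdict = try_method(method, groups, local_users, user, password)
        trail.append((method, verdict.value))
        if verdict is Verdict.PASS:
            return True, method, trail
        if verdict is Verdict.FAIL:
            return False, method, trail
    return False, None, trail


# Constructed sample data for the branch in the scenario.
BROKEN_LIST = "aaa authentication login default group tacacs+ local"
FIXED_LIST = "aaa authentication login default group tacacs+ group radius local"
NO_LOCAL_LIST = "aaa authentication login default group tacacs+ group radius"
LOCAL_USERS = {"breakglass": "local-only-pw"}   # the network admin is NOT here


def branch_servers(tacacs_up: bool, radius_up: bool = True) -> dict:
    """Both services run on the single ISE node and know the same admin account."""
    ise_users = {"netadmin": "ise-pw"}
    return {
        "tacacs+": ServerGroup("tacacs+", tacacs_up, ise_users),
        "radius": ServerGroup("radius", radius_up, ise_users),
    }


if __name__ == "__main__":
    down = branch_servers(tacacs_up=False)
    for label, mlist in (("broken", BROKEN_LIST), ("fixed", FIXED_LIST)):
        ok, by, trail = authenticate(mlist, down, LOCAL_USERS, "netadmin", "ise-pw")
        print(f"{label:6} TACACS+ down -> accepted={ok} decided_by={by} trail={trail}")
```

Running the block with TACACS+ unreachable shows the broken list ending at 'local' with a reject for the admin account, while the fixed list reaches RADIUS and succeeds; changing the admin's password to a wrong one with TACACS+ up shows the reject stopping the list without ever consulting RADIUS, which is why a failover test must block the server rather than just enter bad credentials.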
Commands Used in This Scenario
aaa authentication login default group radius local
Configures AAA authentication for login using a RADIUS server group as the primary method, falling back to local authentication if the RADIUS server is unreachable.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.