The following steps explain the authentication and authorization process:
1. When you try to log in to the Cisco MDS 9000 Series Switches using the Telnet, SSH, DCNM or Device Manager, or console login options, the authentication process starts.
2. If the login authentication method is set to one or more AAA server groups, an authentication request is sent to the first AAA server in the first group.
If that AAA server fails to respond, the next AAA server in the group is contacted, and so on, until a remote server responds to the authentication request.
If all AAA servers in the server group fail to respond, the servers in the next server group are contacted.
If no server in any configured group responds (an authentication error), by default the local database is used for authentication. The fallback applies only when no server responds: a server that does respond and rejects the credentials is a final verdict, and the login is not retried against the local database.
3. When you are successfully authenticated through a remote AAA server, one of the following actions is taken to obtain your roles:
If the AAA server protocol is RADIUS, the user roles specified in the cisco-av-pair attribute are downloaded with the authentication response.
If the AAA server protocol is TACACS+, a second request is sent to the same server to retrieve the user roles, which are specified as custom attributes for the shell.
If the user roles cannot be retrieved from the remote AAA server, you are assigned the network-operator role if the aaa user default-role command is enabled. If that command is disabled, you are denied access.
4. When your username and password are authenticated locally, you are allowed to log in and are assigned the roles configured for your account in the local database.
Figure 20-2 shows a flow chart of the authorization and authentication process for RADIUS remote AAA service.
Figure 20-2 Switch Authentication and Authorization Flow for RADIUS Remote AAA Service
You can enable or disable the fallback to the local database that occurs when remote authentication is configured and all AAA servers are unreachable (authentication error). By default this fallback is enabled. It can be disabled separately for console login and for SSH/Telnet login (the NX-OS commands are aaa authentication login console fallback error local and aaa authentication login default fallback error local, each disabled with the no form). Disabling the fallback tightens authentication, because an attacker who can make the AAA servers unreachable can no longer force the switch to accept credentials from the local database. The fallback never applies to a login that a reachable server has rejected. If you disable it for console login as well, no login is possible while every AAA server is down, so most deployments keep the console fallback enabled and disable it only for SSH/Telnet.
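The following is an added example, not Cisco code or configuration. It is a plain-Python model of the login flow in steps 1 to 4 and of the fallback note above: servers are tried in order within a group and groups in order, an unreachable server is skipped while a reject is final, RADIUS roles arrive with the authentication reply whereas TACACS+ needs a second request, missing roles are handled by the aaa user default-role setting, and the local database is consulted only when no server responded and the fallback is enabled. Assumptions that are not on this page: RADIUS and TACACS+ transport is replaced by in-memory Server objects; the role attribute is assumed to have the form shell:roles="role1 role2"; the two switch settings are modelled as the booleans fallback_on_error and default_role_enabled; all usernames, passwords and server names are constructed sample data.

```python
"""Model of the MDS AAA login flow (added example, not Cisco code).

Assumptions not taken from the page: in-memory Server objects stand in for
RADIUS/TACACS+ transport, roles travel in a cisco-av-pair of the assumed form
shell:roles="r1 r2", and the switch settings are plain booleans.
"""
import re
from dataclasses import dataclass


class ServerUnreachable(Exception):
    """The server did not respond (timeout); the switch moves to the next one."""


@dataclass
class Server:
    name: str
    protocol: str        # "radius" or "tacacs+"
    users: dict          # username -> password (constructed sample data)
    roles: dict          # username -> cisco-av-pair string carrying the roles
    up: bool = True      # False simulates an unreachable server

    def authenticate(self, user, pw):
        """Authentication request. RADIUS returns the roles in the same reply."""
        if not self.up:
            raise ServerUnreachable(self.name)
        if self.users.get(user) != pw:
            return {"status": "reject"}
        reply = {"status": "accept"}
        if self.protocol == "radius" and user in self.roles:
            reply["cisco-av-pair"] = self.roles[user]
        return reply

    def authorize_shell(self, user):
        """TACACS+ only: the separate request for the shell role attributes."""
        if not self.up:
            raise ServerUnreachable(self.name)
        return {"cisco-av-pair": self.roles[user]} if user in self.roles else {}


# Assumed attribute syntax: shell:roles="network-admin vsan-admin"
ROLE_RE = re.compile(r'shell:roles[=*]"([^"]*)"')


def parse_roles(avpair):
    """Return the role names from a cisco-av-pair, or [] if absent or malformed."""
    m = ROLE_RE.search(avpair or "")
    return m.group(1).split() if m else []


@dataclass
class Switch:
    server_groups: list                 # groups tried in order, servers in order within a group
    local_users: dict                   # username -> (password, [roles])
    fallback_on_error: bool = True      # models "fallback error local" (default enabled)
    default_role_enabled: bool = True   # models "aaa user default-role" (default enabled)

    def login(self, user, pw):
        """Return (verdict, reason, roles) following steps 2 to 4 above."""
        for group in self.server_groups:
            for srv in group:
                try:
                    reply = srv.authenticate(user, pw)
                except ServerUnreachable:
                    continue                       # next server in this group
                # A server answered, so its verdict is final: a reject never
                # falls back to the local database.
                if reply["status"] != "accept":
                    return ("deny", "rejected by " + srv.name, [])
                return self._authorize_remote(srv, user, reply)
            # whole group unreachable: try the next group
        # Authentication error: no server in any group responded.
        if not self.fallback_on_error:
            return ("deny", "all AAA servers unreachable, local fallback disabled", [])
        return self._local_login(user, pw)

    def _authorize_remote(self, srv, user, reply):
        if srv.protocol == "radius":
            roles = parse_roles(reply.get("cisco-av-pair"))
        else:                                      # TACACS+: second request
            try:
                roles = parse_roles(srv.authorize_shell(user).get("cisco-av-pair"))
            except ServerUnreachable:
                roles = []
        if not roles:
            if not self.default_role_enabled:
                return ("deny", "no roles from " + srv.name + ", default-role disabled", [])
            roles = ["network-operator"]
        return ("allow", "remote via " + srv.name, roles)

    def _local_login(self, user, pw):
        entry = self.local_users.get(user)
        if entry and entry[0] == pw:
            return ("allow", "local database", list(entry[1]))
        return ("deny", "local authentication failed", [])


def build_demo():
    """Constructed topology: two RADIUS servers in group 1, one TACACS+ server in group 2."""
    rad1 = Server("rad1", "radius", {"alice": "pw-a"},
                  {"alice": 'shell:roles="network-admin"'}, up=False)
    rad2 = Server("rad2", "radius", {"alice": "pw-a", "bob": "pw-b"},
                  {"alice": 'shell:roles="network-admin vsan-admin"'})
    tac1 = Server("tac1", "tacacs+", {"carol": "pw-c"},
                  {"carol": 'shell:roles="network-operator"'})
    sw = Switch([[rad1, rad2], [tac1]], {"admin": ("local-pw", ["network-admin"])})
    return sw, rad1, rad2, tac1
```

The case worth trying first is the local admin account while rad2 is reachable: rad2 rejects the unknown user and the login is denied even though the same credentials exist locally, which is exactly why the fallback setting matters only for the unreachable case. Marking every server down and toggling fallback_on_error shows the difference between the default (local login allowed) and the hardened configuration (login denied).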