Specifications
3-464
Cisco Wide Area Application Services Command Reference
OL-21611-01
Chapter 3 CLI Commands
(config) authentication fail-over
(config) authentication fail-over
To specify authentication failover if the primary authentication server is unreachable, use the
authentication fail-over global configuration mode command. To disable this feature, use the no form
of this command.
authentication fail-over server-unreachable
no authentication fail-over server-unreachable
Syntax Description
Defaults This feature is disabled by default. This means that the WAAS device tries the other authentication
methods if the primary method fails for any reason, not just if the server is unreachable.
Command Modes global configuration
Device Modes application-accelerator
central-manager
Usage Guidelines The authentication command configures both the authentication and authorization methods that govern
login and configuration access to the WAAS device.
Note We strongly recommend that you use the WAAS Central Manager GUI instead of the WAAS CLI to
configure administrative login authentication and authorization for your WAAS devices, if possible. For
information about how to use the WAAS Central Manager GUI to centrally configure administrative
login authentication and authorization on a single WAE or group of WAEs, which are registered with a
WAAS Central Manager, see the Cisco Wide Area Application Services Configuration Guide.
The authentication fail-over server-unreachable global configuration command allows you to specify
that a failover to the secondary authentication method should occur only if the primary authentication
server is unreachable. This feature ensures that users gain access to the WAAS device using the local
database only when remote authentication servers (TACACS+ or RADIUS) are unreachable. For
example, when a TACACS+ server is enabled for authentication with a user authentication failover
configured and the user tries to log in to the WAAS device using an account defined in the local database,
login fails. Login succeeds only when the TACACS+ server is unreachable.
You can configure multiple TACACS+ or RADIUS servers; authentication is attempted on the primary
server first. If the primary server is unreachable, then authentication is attempted on the other servers in
the TACACS+ or RADIUS farm, in order. If authentication fails for any reason other than a server is
unreachable, authentication is not attempted on the other servers in the farm. This process applies
regardless of the setting of the authentication fail-over server-unreachable command.
fail-over
server-unreachable
Specifies that the WAAS device is to query the secondary authentication
database only if the primary authentication server is unreachable.