Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Configuring Administrative Login Authentication, Authorization, and Accounting
Configuring Administrative Login Authentication and Authorization
You can configure multiple TACACS+ or RADIUS servers; authentication is attempted on the primary server first. If the primary server is unreachable, then authentication is attempted on the other servers in the TACACS+ or RADIUS farm, in order. If authentication fails for any reason other than a server being unreachable, authentication is not attempted on the other servers in the farm. This process applies regardless of the setting of the Failover to next available authentication method check box.

Note: To use the login authentication failover feature, you must set TACACS+, RADIUS, or Windows domain as the primary login authentication method, and local as the secondary login authentication method.
If the failover to next available authentication method option is enabled, follow these guidelines:

- You can configure only two login authentication schemes (a primary and a secondary scheme) on the WAAS device.
- Note that the WAAS device (or the devices in the device group) fails over from the primary authentication scheme to the secondary authentication scheme only if the specified authentication server is unreachable.
- Configure the local database scheme as the secondary scheme for both authentication and authorization (configuration).
For example, if the failover to next available authentication method option is enabled, RADIUS is set as the primary login authentication scheme, and local is set as the secondary login authentication scheme, the following events occur:

1. When the WAAS device (or the devices in the device group) receives an administrative login request, it queries the external RADIUS authentication server.
2. One of the following occurs:
   a. If the RADIUS server is reachable, the WAAS device (or the devices in the device group) uses this RADIUS database to authenticate the administrator.
   b. If the RADIUS server is not reachable, the WAAS device (or the devices in the device group) tries the secondary authentication scheme (that is, it queries its local authentication database) to authenticate the administrator.

Note: The local database is contacted for authentication only if this RADIUS server is not available. In any other situation (for example, if the authentication fails in the RADIUS server), the local database is not contacted for authentication.
Conversely, if the failover to next available authentication method option is disabled, then the WAAS device (or the devices in the device group) contacts the secondary authentication database regardless of the reason why the authentication failed with the primary authentication database.

If all the authentication databases are enabled for use, then all the databases are queried in the order of priority selected and based on the failover reason. If no failover reason is specified, then all the databases are queried in the order of their priority. For example, first the primary authentication database is queried, then the secondary authentication database is queried, then the tertiary database is queried, and finally the quaternary authentication database is queried.
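The two rules above (move to the next server in a farm only when the current one is unreachable; move to the next login scheme only when the whole scheme is unreachable if the failover option is enabled, or on any failure if it is disabled) are easy to misread when you are troubleshooting a lockout. The following Python model is an added example and not Cisco WAAS code: the servers, user names and passwords are constructed, and the Server/Method classes are hypothetical stand-ins for a RADIUS or TACACS+ farm and the local database. It lets you replay a login request against a given configuration and see which databases were actually contacted.

```python
"""Model of the WAAS administrative login authentication chain (added example,
not Cisco code). Simulates the method list (for example RADIUS then local),
the server order inside a farm, and the 'Failover to next available
authentication method' option."""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"            # server authenticated the user
    REJECT = "reject"            # server answered, credentials rejected
    UNREACHABLE = "unreachable"  # no answer from the server


@dataclass
class Server:
    """One server in a TACACS+/RADIUS farm, or the local database (hypothetical)."""
    name: str
    reachable: bool = True
    users: dict = field(default_factory=dict)  # username -> password (constructed)

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.UNREACHABLE
        return Result.ACCEPT if self.users.get(user) == password else Result.REJECT


@dataclass
class Method:
    """A login authentication scheme: an ordered farm of one or more servers."""
    name: str
    servers: list


def query_farm(method, user, password, trace):
    """Try the servers in farm order. The next server is consulted only when the
    current one is unreachable; an explicit reject ends the query of this farm."""
    outcome = Result.UNREACHABLE
    for srv in method.servers:
        outcome = srv.authenticate(user, password)
        trace.append((method.name, srv.name, outcome.value))
        if outcome is not Result.UNREACHABLE:
            break
    return outcome


def login(methods, user, password, failover_only_if_unreachable, trace=None):
    """Walk the configured schemes in priority order and return True on success.

    failover_only_if_unreachable=True models the failover option enabled: the
    next scheme is consulted only when every server of the current scheme is
    unreachable. False models the option disabled: the next scheme is consulted
    whatever the reason the current scheme failed.
    """
    if trace is None:
        trace = []
    for method in methods:
        outcome = query_farm(method, user, password, trace)
        if outcome is Result.ACCEPT:
            return True
        if outcome is Result.REJECT and failover_only_if_unreachable:
            return False  # rejection by a reachable server stops the chain
        # unreachable (or rejected with failover disabled): try the next scheme
    return False


def scenario(password, radius2_up, failover_only_if_unreachable):
    """Constructed setup: a two-server RADIUS farm as the primary scheme (first
    server always down) and the local database as the secondary scheme.
    Returns (authenticated, trace) so the contacted databases can be inspected."""
    radius = Method("radius", [
        Server("radius-1", reachable=False, users={"admin": "radius-pw"}),
        Server("radius-2", reachable=radius2_up, users={"admin": "radius-pw"}),
    ])
    local = Method("local", [Server("local-db", users={"admin": "local-pw"})])
    trace = []
    ok = login([radius, local], "admin", password, failover_only_if_unreachable, trace)
    return ok, trace


if __name__ == "__main__":
    for args in [("radius-pw", True, True), ("local-pw", True, True),
                 ("local-pw", True, False), ("local-pw", False, True)]:
        ok, trace = scenario(*args)
        print(args, "->", ok, trace)
```

The second scenario is the one that surprises administrators: with the failover option enabled, a wrong password that RADIUS rejects never reaches the local database, even though the local password would have worked. Only the fourth scenario, where every RADIUS server is down, falls through to local.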
To specify the login authentication and authorization scheme for a WAAS device or device group, follow these steps: