When configuring AAA on a device, pay attention to the following points:
- TACACS+ and RADIUS cannot be used at the same time. If both TACACS+ and RADIUS are enabled, then TACACS+ is valid but RADIUS is invalid.
- Users authenticate with the AAA server to gain access to the NAS server when AAA function is enabled. Make sure that the communication between the NAS server and AAA server works well.
- If the same accounts of admin/root/operator are used in conjunction with TACACS, TACACS authorization will be ignored and the local account policy will take precedence.
- For redundancy management of AAA server, multiple remote AAA servers can be configured at the same time. Only one server can be used at the same time. However, there are a few differences between TACACS + and RADIUS validation.
- If user validation on one TACACS+ server fails, it will switch to the other reachable TACACS+ servers for validation automatically.
- Only one RADIUS server with the smallest IP address will be used for user validation, if user validation on one RADIUS server fails, it will not use the other reachable RADIUS servers for validation.
- When the AAA server is unreachable, users who have logged in successfully will quit CLI interface and fallback to Linux shell when they execute the CLI command that needs to be authorized.
If the value of the shared key is different from that of the TACACS+/RADIUS server,
- For RADIUS, it is considered that the RADIUS server is unreachable.
- For TACACS+, it is considered that the TACACS+ server is reachable but the authentication failed.
When resetting any AAA radius / TACACS + configuration, the new setting takes effect only for the subsequent users who log in to the CLI. For example, change the IP of the current TACACS+ server.
Note that：For online users who have already passed AAA Authentication and successfully logged in are not affected by the resetting configurations. If the user logs out and then logs in again, the system will use the new configurations for AAA Authentication.