07-05-2009 09:19 PM
Am I correct about this? If so, isn't that kind of backwards? Usually a system will go to its AAA server first for user authentication, then only if those systems are unavailable will it fall back to a local user.
07-07-2009 09:59 AM
The main reason we did this was for performance for people using local accounts with TACACS+ accounts.
Do you need it to be done the other way (check AAA server first, then local DB)?
07-07-2009 10:36 AM
07-09-2009 11:37 AM
RADIUS and TACACS+ auth is also optionally cached for some period of time (the AMP User Authorization Lifetime on AMP Setup > General) for performance reasons. You can turn off this caching, but every hit to the AWMS web server will result in a hit on your TACACS+ server, which may slow things down.
The support team can help you patch your AMP to change the priority. It involves moving some Apache directives around.