So the link you probably found refers to AOS, which is used by the wireless controllers.
I've found that in AOS-CX, you need that command in order to tell the switch to check the second configured option. (I'm not really sure why, since that seems backwards from how every other vendor/other Aruba products do it, but I've just accepted it and added it to my template.)
If you look in the AOS-CX security guide, you can find this little blurb:
Enables authentication fail-through. When this option is enabled, the next server/authentication method is tried after an authentication failure.
The no form of this command disables authentication fail-through. If the system fails to authenticate with a reachable TACACS+ or RADIUS server, the system does not attempt to authenticate with the next TACACS+/RADIUS server.
------------------------------
Christopher Wickline
------------------------------
Original Message:
Sent: May 05, 2021 09:29 AM
From: stever robichaud
Subject: Aruba 6100 Running CX And TACACS
Thanks for the response.
Yes, that worked, but I am a bit confused. On the website it states. I know in Cisco you just put local at the end.
Note: If the databases for both the servers are identical, then there is no point in configuring 'allow-fail-through'. It can even delay authentication time if "allow-fail-through" is checked and all servers point to the same database.
------------------------------
stever
Original Message:
Sent: May 04, 2021 03:26 PM
From: Christopher Wickline
Subject: Aruba 6100 Running CX And TACACS
Try and add this command and see if it makes any difference for you:
aaa authentication allow-fail-through
------------------------------
Christopher Wickline
Original Message:
Sent: May 04, 2021 09:17 AM
From: stever robichaud
Subject: Aruba 6100 Running CX And TACACS
I am having a problem with my TACACS config and need some help.
I want to be able to log in locally on the console when the TACACS servers are unavailable, but I am having problems.
My config is the following:
aaa authentication login console group TACACS local
aaa authentication login ssh group TACACS local
aaa authorization commands console group TACACS local
aaa authorization commands ssh group TACACS local
aaa accounting all-mgmt https-server start-stop group TACACS local
aaa accounting all-mgmt ssh start-stop group TACACS local
aaa accounting port-access start-stop group CLEARPASS
I can log in when the TACACS servers are available, but when I unplug the network I cannot log in locally using the local account I created on the switch.
Thanks
------------------------------
stever robichaud
------------------------------
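An added example, not part of the thread or of Aruba's documentation: a small Python check for a switch template that reads `aaa authentication login` lines like those posted above and reports, per management channel, whether `local` is present as the last method and whether `aaa authentication allow-fail-through` is set. The function names and the sample config (including the `https-server` login line) are constructed for illustration.

```python
import re

# Constructed sample: login lines in the style of the post plus the suggested command.
SAMPLE_CONFIG = """\
aaa authentication login console group TACACS local
aaa authentication login ssh group TACACS local
aaa authentication login https-server group TACACS
aaa authentication allow-fail-through
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
FAIL_THROUGH = "aaa authentication allow-fail-through"


def parse_aaa(config_text):
    """Return (login_methods_by_channel, fail_through_enabled)."""
    methods, fail_through = {}, False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == FAIL_THROUGH:
            fail_through = True
        elif line == "no " + FAIL_THROUGH:
            fail_through = False
        else:
            m = LOGIN_RE.match(line)
            if m:
                # "group" is a keyword introducing the ordered method list
                methods[m.group(1)] = [t for t in m.group(2).split() if t != "group"]
    return methods, fail_through


def audit(config_text):
    """List findings about local fallback and fail-through for each channel."""
    methods, fail_through = parse_aaa(config_text)
    findings = []
    for channel, order in sorted(methods.items()):
        if "local" not in order:
            findings.append(f"{channel}: no local method, remote servers are the only way in")
        elif order[-1] != "local":
            findings.append(f"{channel}: local is tried before {order[-1]}")
        elif not fail_through:
            findings.append(f"{channel}: local is listed after {order[0]} but allow-fail-through is not set")
    if fail_through:
        findings.append("allow-fail-through set: a rejected login is retried against the next method")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The last finding restates the security guide text quoted in the thread: with fail-through enabled, an authentication failure moves on to the next method, so local account passwords need the same care as the TACACS ones.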