If, for whatever reason, RADIUS or TACACS+ servers are unable to provide authentication and authorization responses, network
users and administrators can be locked out of the network. The profile caching feature allows usernames to be authorized without
having to complete the authentication phase. For example, a user by the name user100@example.com with the password secretpassword1 can be stored in a profile cache using the regular expression .*@example.com. Another user by the name user101@example.com with the password secretpassword2 can also be stored using the same regular expression, and so on. Because the number of users in the .*@example.com profile
could run into thousands, it is not feasible to authenticate each user with their personal password. Therefore, authentication
is disabled, and each user simply accesses authorization profiles from a common Access Response stored in the cache.
The same reasoning applies to cases involving higher-end security mechanisms, such as Extensible Authentication Protocol (EAP),
which utilize an encrypted password for communication between the client and the AAA offload server. To allow these unique
secure username and password profiles to retrieve their authorization profiles, authentication is bypassed.
To take advantage of this failover capability, you need to configure the authentication and authorization method list so
that the cache server group is queried last when a user attempts to authenticate to the device. See Method Lists in Authorization and Authentication Profile Caching section for more information.