If, for whatever reason, RADIUS or TACACS+ servers are unable to provide authentication and authorization responses, network
users and administrators can be locked out of the network. The profile caching feature allows usernames to be authorized without
having to complete the authentication phase. For example, a user by the name of email@example.com with a password secretpassword1
could be stored in a profile cache using the regular expression “.*@example.com”. Another user by the name of firstname.lastname@example.org
with a password of secretpassword2 could also be stored using the same regular expression, and so on. Because the number of
users in the “.*@example.com” profile could number in the thousands, it is not feasible to authenticate each user with their
personal password. Therefore authentication is disabled and each user simply accesses authorization profiles from a common
Access Response stored in cache.
The same reasoning applies in cases where higher end security mechanisms such as Challenge Handshake Authentication Protocol
(CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), or Extensible Authentication Protocol (EAP), which
all use an encrypted password between the client and AAA offload server, are used. To allow these unique, secure username
and password profiles to retrieve their authorization profiles, authentication is bypassed.
To take advantage of this failover capability, you need to configure the authentication and authorization method list so
that the cache server group is queried last when a user attempts to authenticate to the router. See the Method Lists in Authorization
and Authentication Profile Caching section for more information.