Home
Support
Product Support
Routers
Cisco SD-WAN
Configuration Guides

Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

What is the default authentication order on a Cisco IOS XE Catalyst SD-WAN device?
How many SSH RSA keys can a single user store on a device?
What information must you obtain from the Duo Admin Panel to configure Duo MFA?

View all Saved Content

PDF

Is this content helpful?

Helpful Unhelpful

Suggestions for Improvement

Thank you for your feedback. Your response has been recorded.

Ask about this content

Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

What is the default authentication order on a Cisco IOS XE Catalyst SD-WAN device?
How many SSH RSA keys can a single user store on a device?
What information must you obtain from the Duo Admin Panel to configure Duo MFA?

Expand all sections

About this content

Users and Access

Users and access
Account lockout
User sessions
Ciscotac user access

Password Management

Hardened passwords
Type 6 passwords

Authentication

Authentication
Authentication order
Authentication fallback mechanism
Duo Multi-factor authentication
RADIUS authentication
SSH authentication
IEEE 802.1X authentication
Authentication, Authorization, and Accounting
Posture assessment support

Role-Based Access Control

Role-Based Access Control
Restrictions for configuring RBAC
RBAC by VPN
RBAC with AAA
User authorization rules for operational and configuration commands
RBAC by scope
Granular RBAC
RBAC for policies
Configure RBAC for CFlowd policy
Assigning roles to users defined by identity providers
Configure RBAC
Prerequisites for Application Catalog features
Manage user group permissions
Configure Users
Configure user sessions
Configure VPN segments
Configure VPN groups
Verify granular RBAC permissions
Monitor devices for VPN groups

Authentication fallback mechanism

Updated: April 24, 2026

Want to summarize with AI?

On this page

User group assignment after authentication

Outlines the authentication fallback mechanism, detailing how authentication order impacts fallback to secondary methods and describing user group assignment based on remote and local authentication outcomes.

You can configure authentication to fall back to a secondary or tertiary authentication mechanism when the higher-priority authentication method fails to authenticate a user, either because the user has entered invalid credentials or because the authentication server is unreachable (or all the servers are unreachable).

If the authentication order is configured as

radius local: With radius as the default authentication, local authentication is used only when all RADIUS servers are unreachable. If an authentication attempt via a RADIUS server fails, the user is not allowed to log in even if they have provided the correct credentials for local authentication.
local radius: With local as the default authentication, RADIUS authentication is tried when a username and matching password are not present in the running configuration on the local device.
radius tacacs local: With radius as the default authentication, TACACS+ is tried only when all RADIUS servers are unreachable, and local authentication is tried only when all TACACS+ servers are unreachable. If an authentication attempt via a RADIUS server fails, the user is not allowed to log in even if they have provided the correct credentials for the TACACS+ server. Similarly, if a TACACS+ server denies access, the user cannot log via local authentication.

User group assignment after authentication

After the remote server authenticates a user, it assigns the user to a user group:

If a remote server validates the authentication but does not specify a user group, it places the user in the basic user group.
If a remote server validates the authentication and specifies a user group (say, X), it assigns the user to that group only. However, if that user is also configured locally and belongs to a user group (for example, group Y), the user is assigned to both groups (X and Y).
If a remote server validates the authentication and the user is not configured locally, the system logs the user into the vshell as the basic user, with a home directory of /home/basic.
If a remote server validates the authentication and the user is configured locally, the system logs the user into the vshell under their local username (for example, "eve") with a home directory of /home/username (for example, /home/eve).

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.