Home
Support
Product Support
Routers
Cisco SD-WAN
Configuration Guides

Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

What is the default authentication order on a Cisco IOS XE Catalyst SD-WAN device?
How many SSH RSA keys can a single user store on a device?
What information must you obtain from the Duo Admin Panel to configure Duo MFA?

View all Saved Content

PDF

Is this content helpful?

Helpful Unhelpful

Suggestions for Improvement

Thank you for your feedback. Your response has been recorded.

Ask about this content

Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

What is the default authentication order on a Cisco IOS XE Catalyst SD-WAN device?
How many SSH RSA keys can a single user store on a device?
What information must you obtain from the Duo Admin Panel to configure Duo MFA?

Expand all sections

About this content

Users and Access

Users and access
Account lockout
User sessions
Ciscotac user access

Password Management

Hardened passwords
Type 6 passwords

Authentication

Authentication
Authentication order
Authentication fallback mechanism
Duo Multi-factor authentication
RADIUS authentication
SSH authentication
IEEE 802.1X authentication
Authentication, Authorization, and Accounting
Posture assessment support

Role-Based Access Control

Role-Based Access Control
Restrictions for configuring RBAC
RBAC by VPN
RBAC with AAA
User authorization rules for operational and configuration commands
RBAC by scope
Granular RBAC
RBAC for policies
Configure RBAC for CFlowd policy
Assigning roles to users defined by identity providers
Configure RBAC
Prerequisites for Application Catalog features
Manage user group permissions
Configure Users
Configure user sessions
Configure VPN segments
Configure VPN groups
Verify granular RBAC permissions
Monitor devices for VPN groups

Authentication order

Updated: April 24, 2026

Want to summarize with AI?

On this page

Default authentication order

Outlines how authentication order determines the sequence of authentication methods for SSH or console access, describes the default method order (local, radius, tacacs), and provides instructions for customizing the order using the auth-order command for admin users.

The authentication order is a configuration setting that

dictates the order in which authentication methods are tried when verifying user access to a Cisco IOS XE Catalyst SD-WAN device through an SSH session or a console port, and
provides a way to proceed with authentication if the current authentication method is unavailable.

Default authentication order

The default authentication order is local, followed by radius, and then tacacs. The default authentication order works as follows:

local: The authentication process checks for a username and passwords in the running configuration of the device.
radius: The authentication process uses a RADIUS server to validate credentials.
tacacs: The authentication process uses a TACACS+ server to validate credentials. For this method to work, you must configure one or more TACACS+ servers with the system tacacs server command. If a TACACS+ server is reachable, you are authenticated or denied access based on that server's TACACS+ database. If you have configured multiple TACACS+ servers, then the authentication process contacts one server, and if that server is not available, the process continues in sequence to the other servers. You are then authenticated or denied access based on one of the reachable TACACS+ servers.

If none of the authentication processes succeed, access to the device is denied.

You can use the auth-order command to modify the default authentication order. Specify one, two, or three authentication methods in the preferred order, starting with the one to be tried first. If you configure only one authentication method, it must be local.

To modify the authentication order for admin users, include the keyword admin in the preceding command, for e.g., admin-auth-order and then specify the authentication method(s).

If you do not include this command, the admin user is always authenticated locally.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.