TACACS+ does not support the following features:
Point-to-Point Protocol (PPP) authentication and accounting
IPv6 for TACACS+
S/KEY (One Time Password) authentication
PAP/CHAP/MSCHAP authentication methods
The FOLLOW response of a TACACS+ server, in which the AAA services are redirected to another server. The response is interpreted as an authentication failure.
User capability to change passwords at runtime over the network. The system administrator must change user passwords locally, on the server.
TACACS+ command authorization when the user accesses the switch through EDM and SNMP.
Restriction of command authorization for a specific kind of access. After you enable command authorization, command authorization applies for Telnet, SSH, and serial-port access. You cannot restrict command authorization to just one kind of access.
If a user is TACACS+ authenticated and command authorization is enabled for that level, then if the switch cannot reach the TACACS+ server, the switch does not permit the user to execute any command that has privilege level command authorization enabled.