Dependency on authentication database order

There are four different authentication orders which can be configured per authentication method. These four orders are the following:
  • RADIUS
  • Local
  • RADIUS, Local
  • Local, RADIUS

For each authentication order, the end result is considered in deciding whether to authenticate the client through the authentication failure VLAN (Virtual LAN) or the authentication service unavailable VLAN (if configured).

For example, if the authentication order is radius, local, with the RADIUS server unavailable, and local authentication failed, the client is authenticated in the authentication failure VLAN (if one is configured on the port).

For local authentication, the following cases are considered as authentication failure.
  • If the user is not created in the local database.
  • If the user is configured, but the password does not match.

If the user is configured, but the password does not match, it is considered an authentication failure.

For RADIUS server authentication, if for some reason the user cannot be authenticated due to problems with the RADIUS configuration, the RADIUS server not running, or some other problem then it is considered as an authentication service unavailable. If the actual authentication fails then it is considered as an authentication failure.