5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [ii] Local privilege authorization fallback

The local database can act as a fallback method for several functions. This behavior is designed to help prevent accidental lockout . For users who need fallback support, it is recommended that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

The local database supports the following fallback functions:

● Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group all are unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.

● Command authorization—When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS + servers in the group all are unavailable, the local database is used to authorize commands based on privilege levels.

● VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable. The authentication-server-group command , available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When VPN client of an administrator specifies a tunnel group configured to fallback to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5123-5133).  . Kindle Edition.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960xr/software/15.0_2_EX1/security/configuration_guide/b_sec_152ex1_2960-xr_chapter_0111.html