AAA - configuring a fallback method

When configuring AAA on a Cisco IOS device, it is possible to configure one or more methods of authentication in the event that the primary method fails. For example, it is possible to configure a router to use a RADIUS server as the primary method, and to use the local enable password as the fallback method.

The following command tells the router to use the default authentication list and all available RADIUS servers. When the RADIUS server is unavailable, we fall back to using a local enable password.

R1(config)#aaa authentication enable default group radius enable

What constitutes a failure? If authentication fails due to incorrect credentials with the primary method, the fallback method will NOT be tried. The fallback mechanism comes into effect only when the primary server is unreachable or unresponsive, not when authentication fails due to incorrect credentials.

This makes sense because if someone tries to log in using brute force and fail, you can consider them an illegitimate user. If you were legitimate, you would know the password. So you don’t want to give an illegitimate user that may continue their brute force attack a second chance to try to connect again.

So when a user provides incorrect credentials for the primary method, the device will return an authentication failure and will not proceed to try the fallback method.

The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.

https://networklessons.com/cisco/ccna-200-301//aaa-authentication-on-cisco-ios