If, for whatever reason, RADIUS or TACACS+ servers are unable to provide authentication and authorization responses, network
users and administrators can be locked out of the network. The profile caching feature allows usernames to be authorized without
having to complete the authentication phase. For example, a user by the name user100@example.com with the password secretpassword1 can be stored in a profile cache using the regular expression .*@example.com. Another user by the name user101@example.com with the password secretpassword2 can also be stored using the same regular expression, and so on. Because the number of users in the .*@example.com profile
could run into thousands, it is not feasible to authenticate each user with their personal password. Therefore, authentication
is disabled, and each user simply accesses authorization profiles from a common Access Response stored in the cache.
The same reasoning applies in cases where higher-end security mechanisms such as Challenge Handshake Authentication Protocol
(CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), or Extensible Authentication Protocol (EAP), which
use an encrypted password between a client and AAA offload server. To allow these unique secure username and password profiles
to retrieve their authorization profiles, authentication is bypassed.
To take advantage of this failover capability, you need to configure the authentication and authorization method list so
that the cache server group is queried last when a user attempts to authenticate to the device. See Method Lists in Authorization and Authentication Profile Caching section for more information.