Current versions of configurations are not fully correct which leads to needless calls to authentication servers and slowing down command execution.
https://github.com/vyos/vyos-1x/blob/4a51fb08e73d259bab87e154f99fb5c3e85fbc46/src/pam-configs/tacplus
https://github.com/vyos/vyos-1x/blob/4a51fb08e73d259bab87e154f99fb5c3e85fbc46/src/pam-configs/radius
We need to:
- Make each type of authentication self-sufficient (ensure that it does not conflict with others, to avoid extra calls to RADIUS/TACACS+ servers).
- Add a new CLI fallback option to control authentication policy - if the authentication source can be skipped in case of failed authentication (_not failed communication_) or we need to fail immediately and avoid skipping to other authentication sources.
- Add a new CLI option to define authentication order (local, RADIUS, TACACS+).