This section looks into some of the important issues for improving performance and avoiding a lockout situation. The following is a list of some good practices to achieve this:
Always configure Fall Back Authentication Method so that you can avoid a lockout situation if the authentication server is unavailable.
Save the good running configuration of the router to NVRAM with the write memory command before starting AAA configuration. Once AAA is configured, make sure it works as expected before writing it into NVRAM. This way, you can reload the router if you are locked out due to misconfiguration.
Unless it is absolutely needed, do not configure authorization for the console. Also, try to avoid authentication for your console with the authentication server, rather than configuring local user databases.
Unless you have multiple AAA servers, and you have a network latency issue, do not increase the timeout for the AAA server from the default 5 seconds to a higher number.
Avoid sending AAA requests over wide-area network (WAN) links, or slow links unless it is required, because this may slow down the performance.
Source the RADIUS/TACACS+ packets from a specific interface, so that the AAA server always trusts the NAS because the packet will always be sourcing from one interface. Using a loop back interface is preferred because that provides high availability.
Configure dead-time for RADIUS to improve the performance, if you have a backup RADIUS Server configured.