Users can access device without authentication if TACACS+ is used to authenticate users and no tacacs-server host configured.
vulners.com/securityvulns/securityvulns:doc:11447