You are right. I think I just didn't wait long enough. Now when VPN is not connected, after some 10s of seconds I see
==
adclient[21957]: INFO <fd:23 PAMVerifyPassword2 > daemon.ipcclient System is in disconnected mode, user option PREFER_AD_LOGIN is ignored and try cache auth first.
==
in auth.log
and it uses the cached credentials.
I will close this thread and if there is anything else, will open a new one.
Thanks again,
Vikram