
300-410 Question #47: Real Exam Question with Answer & Explanation

The correct answer is D: The TACACS+ server is down and the user is not in the local database. User authentication is being rejected because the TACACS+ server is unreachable, and the router cannot find the user's credentials in its local fallback database.

Infrastructure Security

Question

Refer to the exhibit. Why is user authentication being rejected?

Options

  • A. The TACACS+ server expects "user" but the NT client sends "domain\user"
  • B. The TACACS+ server refuses the user because the user is set up for CHAP
  • C. The TACACS+ server is down and the user is in the local database
  • D. The TACACS+ server is down and the user is not in the local database

Explanation

User authentication is being rejected because the TACACS+ server is unreachable, and the router cannot find the user's credentials in its local fallback database.

Common mistakes.

  • A. While username format mismatches can cause authentication issues, the primary reason for rejection when the TACACS+ server is down is its unavailability and the lack of a successful fallback.
  • B. TACACS+ servers support various authentication methods, including CHAP, so a user configured for CHAP would not be inherently refused unless there's a misconfiguration in the server or client, or the server is unreachable.
  • C. If the TACACS+ server is down but the user is present in the local database, local authentication should succeed, not be rejected.

Concept tested. TACACS+ fallback authentication

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radtac/configuration/xe-3s/sec-rad-tac-xe-3s-book/sec-rad-tac-fallback.html

Topics

#TACACS+ #AAA #Authentication Fallback #Local User Database
