nerdexam
Cisco

300-620 · Question #154

A network administrator configures AAA inside the Cisco ACI fabric. The authentication goes through the local users if the TACACS+ server is not reachable. If the Cisco APIC is out of the cluster, the

The correct answer is D. Ping Check: False. To enable local authentication if TACACS+ is unreachable and grant access via the fallback domain when the APIC is out of cluster, the Ping Check for the remote authentication server should be set to False.

ACI Management

Question

A network administrator configures AAA inside the Cisco ACI fabric. The authentication goes through the local users if the TACACS+ server is not reachable. If the Cisco APIC is out of the cluster, the access must be granted through the fallback domain. Which configuration set meets these requirements?

Options

  • APing Check: True
  • BPing Check: True
  • CPing Check: False
  • DPing Check: False

How the community answered

(42 responses)
  • A
    10% (4)
  • B
    2% (1)
  • C
    5% (2)
  • D
    83% (35)

Why each option

To enable local authentication if TACACS+ is unreachable and grant access via the fallback domain when the APIC is out of cluster, the Ping Check for the remote authentication server should be set to False.

APing Check: True

`Ping Check: True` means the APIC proactively pings the TACACS+ server, and if the APIC itself is 'out of the cluster' and experiencing network issues, the ping might fail even if the TACACS+ server is up, leading to a potentially premature or incorrect fallback.

BPing Check: True

`Ping Check: True` means the APIC proactively pings the TACACS+ server, and if the APIC itself is 'out of the cluster' and experiencing network issues, the ping might fail even if the TACACS+ server is up, leading to a potentially premature or incorrect fallback.

CPing Check: False

This option is identical to the correct answer option D in the provided choices.

DPing Check: FalseCorrect

Setting `Ping Check: False` ensures that the APIC attempts a full authentication with the TACACS+ server, even if the APIC's own cluster health is compromised ('out of the cluster'). If the authentication attempt fails due to actual server unreachability or the APIC's inability to process the request due to its degraded state, the authentication sequence proceeds to local users. This approach also allows the specific ACI 'fallback domain' feature for cluster-critical situations to correctly provide access, as it relies on definitive authentication failures rather than potentially misleading ping failures caused by a sick APIC.

Concept tested: ACI AAA, remote authentication fallback, APIC cluster fallback

Source: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/5x/security-config/cisco-aci-security-config-guide-50/m-aaa-authentication.html

Topics

#AAA#TACACS+#local users#fallback domain

Community Discussion

No community discussion yet for this question.

Full 300-620 Practice