nerdexam
Cisco

350-401 · Question #1061

An engineer must configure router R1 to validate user logins via RADIUS and fall back to the local user database if the RADIUS server is not available. Which configuration must be applied?

The correct answer is A. aaa authentication exec default radius local. To configure router R1 for RADIUS authentication with a local user database fallback for user logins, the aaa authentication exec default radius local command must be applied.

Submitted by jakub_pl· Mar 6, 2026

Question

An engineer must configure router R1 to validate user logins via RADIUS and fall back to the local user database if the RADIUS server is not available. Which configuration must be applied?

Options

  • Aaaa authentication exec default radius local
  • Baaa authentication exec default radius
  • Caaa authorization exec default radius local
  • Daaa authorization exec default radius

How the community answered

(24 responses)
  • A
    75% (18)
  • B
    17% (4)
  • C
    4% (1)
  • D
    4% (1)

Why each option

To configure router R1 for RADIUS authentication with a local user database fallback for user logins, the `aaa authentication exec default radius local` command must be applied.

Aaaa authentication exec default radius localCorrect

The `aaa authentication exec default` command specifies the authentication method list for accessing the EXEC shell. `radius` is configured as the primary method, causing the router to attempt authentication against the RADIUS server first. `local` is the fallback method, ensuring that if the RADIUS server is unreachable, the router will then authenticate against its locally configured user database, fulfilling the requirement.

Baaa authentication exec default radius

This command specifies RADIUS as the only authentication method and does not include a fallback mechanism to the local user database, meaning user logins would fail if the RADIUS server is unavailable.

Caaa authorization exec default radius local

This command configures `authorization`, which determines what a user can do after authentication, rather than `authentication`, which verifies the user's identity during login.

Daaa authorization exec default radius

This command configures `authorization` instead of `authentication`, and it also lacks the necessary fallback to the local user database, making it incorrect for the stated requirement.

Concept tested: Cisco IOS AAA authentication fallback (local)

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-usr-aaa-methods.html

Topics

#AAA authentication#RADIUS authentication#Local authentication#Authentication fallback

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice