nerdexam
Cisco

350-401 · Question #1265

Refer to the exhibit. Which configuration must be applied for the TACACS+ server to grant access-level rights to remote users?

The correct answer is C. R1 (config)# aaa authorization exec default group tacacs+. To control the access level and commands a remote user can execute via TACACS+, authorization must be configured.

Submitted by yaw92· Mar 6, 2026Security

Question

Refer to the exhibit. Which configuration must be applied for the TACACS+ server to grant access-level rights to remote users?

Exhibits

350-401 question #1265 exhibit 1
350-401 question #1265 exhibit 2

Options

  • AR1(config)# aaa accounting commands 15 default start-stop group tacacs+
  • BR1 (config)# aaa authentication login enable
  • CR1 (config)# aaa authorization exec default group tacacs+
  • DR1 (config)# aaa authorization exec default local if-authenticated

How the community answered

(25 responses)
  • A
    8% (2)
  • B
    4% (1)
  • C
    76% (19)
  • D
    12% (3)

Why each option

To control the access level and commands a remote user can execute via TACACS+, authorization must be configured.

AR1(config)# aaa accounting commands 15 default start-stop group tacacs+

The `aaa accounting commands 15 default start-stop group tacacs+` command is used for logging the commands executed by users to the TACACS+ server, not for authorizing or granting specific access-level rights.

BR1 (config)# aaa authentication login enable

The `aaa authentication login enable` command configures authentication for entering enable mode, but it does not define the access-level rights or authorized commands for a user after they have logged in.

CR1 (config)# aaa authorization exec default group tacacs+Correct

The command `aaa authorization exec default group tacacs+` configures the router to use the TACACS+ server for authorizing user access to the EXEC shell. This allows the TACACS+ server to define what privilege level or specific commands an authenticated remote user is permitted to execute, thereby granting access-level rights.

DR1 (config)# aaa authorization exec default local if-authenticated

The `aaa authorization exec default local if-authenticated` command instructs the router to use its local user database for EXEC authorization if the user has been successfully authenticated, rather than consulting a TACACS+ server for authorization.

Concept tested: TACACS+ AAA authorization for EXEC shell

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-mt/sec-usr-aaa-15-mt-book/sec-authz-cfg.html

Topics

#TACACS+#AAA authorization#exec authorization#privilege level

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice