350-401 Question #1265: Real Exam Question with Answer & Explanation

Question

Refer to the exhibit. Which configuration must be applied for the TACACS+ server to grant access-level rights to remote users?

Options

• AR1(config)# aaa accounting commands 15 default start-stop group tacacs+
• BR1 (config)# aaa authentication login enable
• CR1 (config)# aaa authorization exec default group tacacs+
• DR1 (config)# aaa authorization exec default local if-authenticated

Explanation

To control the access level and commands a remote user can execute via TACACS+, authorization must be configured.

Common mistakes.

• A. The aaa accounting commands 15 default start-stop group tacacs+ command is used for logging the commands executed by users to the TACACS+ server, not for authorizing or granting specific access-level rights.
• B. The aaa authentication login enable command configures authentication for entering enable mode, but it does not define the access-level rights or authorized commands for a user after they have logged in.
• D. The aaa authorization exec default local if-authenticated command instructs the router to use its local user database for EXEC authorization if the user has been successfully authenticated, rather than consulting a TACACS+ server for authorization.

Concept tested. TACACS+ AAA authorization for EXEC shell

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-mt/sec-usr-aaa-15-mt-book/sec-authz-cfg.html

No community discussion yet for this question.