350-401 · Question #1265
Refer to the exhibit. Which configuration must be applied for the TACACS+ server to grant access-level rights to remote users?
The correct answer is C. R1 (config)# aaa authorization exec default group tacacs+. To control the access level and commands a remote user can execute via TACACS+, authorization must be configured.
Question
Exhibits
Options
- AR1(config)# aaa accounting commands 15 default start-stop group tacacs+
- BR1 (config)# aaa authentication login enable
- CR1 (config)# aaa authorization exec default group tacacs+
- DR1 (config)# aaa authorization exec default local if-authenticated
How the community answered
(25 responses)- A8% (2)
- B4% (1)
- C76% (19)
- D12% (3)
Why each option
To control the access level and commands a remote user can execute via TACACS+, authorization must be configured.
The `aaa accounting commands 15 default start-stop group tacacs+` command is used for logging the commands executed by users to the TACACS+ server, not for authorizing or granting specific access-level rights.
The `aaa authentication login enable` command configures authentication for entering enable mode, but it does not define the access-level rights or authorized commands for a user after they have logged in.
The command `aaa authorization exec default group tacacs+` configures the router to use the TACACS+ server for authorizing user access to the EXEC shell. This allows the TACACS+ server to define what privilege level or specific commands an authenticated remote user is permitted to execute, thereby granting access-level rights.
The `aaa authorization exec default local if-authenticated` command instructs the router to use its local user database for EXEC authorization if the user has been successfully authenticated, rather than consulting a TACACS+ server for authorization.
Concept tested: TACACS+ AAA authorization for EXEC shell
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-mt/sec-usr-aaa-15-mt-book/sec-authz-cfg.html
Topics
Community Discussion
No community discussion yet for this question.

