nerdexam
Cisco

350-401 · Question #129

Which two statements about AAA authentication are true? (Choose two)

The correct answer is D. Local authentication is maintained on the router. E. KRB5 authentication disables user access when an incorrect password is entered.. Local AAA authentication uses credentials stored on the device itself, while Kerberos authentication can enforce account lockout policies as part of its security framework.

Submitted by krish.m· Mar 6, 2026Wireless LAN Security

Question

Which two statements about AAA authentication are true? (Choose two)

Options

  • ARADIUS authentication queries the router's local username database.
  • BTACASCS+ authentication uses an RSA server to authenticate users.
  • CLocal user names are case-insensitive.
  • DLocal authentication is maintained on the router.
  • EKRB5 authentication disables user access when an incorrect password is entered.

How the community answered

(34 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    6% (2)
  • D
    88% (30)

Why each option

Local AAA authentication uses credentials stored on the device itself, while Kerberos authentication can enforce account lockout policies as part of its security framework.

ARADIUS authentication queries the router's local username database.

RADIUS authentication queries an external RADIUS server for user credentials, not the router's local username database.

BTACASCS+ authentication uses an RSA server to authenticate users.

TACACS+ authentication relies on a dedicated TACACS+ server to validate user credentials, not specifically an RSA server, although an RSA SecurID system could be used as a backend authentication source for a TACACS+ server.

CLocal user names are case-insensitive.

On Cisco IOS devices, local usernames are typically case-sensitive, meaning that 'Admin' and 'admin' are treated as distinct accounts.

DLocal authentication is maintained on the router.Correct

When local authentication is configured on a router, the device utilizes an internal database of usernames and passwords stored directly on its persistent memory to verify user credentials. This provides a self-contained authentication method independent of external servers.

EKRB5 authentication disables user access when an incorrect password is entered.Correct

Kerberos (KRB5) authentication systems are designed to integrate with directory services that enforce robust security policies, including account lockout mechanisms. These policies disable user accounts or prevent further login attempts for a specified duration after a configurable number of incorrect password entries, thereby enhancing security.

Concept tested: AAA authentication methods and features

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book/sec-cfg-aaa-locl.html

Topics

#AAA#RADIUS#TACACS+#local authentication

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice