350-401 Question #129: Real Exam Question with Answer & Explanation

Question

Which two statements about AAA authentication are true? (Choose two)

Options

• ARADIUS authentication queries the router's local username database.
• BTACASCS+ authentication uses an RSA server to authenticate users.
• CLocal user names are case-insensitive.
• DLocal authentication is maintained on the router.
• EKRB5 authentication disables user access when an incorrect password is entered.

Explanation

Local AAA authentication uses credentials stored on the device itself, while Kerberos authentication can enforce account lockout policies as part of its security framework.

Common mistakes.

• A. RADIUS authentication queries an external RADIUS server for user credentials, not the router's local username database.
• B. TACACS+ authentication relies on a dedicated TACACS+ server to validate user credentials, not specifically an RSA server, although an RSA SecurID system could be used as a backend authentication source for a TACACS+ server.
• C. On Cisco IOS devices, local usernames are typically case-sensitive, meaning that 'Admin' and 'admin' are treated as distinct accounts.

Concept tested. AAA authentication methods and features

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book/sec-cfg-aaa-locl.html

No community discussion yet for this question.