350-401 Question #165: Real Exam Question with Answer & Explanation

Question

A network administrator applies the following configuration to an IOS device: aaa new-model aaa authentication login default local group tacacs+ What is the process of password checks when a login attempt is made to the device?

Options

• AA TACACS+server is checked first. If that check fail, a database is checked?
• BA TACACS+server is checked first. If that check fail, a RADIUS server is checked. If that check
• CA local database is checked first. If that fails, a TACACS+server is checked, if that check fails, a
• DA local database is checked first. If that check fails, a TACACS+server is checked.

Explanation

Explanation

Option D is correct because the AAA authentication command lists methods in left-to-right order of priority - local appears before group tacacs+ in the command aaa authentication login default local group tacacs+, meaning the local database is always checked first, and the TACACS+ server is only consulted if the local lookup fails.

• Option A reverses the order, incorrectly stating TACACS+ is checked first - this would only be true if the command read group tacacs+ local.
• Option B is wrong for the same reason as A, and also incorrectly introduces RADIUS, which is not referenced anywhere in this configuration.
• Option C is also wrong on the order (TACACS+ first), and introduces a third method that doesn't exist in this two-method command.

Memory Tip: Think of the AAA method list as a queue - first in, first served. Whatever method appears first in the command is checked first. In local group tacacs+, "local" is at the front of the line, so it goes first. If you can read the command left to right, you can always determine the authentication order.

No community discussion yet for this question.