nerdexam
Cisco

350-401 · Question #391

Drag and Drop Question An engineer creates the configuration below. Drag and drop the authentication methods from the left into the order of priority on the right. Not all options are used. Answer:

The correct answer is tacacs servers of group ACE; local configured username in non-case-sensitive format; local configured username in case-sensitive format; AAA servers of AAA_RADIUS group. The correct priority order reflects a typical AAA authentication configuration where TACACS+ is tried first (group ACE), followed by local authentication in non-case-sensitive format, then case-sensitive local authentication, and finally RADIUS (group AAA_RADIUS) as the last reso

Submitted by skyler.x· Mar 6, 2026Infrastructure Security - Configuring and verifying AAA authentication method lists including TACACS+, RADIUS, and local authentication fallback on Cisco IOS devices (CCNP ENCOR / SCOR Security domain)

Question

Drag and Drop Question An engineer creates the configuration below. Drag and drop the authentication methods from the left into the order of priority on the right. Not all options are used. Answer:

Exhibits

350-401 question #391 exhibit 1
350-401 question #391 exhibit 2
350-401 question #391 exhibit 3
350-401 question #391 exhibit 4

Answer Area

Drag items

tacacs servers of group ACElocal configured username in non-case-sensitive formatlocal configured username in case-sensitive formatAAA servers of ACE groupAAA servers of AAA_RADIUS groupif no method works, then deny login

Correct arrangement

  • tacacs servers of group ACE
  • local configured username in non-case-sensitive format
  • local configured username in case-sensitive format
  • AAA servers of AAA_RADIUS group

Explanation

The correct priority order reflects a typical AAA authentication configuration where TACACS+ is tried first (group ACE), followed by local authentication in non-case-sensitive format, then case-sensitive local authentication, and finally RADIUS (group AAA_RADIUS) as the last resort method. This ordering follows the 'aaa authentication login' command sequence where methods are attempted left-to-right, and each subsequent method is only tried if the previous one is unavailable (not if authentication fails). The configuration intentionally does NOT include 'if-no-method deny' (none/deny) as a final fallback, meaning the list ends with AAA_RADIUS.

Topics

#AAA Authentication#TACACS+#RADIUS#aaa authentication login

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice