nerdexam
Cisco

350-401 · Question #580

An engineer must enable a login authentication method that allows a user to log in by using local authentication if all other defined authentication methods fail. Which configuration should be applied

The correct answer is D. aaa authentication login CONSOLE group tacacs+ local enable. To enable local authentication as a fallback method after other defined authentication methods fail, the aaa authentication login command should list the primary method (e.g., TACACS+) followed by local enable.

Submitted by krish.m· Mar 6, 2026Security

Question

An engineer must enable a login authentication method that allows a user to log in by using local authentication if all other defined authentication methods fail. Which configuration should be applied?

Options

  • Aaaa authentication login CONSOLE group radius local-case enable aaa
  • Bauthentication login CONSOLE group radius local enable none
  • Caaa authentication login CONSOLE group radius local enable
  • Daaa authentication login CONSOLE group tacacs+ local enable

How the community answered

(43 responses)
  • A
    2% (1)
  • B
    7% (3)
  • C
    9% (4)
  • D
    81% (35)

Why each option

To enable local authentication as a fallback method after other defined authentication methods fail, the `aaa authentication login` command should list the primary method (e.g., TACACS+) followed by `local enable`.

Aaaa authentication login CONSOLE group radius local-case enable aaa

The `local-case` keyword is not a valid option for `aaa authentication login` command to specify local authentication fallback, and the repeated `aaa` keyword at the end is syntactically incorrect.

Bauthentication login CONSOLE group radius local enable none

The `none` keyword, if reached, would allow login without any authentication, which does not meet the requirement of falling back to *local authentication* and poses a significant security risk. Also, `aaa` is missing at the start of the command.

Caaa authentication login CONSOLE group radius local enable

While `group radius local enable` is syntactically valid and enables local fallback, TACACS+ (used in option D) is generally preferred over RADIUS for device administration on Cisco platforms due to its separate AAA services and more extensive command authorization capabilities, making D a more commonly recommended solution for administrative access.

Daaa authentication login CONSOLE group tacacs+ local enableCorrect

The command `aaa authentication login CONSOLE group tacacs+ local enable` configures a login authentication method list. It first attempts authentication using the TACACS+ server group, and if that fails, it falls back to the local user database. The `enable` keyword allows a further fallback to the device's enable password.

Concept tested: AAA login authentication fallback

Source: https://www.cisco.com/c/en/us/td/docs/ios/security/security_cr/sec_c1/sec_a1.html#wp1037599

Topics

#Cisco AAA#Authentication failover#Local authentication#CLI commands

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice