350-401 Question #580: Real Exam Question with Answer & Explanation
The correct answer is D: aaa authentication login CONSOLE group tacacs+ local enable. To enable local authentication as a fallback method after other defined authentication methods fail, the aaa authentication login command should list the primary method (e.g., TACACS+) followed by local enable.
Question
An engineer must enable a login authentication method that allows a user to log in by using local authentication if all other defined authentication methods fail. Which configuration should be applied?
Options
- A. `aaa authentication login CONSOLE group radius local-case enable aaa`
- B. `authentication login CONSOLE group radius local enable none`
- C. `aaa authentication login CONSOLE group radius local enable`
- D. `aaa authentication login CONSOLE group tacacs+ local enable`
Explanation
To enable local authentication as a fallback method after other defined authentication methods fail, the aaa authentication login command should list the primary method (e.g., TACACS+) followed by local enable.
Common mistakes.
- A. The `local-case` keyword is not a valid option for `aaa authentication login` command to specify local authentication fallback, and the repeated `aaa` keyword at the end is syntactically incorrect.
- B. The `none` keyword, if reached, would allow login without any authentication, which does not meet the requirement of falling back to local authentication and poses a significant security risk. Also, `aaa` is missing at the start of the command.
- C. While `group radius local enable` is syntactically valid and enables local fallback, TACACS+ (used in option D) is generally preferred over RADIUS for device administration on Cisco platforms due to its separate AAA services and more extensive command authorization capabilities, making D a more commonly recommended solution for administrative access.
Concept tested. AAA login authentication fallback
Reference. https://www.cisco.com/c/en/us/td/docs/ios/security/security_cr/sec_c1/sec_a1.html#wp1037599