350-401 · Question #580
An engineer must enable a login authentication method that allows a user to log in by using local authentication if all other defined authentication methods fail. Which configuration should be applied
The correct answer is D. aaa authentication login CONSOLE group tacacs+ local enable. To enable local authentication as a fallback method after other defined authentication methods fail, the aaa authentication login command should list the primary method (e.g., TACACS+) followed by local enable.
Question
An engineer must enable a login authentication method that allows a user to log in by using local authentication if all other defined authentication methods fail. Which configuration should be applied?
Options
- Aaaa authentication login CONSOLE group radius local-case enable aaa
- Bauthentication login CONSOLE group radius local enable none
- Caaa authentication login CONSOLE group radius local enable
- Daaa authentication login CONSOLE group tacacs+ local enable
How the community answered
(43 responses)- A2% (1)
- B7% (3)
- C9% (4)
- D81% (35)
Why each option
To enable local authentication as a fallback method after other defined authentication methods fail, the `aaa authentication login` command should list the primary method (e.g., TACACS+) followed by `local enable`.
The `local-case` keyword is not a valid option for `aaa authentication login` command to specify local authentication fallback, and the repeated `aaa` keyword at the end is syntactically incorrect.
The `none` keyword, if reached, would allow login without any authentication, which does not meet the requirement of falling back to *local authentication* and poses a significant security risk. Also, `aaa` is missing at the start of the command.
While `group radius local enable` is syntactically valid and enables local fallback, TACACS+ (used in option D) is generally preferred over RADIUS for device administration on Cisco platforms due to its separate AAA services and more extensive command authorization capabilities, making D a more commonly recommended solution for administrative access.
The command `aaa authentication login CONSOLE group tacacs+ local enable` configures a login authentication method list. It first attempts authentication using the TACACS+ server group, and if that fails, it falls back to the local user database. The `enable` keyword allows a further fallback to the device's enable password.
Concept tested: AAA login authentication fallback
Source: https://www.cisco.com/c/en/us/td/docs/ios/security/security_cr/sec_c1/sec_a1.html#wp1037599
Topics
Community Discussion
No community discussion yet for this question.