nerdexam
Cisco

350-401 · Question #584

Refer to the exhibit. The network administrator must be able to perform configuration changes when all the RADIUS servers are unreachable. Which configuration allows all commands to be authorized if t

The correct answer is C. aaa authorization exec default group radius if-authenticated. Explanation Option C is correct because the if-authenticated keyword instructs the device to authorize all commands for a user who has already successfully authenticated, specifically when all configured authorization methods (RADIUS servers) are unavailable - this is exactly the

Submitted by wei.xz· Mar 6, 2026Security

Question

Refer to the exhibit. The network administrator must be able to perform configuration changes when all the RADIUS servers are unreachable. Which configuration allows all commands to be authorized if the user has successfully authenticated?

Exhibits

350-401 question #584 exhibit 1
350-401 question #584 exhibit 2

Options

  • Aaaa authorization exec default group radius none
  • Baaa authentication login default group radius local none
  • Caaa authorization exec default group radius if-authenticated
  • Daaa authorization exec default group radius

How the community answered

(19 responses)
  • A
    5% (1)
  • B
    16% (3)
  • C
    74% (14)
  • D
    5% (1)

Explanation

Explanation

Option C is correct because the if-authenticated keyword instructs the device to authorize all commands for a user who has already successfully authenticated, specifically when all configured authorization methods (RADIUS servers) are unavailable - this is exactly the fallback behavior required.

  • Option A is incorrect because the none keyword means authorization is bypassed entirely regardless of authentication status, which is a security risk and doesn't conditionally authorize based on successful authentication.
  • Option B is incorrect because it addresses authentication (login), not authorization (exec privilege), and local none is a fallback for authentication sources, not authorization behavior.
  • Option D is incorrect because without a fallback keyword, if all RADIUS servers are unreachable, authorization will fail completely, locking out the administrator entirely.

Memory Tip: Think of if-authenticated as a "trust but verify" shortcut - "If you already proved who you are, I'll trust you to do anything when I can't reach my authorization server." Contrast this with none, which means "don't even check" - a security hole rather than a safe fallback.

Topics

#AAA#Authorization#RADIUS#Fallback Mechanism

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice