350-401 · Question #704
Refer to the exhibit. A network engineer must configure the router to use the ISE-Servers group for authentication. If both ISE servers are unavailable, the local username database must be used. If no
The correct answer is A. aaa authentication login default group ISE-Servers local enable. To configure AAA login authentication with a fallback mechanism, the aaa authentication login default command must list the authentication methods in the desired order of precedence.
Question
Exhibits
Options
- Aaaa authentication login default group ISE-Servers local enable
- Baaa authentication login default group enable local ISE-Servers
- Caaa authorization exec default group ISE-Servers local enable
- Daaa authentication login error-enable
How the community answered
(55 responses)- A71% (39)
- B15% (8)
- C4% (2)
- D11% (6)
Why each option
To configure AAA login authentication with a fallback mechanism, the `aaa authentication login default` command must list the authentication methods in the desired order of precedence.
The command `aaa authentication login default group ISE-Servers local enable` correctly configures the desired authentication order. It first attempts authentication via the `ISE-Servers` TACACS+/RADIUS group, then falls back to the `local` username database, and finally resorts to the `enable` password as the last option if no other method succeeds.
This choice specifies an incorrect authentication order, attempting to use `enable` and `local` before the primary `ISE-Servers` group, which contradicts the requirement.
This command `aaa authorization exec` is used for authorization (determining what commands a user can execute) after successful authentication, not for the login authentication process itself.
`aaa authentication login error-enable` is a specific command used for handling authentication server errors, not for defining the primary authentication method list and its fallback sequence.
Concept tested: AAA authentication fallback order
Source: https://www.cisco.com/c/en/us/td/docs/ios/security/security_cr/sec_c1/sec_chap10.html#wp1077759
Topics
Community Discussion
No community discussion yet for this question.

