350-401 · Question #725
An engineer must configure an EXEC authorization list that first checks a AAA server then a local username. If both methods fail, the user is denied. Which configuration should be applied?
The correct answer is D. aaa authorization exec default group radius local. AAA Authorization Method List Explanation Option D (aaa authorization exec default group radius local) is correct because it checks a RADIUS server first, then falls back to the local username database - matching the exact requirement. When both methods are exhausted without succ
Question
An engineer must configure an EXEC authorization list that first checks a AAA server then a local username. If both methods fail, the user is denied. Which configuration should be applied?
Options
- Aaaa authorization exec default local group tacacs+
- Baaa authorization exec default local group radius none
- Caaa authorization exec default group radius local none
- Daaa authorization exec default group radius local
How the community answered
(36 responses)- A3% (1)
- B3% (1)
- C6% (2)
- D89% (32)
Explanation
AAA Authorization Method List Explanation
Option D (aaa authorization exec default group radius local) is correct because it checks a RADIUS server first, then falls back to the local username database - matching the exact requirement. When both methods are exhausted without success, IOS implicitly denies access, so no none keyword is needed or desired here.
Why the distractors are wrong:
- Option A reverses the order (local first, then TACACS+) and uses TACACS+ instead of RADIUS, violating both requirements
- Option B uses RADIUS but checks
localfirst before RADIUS, and thenonekeyword would grant access even if both methods fail - a security risk - Option C appears structurally similar to D but appends
noneat the end, which allows access even when both AAA server and local authentication fail, contradicting the "user is denied" requirement
Memory Tip: Think of the method list as a priority queue - methods are checked left to right in the order you type them. The keyword
noneis a "safety net that shouldn't exist" in secure configs - if you see it on an exam question requiring denial on failure, that answer is almost certainly wrong.
Topics
Community Discussion
No community discussion yet for this question.