350-401 · Question #940
Refer to the exhibit. Which configuration enables fallback to local authentication and authorization when no TACACS+ server is available?
The correct answer is D. Router(config)# aaa authentication login default group tacacs+ local. To configure AAA authentication with TACACS+ as the primary method and local authentication as a fallback when TACACS+ servers are unavailable, a specific authentication login method list is used.
Question
Exhibits
Options
- ARouter(config)# aaa fallback local
- BRouter(config)# aaa authentication login FALLBACK local
- CRouter(config)# aaa authentication login default local
- DRouter(config)# aaa authentication login default group tacacs+ local
How the community answered
(15 responses)- A7% (1)
- B7% (1)
- C13% (2)
- D73% (11)
Why each option
To configure AAA authentication with TACACS+ as the primary method and local authentication as a fallback when TACACS+ servers are unavailable, a specific authentication login method list is used.
The `aaa fallback local` command is not a standard Cisco IOS command for configuring AAA authentication fallback in this context.
The `aaa authentication login FALLBACK local` command defines a new method list named 'FALLBACK' but does not combine TACACS+ with local authentication in the correct syntax for fallback.
The `aaa authentication login default local` command would configure only local authentication as the default, without attempting TACACS+ first or providing an explicit fallback mechanism in the desired order.
The `aaa authentication login default group tacacs+ local` command creates a default login method list, specifying that authentication should first attempt to use a TACACS+ server group, and if that fails, it should then fall back to local authentication.
Concept tested: Cisco IOS AAA authentication fallback
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-mt/sec-usr-aaa-15-mt-book/sec-cfg-aaa.html
Topics
Community Discussion
No community discussion yet for this question.

