nerdexam
Cisco

350-401 · Question #940

Refer to the exhibit. Which configuration enables fallback to local authentication and authorization when no TACACS+ server is available?

The correct answer is D. Router(config)# aaa authentication login default group tacacs+ local. To configure AAA authentication with TACACS+ as the primary method and local authentication as a fallback when TACACS+ servers are unavailable, a specific authentication login method list is used.

Submitted by renata2k· Mar 6, 2026Security

Question

Refer to the exhibit. Which configuration enables fallback to local authentication and authorization when no TACACS+ server is available?

Exhibits

350-401 question #940 exhibit 1
350-401 question #940 exhibit 2

Options

  • ARouter(config)# aaa fallback local
  • BRouter(config)# aaa authentication login FALLBACK local
  • CRouter(config)# aaa authentication login default local
  • DRouter(config)# aaa authentication login default group tacacs+ local

How the community answered

(15 responses)
  • A
    7% (1)
  • B
    7% (1)
  • C
    13% (2)
  • D
    73% (11)

Why each option

To configure AAA authentication with TACACS+ as the primary method and local authentication as a fallback when TACACS+ servers are unavailable, a specific authentication login method list is used.

ARouter(config)# aaa fallback local

The `aaa fallback local` command is not a standard Cisco IOS command for configuring AAA authentication fallback in this context.

BRouter(config)# aaa authentication login FALLBACK local

The `aaa authentication login FALLBACK local` command defines a new method list named 'FALLBACK' but does not combine TACACS+ with local authentication in the correct syntax for fallback.

CRouter(config)# aaa authentication login default local

The `aaa authentication login default local` command would configure only local authentication as the default, without attempting TACACS+ first or providing an explicit fallback mechanism in the desired order.

DRouter(config)# aaa authentication login default group tacacs+ localCorrect

The `aaa authentication login default group tacacs+ local` command creates a default login method list, specifying that authentication should first attempt to use a TACACS+ server group, and if that fails, it should then fall back to local authentication.

Concept tested: Cisco IOS AAA authentication fallback

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-mt/sec-usr-aaa-15-mt-book/sec-cfg-aaa.html

Topics

#AAA#TACACS+#authentication fallback#local authentication

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice