
AAA Questions

January 28th, 2021 in ENCOR 350-401

Note: If you are not sure about AAA, please read our AAA TACACS+ and RADIUS Tutorial (on 9tut.com).

Question 1

Question 2

Explanation

The “aaa authentication login default local group tacacs+” command is broken down as follows:

+ The ‘aaa authentication’ part is simply saying we want to configure authentication settings.
+ The ‘login’ is stating that we want to prompt for a username/password when a connection is made to the device.
+ The ‘default’ keyword means the list applies to all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under the tty, vty and aux lines. If we don’t use this keyword, we have to specify which line(s) the authentication list applies to.
+ The ‘local group tacacs+’ part means all users are authenticated using the router’s local database (the first method). If the credentials are not found in the local database, then the TACACS+ server is used (the second method).

Question 3


Explanation

According to the requirements (first use TACACS+, then allow login with no authentication), we have to use “aaa authentication login … group tacacs+ none” as the AAA command.

The next thing to check is whether “aaa authentication login default” or “aaa authentication login list-name” is used. The ‘default’ keyword means the list applies to all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under the tty, vty and aux lines. If we don’t use this keyword, we have to specify which line(s) the authentication list applies to.

From the above information, we can see that answer C is correct, although the “password 7 0202039485748” line under “line vty 0 4” is not necessary.

If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS Tutorial – Part 2.

For your information, answer D would be correct if we added the following command under the vty line (“line vty 0 4”): “login authentication telnet” (“telnet” is the name of the AAA list above).
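The default-versus-named-list rule from the explanation above can be checked mechanically. The following is an added example (not part of the original page or of any Cisco tool): a small Python check that resolves which login method list each line block uses and flags lists that contain “none”. The sample configuration and the function name effective_login_auth are constructed for illustration.

```python
import re

# Constructed sample config (not the question's exhibit): the named list
# "telnet" exists, but only "line vty 0 4" references it.
SAMPLE = """\
aaa new-model
aaa authentication login default local
aaa authentication login telnet group tacacs+ none
line con 0
line vty 0 4
 login authentication telnet
line vty 5 15
"""

def effective_login_auth(config):
    """Map each line block to (list name, methods, warnings)."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            # "group tacacs+" is one method; everything else is one token each
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
        elif raw.startswith("line "):
            current = text
            lines[current] = "default"   # no override seen yet: default list
        elif current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
        elif text and not raw.startswith(" "):
            current = None               # a global command ends the line block
    report = {}
    for line, name in lines.items():
        methods = lists.get(name, [])
        warnings = []
        if name not in lists:
            warnings.append("method list not defined")
        if "none" in methods:
            warnings.append("falls back to no authentication")
        report[line] = (name, methods, warnings)
    return report

if __name__ == "__main__":
    for line, (name, methods, warnings) in effective_login_auth(SAMPLE).items():
        print(f"{line}: list={name} methods={methods} warnings={warnings}")
```

In the sample, only “line vty 0 4” picks up the “telnet” list; the console and the remaining vty lines stay on the default list.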

Question 4

Question 5

Explanation

The “autocommand” keyword causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line: “username CCNP autocommand show running-config”.

Question 6

Explanation

In this question, there are two different passwords for user “tommy”:
+ In the TACACS+ server, the password is “Tommy”
+ In the local database of the router, the password is “Cisco”.

From the line “login authentication local” we know that the router uses the local database for authentication so the password should be “Cisco”.

Note: “… password 0 …” here means unencrypted password.

Comments
  1. Anonymous
    February 17th, 2021

    Question 1

    B. TACACS+ authentication uses an RSA server to authenticate users
    C. Local user names are case-insensitive

    B and C I think are also true

    Digitaltut can you look in this one

  2. Anonymous
    March 17th, 2021

    Q6.
    aaa authentication login local tacacs+ | local keyword defines authentication methods when it is applied manually under console line with #login authentication local
    \\in this case the password should be “Tommy” (correct answer D)

    if the line console configuration was like #line console 0 > login local , the password would be “Cisco”

  3. Da Hulk
    March 23rd, 2021

    @Digitaltut

    Please look into Q.6 as it appears the passwords in the answers are not correctly placed. Thanks in advance.

  4. Anonymous
    April 10th, 2021

    Keyword local in the command “aaa authentication login local” is related to AAA method name not local database so, method named local is indicating to tacacs server that indicates to password Tommy so, Answer is D
    Thanks & Best Regards,

  5. contoso
    April 12th, 2021

    Q6, the syntax used in exhibit was wrong in the first place.

    correct one:
    aaa authentication login [authentication list name] [default] group tacacs+

    and in line con 0 if using the command ?
    Router(config-line)#login authentication ?
    WORD Use an authentication list with this name.
    default Use the default authentication list.

    we may use the [authentication list name] or [default] here.
    in the exhibit, it used “local” as authentication list, followed by the tacacs+ only. (could be typo in there, which missing “group” before tacacs+)

  6. tmr
    April 13th, 2021

    I agree, in Q6 the answer should be Tommy ……

    ADMIN….. Please look into it

  7. HM
    April 14th, 2021

    @digitaltut

    Please check Q6

    local is the name of the list, not the authentication method. Please check the answer again.

  8. thorr18
    April 18th, 2021

    “Which two statements about AAA authentication are true?”
    If you use “local” instead of “local-case” then the username is not case-sensitive.
    The question does not accept “Local user names are case-insensitive”
    I proved it on lab with this, *not* using “local-case”:
    !
    aaa new-model
    aaa authentication login default local enable
    aaa authentication login ADMIN local
    username CCNP secret Str0ngP@ssw0rd!
    line 0 4
    login authentication ADMIN
    !

  9. AT
    May 6th, 2021

    @digitaltut

    HM is right, about Q6.
    “local” is the name of the list, not an authentication method.
    Correct answer should be “Tommy”

    Please check again
