When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

Posted by: Pdfprep Category: 210-260

When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)
A. group RADIUS
B. group TACACS+
C. local
D. krb5
E. enable
F. if-authenticated

Answer: C,E

Explanation:

TACACS+ Authentication Examples

The following example shows how to configure TACACS+ as the security protocol for PPP authentication:

aaa new-model
aaa authentication ppp test group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
 ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows:

• The aaa new-model command enables the AAA security services.

• The aaa authentication command defines a method list, "test," to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local indicates that authentication will be attempted using the local database on the network access server.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml

Authentication

Start to configure TAC+ on the router. Enter enable mode and type configure terminal before the command set. This command syntax ensures that you are not locked out of the router initially, providing the tac_plus_executable is not running:

!--- Turn on TAC+.
aaa new-model
enable password whatever
!--- These are lists of authentication methods.
!--- "linmethod", "vtymethod", "conmethod", and
!--- so on are names of lists, and the methods
!--- listed on the same lines are the methods
!--- in the order to be tried. As used here, if
!--- authentication fails due to the
!--- tac_plus_executable not being started, the
!--- enable password is accepted because
!--- it is in each list.
!
aaa authentication login linmethod tacacs+ enable
aaa authentication login vtymethod tacacs+ enable
aaa authentication login conmethod tacacs+ enable
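An added example (not from the original page or from Cisco's documentation): a short Python check that reads `aaa authentication login` lines and flags any method list whose final method is not local or enable, accepting both the `group tacacs+` form and the older bare `tacacs+` form shown above. The sample configuration and the list names "remote" and "mixed" are constructed, and every method other than local and enable is assumed to depend on an external server.

```python
import re

# Final methods that need no external server (the page's answer: local, enable).
# Assumption: every other method is treated as server-dependent.
SERVERLESS = {"local", "enable"}
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")

# Constructed sample; "remote" and "mixed" are made-up list names.
SAMPLE = """\
aaa new-model
aaa authentication login vtymethod tacacs+ enable
aaa authentication login conmethod group tacacs+ local
aaa authentication login remote group tacacs+
aaa authentication login mixed group radius group tacacs+
aaa authentication ppp test group tacacs+ local
"""

def parse_login_lists(config):
    """Map each login method-list name to its ordered methods."""
    lists = {}
    for raw in config.splitlines():
        match = LOGIN_RE.match(raw.strip())
        if not match:
            continue  # not a login method list (e.g. the ppp list)
        tokens, methods = match.group(2).split(), []
        while tokens:
            word = tokens.pop(0)
            # "group <name>" is one method; the legacy "tacacs+" form stands alone
            methods.append(f"group {tokens.pop(0)}" if word == "group" and tokens else word)
        lists[match.group(1)] = methods
    return lists

def lists_without_fallback(config):
    """Names of login lists whose final method still depends on a server."""
    return sorted(n for n, m in parse_login_lists(config).items() if m[-1] not in SERVERLESS)

def method_used_when_servers_down(methods):
    """First method that can answer when every AAA server returns ERROR, else None."""
    return next((m for m in methods if m in SERVERLESS), None)

if __name__ == "__main__":
    for name, methods in parse_login_lists(SAMPLE).items():
        used = method_used_when_servers_down(methods)
        print(f"{name}: {' -> '.join(methods)} | servers down: {used or 'LOCKED OUT'}")
    print("missing fallback:", lists_without_fallback(SAMPLE))
```
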
