Aaa Flashcards
The login method is configured on the VTY lines of a router with these parameters:
* The first method for authentication is TACACS
* If TACACS is unavailable, login is allowed without any provided credentials
Which configuration accomplishes this task?
Here are some helping thoughts.
aaa new-model replaces the previous line-based login configuration: once it is entered, the lines authenticate through AAA method lists (local usernames by default) instead of the line password.
aaa authentication login <name> group tacacs+ none
DO NOT be confused by
VTY or TELNET in the AAA authentication list name: it is just a name, and what matters is the list of methods to the right of it.
The requirements are TACACS and NO PASSWORD, so always check that the NO PASSWORD = NONE keyword is at the end of the line.
Next is the question about LOGIN.
For LOGIN only you do not need line vty ... login authentication LOCAL or a password xyz under the line; the TACACS/none list handles the login. Elevating the default privilege level from 1 to 15 is handled separately (enable authentication or exec authorization), not by those commands. What a named list (anything other than default) does need is to be applied to the VTY lines with login authentication <name> under line vty, otherwise the lines keep using the default list.
A network administrator applies the following configuration to an IOS device:
aaa new-model
aaa authentication login default local group tacacs+
What is the process of password checks when a login attempt is made to the device?
A. A TACACS+ server is checked first. If that check fails, a local database is checked.
B. A TACACS+ server is checked first. If that check fails, a RADIUS server is checked. If that check fails, a local database is checked.
C. A local database is checked first. If that check fails, a TACACS+ server is checked. If that check fails, a RADIUS server is checked.
D. A local database is checked first. If that check fails, a TACACS+ server is checked.
D. A local database is checked first. If that check fails, a TACACS+ server is checked.
Explanation: The “aaa authentication login default local group tacacs+” command is broken down as follows:
+ The ‘aaa authentication’ part is simply saying we want to configure authentication settings.
+ The ‘login’ is stating that we want to prompt for a username/ password when a connection is made to the device.
+ The ‘default’ means we want to apply it to all login connections (tty, vty, console and aux). With this keyword nothing else needs to be configured under the tty, vty and aux lines. With a named list instead, we have to specify on which line(s) the list applies (login authentication <name>).
+ The ‘local group tacacs+’ means users are authenticated against the router’s local database first (the first method). Only if the local method returns an error, i.e. the username is not in the local database, is the TACACS+ server consulted as the second method. A wrong password for a locally defined user is a failure, not an error, so the login is denied without asking TACACS+.
Refer to the exhibit. An engineer must create a configuration that executes the show run command and then terminates the session when user CCNP logs in.
Which configuration change is required?
A. Add the access-class keyword to the username command.
B. Add the autocommand keyword to the aaa authentication command.
C. Add the access-class keyword to the aaa authentication command.
D. Add the autocommand keyword to the username command.
D. Add the autocommand keyword to the username command.
DRAG DROP
An engineer creates the configuration below. Drag and drop the authentication methods from the left into the order of priority on the right. Not all options are used.
R1#sh run | i aaa
aaa new-model
aaa authentication login default group ACE group AAA_RADIUS local-case
aaa session-id common
R1#
Select and Place:
priority 1: AAA servers of ACE group
priority 2: AAA servers of AAA_RADIUS group
priority 3: locally configured username, case-sensitive (local-case)
priority 4: If no method works, then deny login
Refer to the exhibit. An engineer has configured Cisco ISE to assign VLANs to clients based on their method of authentication, but this is not working as expected.
Which action will resolve this issue?
A. enable AAA override
B. set a NAC state
C. utilize RADIUS profiling
D. require a DHCP address assignment
A. enable AAA override
Enable AAA Override and Cisco Identity Services Engine (ISE) Assign VLANs features are often used together
Enable AAA Override is a feature that allows the authentication, authorization, and accounting (AAA) server to override the VLAN assignment of a user’s device. This allows the AAA server, such as Cisco ISE, to assign a specific VLAN to a user’s device based on the user’s credentials and the policies configured on the AAA server.
Which configuration allows administrators to configure the device through the console port and use a network authentication server?
A.
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization config-commands
username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDAx1uV
B.
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization config-commands
C.
aaa new-model
aaa authentication login default line
D.
aaa new-model
aaa authentication login default group radius
aaa authorization console
aaa authorization config-commands
D.
aaa new-model
aaa authentication login default group radius
aaa authorization console
aaa authorization config-commands
Weird possible answers…
By process of elimination only D is possible, because it is the only answer that uses an external AAA server (group radius). Authorization is not applied to the console line by default; aaa authorization console is what turns it on there.
Refer to the exhibit. The network administrator must be able to perform configuration changes when all the RADIUS servers are unreachable. Which configuration allows all commands to be authorized if the user has successfully authenticated?
A. aaa authentication login default group radius local none
B. aaa authorization exec default group radius
C. aaa authorization exec default group radius if-authenticated
D. aaa authorization exec default group radius none
C. aaa authorization exec default group radius if-authenticated
Refer to the exhibit. A network engineer must configure the router to use the ISE-Servers group for authentication. If both ISE servers are unavailable, the local username database must be used. If no usernames are defined in the configuration, then the enable password must be the last resort to log in. Which configuration must be applied to achieve this result?
A. aaa authorization exec default group ISE-Servers local enable
B. aaa authentication login error-enable aaa authentication login default group enable local ISE-Servers
C. aaa authentication login default group ISE-Servers local enable
D. aaa authentication login default group enable local ISE-Servers
C. aaa authentication login default group ISE-Servers local enable
The authentication order is ISE servers, then the local username database, then the enable password.
Aaa authorization
Refer to the exhibit.
Which configuration enables fallback to local authentication and authorization when no TACACS+ server is available?
A.
Router(config)# aaa fallback local
B.
Router(config)# aaa authentication login FALLBACK local
Router(config)# aaa authorization exec FALLBACK local
C.
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
D.
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
D.
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
An engineer must configure an EXEC authorization list that first checks a AAA server then a local username. If both methods fail, the user is denied. Which configuration should be applied?
A. aaa authorization exec default local group radius none
B. aaa authorization exec default group radius local none
C. aaa authorization exec default group radius local
D. aaa authorization exec default local group tacacs+
C. aaa authorization exec default group radius local
__
A. aaa authorization exec default local group radius none
-wrong because it checks local first
B. aaa authorization exec default group radius local none
-WRONG, it checks everything in the correct order, but “none” doesn't require any authorization, so nobody is denied once the first two methods are unavailable
C. aaa authorization exec default group radius local
-CORRECT, the only correct order that only allows what we want
D. aaa authorization exec default local group tacacs+
-WRONG, for same reason as A
An engineer must implement a configuration to allow a network administrator to connect to the console port of a router and authenticate over the network. Which command set should the engineer use?
A. aaa new-model
aaa authentication login console local
B. aaa new-model
aaa authentication login console group radius
C. aaa new-model
aaa authentication login default enable
D. aaa new-model
aaa authentication enable default
B. aaa new-model
aaa authentication login console group radius
A is wrong because it does not use an external server.
C is wrong because it uses the default keyword.
D is wrong because it uses the default keyword and does not use an external server.
"Connect to the console port" means console only; the default keyword is wrong because it applies to all lines (vty, aux, console).
"Authenticate over the network" means use an external server (TACACS+ or RADIUS).
Note that a named list such as console still has to be applied under line con 0 with login authentication console; until then the console keeps using the default list.
Refer to the exhibit. A network engineer must permit administrators to automatically authenticate if there is no response from either of the AAA servers. Which configuration achieves these results?
A. aaa authentication enable default group radius local
B. aaa authentication login default group radius
C. aaa authentication login default group tacacs+ line
D. aaa authentication login default group radius none
D. aaa authentication login default group radius none
“aaa authentication login default none” would grant access to the router via console, VTY and AUX without any authentication at all.
“default” means console/vty/aux.
“none” means no authentication.
The “none” keyword lets any user who logs in authenticate successfully. In “group radius none” it is reached only when no RADIUS server responds, and it should be used only as a last-resort backup method, since it turns a server outage into open access to the device.
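The fall-through rule behind several of the cards above (the ‘local group tacacs+’ breakdown, the ‘group tacacs+ none’ VTY card, the ‘if-authenticated’ exec authorization card, and this ‘none’ caveat) is easier to see executed than described. The Python below is an added example, not part of the original flashcards and not Cisco code: it models the IOS method-list walk under the documented rule that the next method is consulted only after an ERROR (no reply from the server group, or a username the local database does not know), while a FAIL (rejected password) ends the attempt and a list in which every method errors denies the login. The server reachability, user tables and secrets are constructed test data; the method keywords are the IOS ones used on the cards.

```python
"""Model of how Cisco IOS walks an AAA method list (added example, not Cisco code).

Rule modelled: the next method in a list is consulted only when the current one
returns ERROR (no reply from the server group, or a username the local database
does not know). FAIL (rejected password) ends the attempt, and when every method
returns ERROR the login is denied. All server state, users and secrets below are
constructed test data; the method keywords are the IOS ones used on the cards.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Env:
    servers_up: Dict[str, bool] = field(default_factory=dict)   # group -> reachable?
    server_users: Dict[str, str] = field(default_factory=dict)  # known to TACACS+/RADIUS
    local_users: Dict[str, str] = field(default_factory=dict)   # 'username X secret Y'
    enable_secret: Optional[str] = None


def parse_methods(spec: str) -> List[str]:
    """'group tacacs+ local none' -> ['group tacacs+', 'local', 'none']."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def login_method(method: str, user: str, password: str, env: Env) -> str:
    """Verdict of one method in an 'aaa authentication login' list."""
    if method.startswith("group "):
        group = method.split()[1]
        if not env.servers_up.get(group, False):
            return ERROR                      # no server in the group answered
        return PASS if env.server_users.get(user) == password else FAIL
    if method in ("local", "local-case"):
        users = env.local_users
        if method == "local":                 # plain 'local' ignores username case
            users = {u.lower(): p for u, p in users.items()}
            user = user.lower()
        if user not in users:
            return ERROR                      # unknown user: move to the next method
        return PASS if users[user] == password else FAIL
    if method == "enable":
        if env.enable_secret is None:
            return ERROR
        return PASS if password == env.enable_secret else FAIL
    if method == "none":
        return PASS                           # no check at all
    raise ValueError(f"unsupported login method {method!r}")


def exec_method(method: str, user: str, authenticated: bool, env: Env) -> str:
    """Verdict of one method in an 'aaa authorization exec' list."""
    if method.startswith("group "):
        group = method.split()[1]
        if not env.servers_up.get(group, False):
            return ERROR
        return PASS if user in env.server_users else FAIL
    if method == "if-authenticated":
        return PASS if authenticated else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"unsupported exec authorization method {method!r}")


def walk(spec: str, verdict_of: Callable[[str], str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply the fall-through rule; returns (decision, methods actually consulted)."""
    trail = []
    for method in parse_methods(spec):
        verdict = verdict_of(method)
        trail.append((method, verdict))
        if verdict != ERROR:
            return verdict, trail
    return FAIL, trail                        # every method errored: deny


def authenticate(spec: str, user: str, password: str, env: Env):
    return walk(spec, lambda m: login_method(m, user, password, env))


def authorize_exec(spec: str, user: str, authenticated: bool, env: Env):
    return walk(spec, lambda m: exec_method(m, user, authenticated, env))


if __name__ == "__main__":
    # Constructed scenario: TACACS+ servers down, RADIUS up, one local user.
    env = Env(servers_up={"tacacs+": False, "radius": True},
              server_users={"ccnp": "Radius-Pw"},
              local_users={"Admin": "Local-Pw"},
              enable_secret="En4ble")
    for spec in ("group tacacs+ local", "group tacacs+ none", "local group tacacs+"):
        print(f"{spec:22s} intruder/guess -> {authenticate(spec, 'intruder', 'guess', env)}")
    print("exec, TACACS+ down:", authorize_exec("group tacacs+ if-authenticated", "Admin", True, env))
```

Running the script with the TACACS+ group down shows the point of the ‘none’ caveat directly: ‘group tacacs+ none’ lets an unknown user with a guessed password in, while ‘group tacacs+ local’ denies the same attempt. The trail returned with every decision also shows why ‘local group tacacs+’ never asks the server about a locally defined user who mistypes a password.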
An engineer must configure router R1 to validate user logins via RADIUS and fall back to the local user database if the RADIUS server is not available. Which configuration must be applied?
A. aaa authentication exec default radius local
B. aaa authentication exec default radius
C. aaa authorization exec default radius local
D. aaa authorization exec default radius
A. aaa authentication exec default radius local
Community vote distribution: A (52%), C (48%)
An engineer must configure AAA on a Cisco 9800 WLC for central web authentication. Which two commands are needed to accomplish this task? (Choose two.)
A. Device(config)# aaa server radius dynamic-author
B. (Cisco Controller) > config wlan aaa-override disable < wlan-id >
C. (Cisco Controller) > config radius acct add 10.10.10.12 1812 SECRET
D. Device(config-locsvr-da-radius)# client 10.10.10.12 server-key 0 SECRET
E. (Cisco Controller) > config wlan aaa-override enable < wlan-id >
A. Device(config)# aaa server radius dynamic-author
D. Device(config-locsvr-da-radius)# client 10.10.10.12 server-key 0 SECRET