which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails?

When AAA login authentication is configured on Cisco routers, which two authentication methods
should be used as the final method to ensure that the administrator can still log in to the router in
case the external AAA server fails? (Choose two.)

When AAA login authentication is configured on Cisco routers, which two authentication methods
should be used as the final method to ensure that the administrator can still log in to the router in
case the external AAA server fails? (Choose two.)

A.
group RADIUS

B.
group TACACS+

C.
local

D.
krb5

E.
enable

F.
if-authenticated

Explanation:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html

TACACS+ Authentication Examples
The following example shows how to configure TACACS+ as the security protocol for PPP
authentication:
aaa new-model
aaa authentication ppp test group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
ppp authentication chap pap test
The lines in the preceding sample configuration are defined as follows:
•The aaa new-model command enables the AAA security services.
•The aaa authentication command defines a method list, “test,” to be used on serial interfaces
running PPP.
The keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+
returns an ERROR of some sort during authentication, the keyword local indicates that
authentication will be attempted using the local database on the network access server.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml
Authentication Start to configure TAC+ on the router.
Enter enable mode and type configure terminal before the command set. This command syntax
ensures that you are not locked out of the router initially, providing the tac_plus_executable is not
running:
!— Turn on TAC+.
aaa new-model
enable password whatever
!— These are lists of authentication methods.
!— “linmethod”, “vtymethod”, “conmethod”, and
!— so on are names of lists, and the methods
!— listed on the same lines are the methods
!— in the order to be tried. As used here, if
!— authentication fails due to the
!— tac_plus_executable not being started, the
!— enable password is accepted because
!— it is in each list.
!a
aa authentication login linmethod tacacs+ enable
aaa authentication login vtymethod tacacs+ enable
aaa authentication login conmethod tacacs+ enable



Leave a Reply 0

Your email address will not be published. Required fields are marked *