If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error?
(Choose two.)
A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server
The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication enable default group tacacs+ enable none
If “none” is not there, and there is no enable password, then the authentication will fail. If not, then it works.
If it is just:
aaa authentication enable default group tacacs+ enable
and there is an enable password, the path will first be to the TACACS, then the enable.
It will work.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html
Hi, so also, with the above, if the line is
aaa authentication login default group tacacs+ enable
the same thing happens. Tested in a lab.
This time, however, you don’t need a username. Just enable secret.
I confirmed in lab.
Ryan. Thanks for explaining Bro.
Not sure that B is correct.
A,C may also be:
The question doesn’t state that there is no enable password in the configuration,
so why should it be denied?
C is 100% invalid as the authentication line doesn’t even refer to using ‘local’ credentials.
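
The fallback behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of how a method list is walked, where the next method is tried only when the previous one returns an error and a reject ends the walk. The function names, the Result enum and the sample password are constructed for illustration, and only the three methods that appear on this page (group tacacs+, enable, none) are modelled.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered and accepted the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer at all

def parse_methods(line):
    """Ordered methods from 'aaa authentication <type> <list-name> <methods...>'."""
    tok = line.split()
    if tok[:2] != ["aaa", "authentication"] or len(tok) < 5:
        raise ValueError(f"not an aaa authentication method list: {line!r}")
    rest, methods, i = tok[4:], [], 0
    while i < len(rest):
        if rest[i] == "group":            # 'group tacacs+' is one method
            if i + 1 == len(rest):
                raise ValueError("'group' needs a server-group name")
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return methods

def authenticate(line, tacacs, enable_password, supplied):
    """Walk the list; return (granted, trace).
    tacacs: Result the server gives; enable_password: configured value or None."""
    trace = []
    for method in parse_methods(line):
        if method == "group tacacs+":
            result = tacacs
        elif method == "enable":
            if enable_password is None:   # nothing configured: error, not reject
                result = Result.ERROR
            else:
                result = Result.PASS if supplied == enable_password else Result.FAIL
        elif method == "none":            # always succeeds, no credentials checked
            result = Result.PASS
        else:
            raise ValueError(f"method not modelled here: {method}")
        trace.append((method, result.value))
        if result is not Result.ERROR:    # PASS or FAIL ends the walk
            return result is Result.PASS, trace
    return False, trace                   # every method errored: access denied

if __name__ == "__main__":
    LOGIN = "aaa authentication login default group tacacs+ enable"
    ok, steps = authenticate(LOGIN, Result.ERROR, "Constructed-Pw1", "Constructed-Pw1")
    print(ok, steps)
```

The trace makes the audit point visible: a list ending in none grants access whenever every earlier method errors, so it is worth flagging in a configuration review.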