Cisco 210-260 v.2: Which events will occur when the TACACS+ server returns an error?
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)
A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server
Correct Answer: AB
Explanation/Reference:
In the Cisco documentation example, the login method list names two security servers, R1 and R2. When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 does not respond, the network access server treats that as an ERROR and queries R2 for authentication information.
This pattern continues through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated.
It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query, so no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list.
Applied to the question: the first method in "aaa authentication login default group tacacs+ enable" is group tacacs+, and the next is enable. An ERROR from the TACACS+ server does not deny anything by itself; it moves AAA to the enable method, so the user is prompted for the enable password (A). Authentication then ends with whatever the enable method returns: a wrong enable password is a FAIL, and the attempt is denied (B). The TACACS+ server is not queried again for that attempt (D), and local is not a method in this list (C).
Suppose the system administrator wants to apply a method list only to a particular interface or set of interfaces. In this case, the system administrator creates a named method list and then applies this named list to the applicable interfaces.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html
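To make the PASS/FAIL/ERROR rule concrete, here is an added example: a Python model written for this page, not Cisco IOS code and not taken from the reference above. It parses the question's method list and walks it the way the explanation describes, so you can see why a TACACS+ ERROR lands on the enable prompt while a TACACS+ FAIL never does. The TACACS+ server, enable secret and user stores are constructed stand-ins; treating an unset enable secret as an ERROR, and denying the login when every method returns ERROR, are this model's assumptions about IOS behaviour.

```python
"""Model of Cisco IOS AAA login method-list evaluation (added example, not IOS code).

Rule being modelled: only an ERROR (server did not answer / method unusable)
advances AAA to the next method; a PASS or FAIL ends authentication.
"""
from enum import Enum
import hmac


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"    # method answered and rejected the credentials
    ERROR = "ERROR"  # method could not answer (no server reply, no secret set)


def parse_method_list(line):
    """'aaa authentication login default group tacacs+ enable'
    -> ['group tacacs+', 'enable'].  Simplified parser for illustration only."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("expected 'aaa authentication login <list-name> <method>...'")
    rest = tokens[4:]  # tokens[3] is the list name ('default' or a named list)
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":           # 'group tacacs+', 'group radius', 'group <name>'
            if i + 1 >= len(rest):
                raise ValueError("'group' needs a server-group name")
            methods.append("group " + rest[i + 1])
            i += 2
        else:                            # 'enable', 'local', 'line', 'none', ...
            methods.append(rest[i])
            i += 1
    return methods


def _check(expected, supplied):
    """Constant-time compare; a missing entry counts as a FAIL, not an ERROR."""
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    return Result.PASS if ok else Result.FAIL


# Constructed credential stores for the model (sample data, not real secrets).
TACACS_USERS = {"admin": "tacacs-pw"}
LOCAL_USERS = {"admin": "local-pw"}


def build_backends(tacacs_reachable, enable_secret="enable-pw"):
    """One callable per method keyword; each returns a Result."""
    def tacacs(user, pw):
        if not tacacs_reachable:
            return Result.ERROR          # no reply from any server in the group
        return _check(TACACS_USERS.get(user), pw)

    def enable(user, pw):
        if enable_secret is None:
            return Result.ERROR          # assumption: unset enable secret is treated as ERROR
        return _check(enable_secret, pw)

    def local(user, pw):
        return _check(LOCAL_USERS.get(user), pw)

    def none(user, pw):
        return Result.PASS               # 'none' always admits

    return {"group tacacs+": tacacs, "enable": enable, "local": local, "none": none}


def authenticate(methods, backends, user, pw):
    """Walk the list in order and return (decision, method that decided).
    The same typed password is offered to whichever method gets to decide.
    ERROR -> try next method; PASS/FAIL -> stop. If every method returns
    ERROR the login is denied (assumption: list exhausted without a 'none')."""
    for method in methods:
        backend = backends.get(method)
        result = backend(user, pw) if backend else Result.ERROR
        if result is Result.ERROR:
            continue                     # only an ERROR advances the list
        return result, method
    return Result.FAIL, None


METHOD_LIST = parse_method_list("aaa authentication login default group tacacs+ enable")


def scenarios():
    """The cases the question and the comments argue about."""
    up = build_backends(tacacs_reachable=True)
    down = build_backends(tacacs_reachable=False)
    no_secret = build_backends(tacacs_reachable=False, enable_secret=None)
    return {
        "server up, correct TACACS+ password": authenticate(METHOD_LIST, up, "admin", "tacacs-pw"),
        "server up, wrong password":           authenticate(METHOD_LIST, up, "admin", "enable-pw"),
        "server ERROR, correct enable secret": authenticate(METHOD_LIST, down, "admin", "enable-pw"),
        "server ERROR, wrong enable secret":   authenticate(METHOD_LIST, down, "admin", "guess"),
        "server ERROR, no enable secret set":  authenticate(METHOD_LIST, no_secret, "admin", "x"),
    }


if __name__ == "__main__":
    for name, (decision, decided_by) in scenarios().items():
        print(f"{name:38} -> {decision.value:5} (decided by {decided_by})")
```

Note the second scenario: the user typed the enable password while the TACACS+ server was reachable, but TACACS+ returned FAIL, so AAA stopped there and the enable method was never consulted. Only the ERROR cases reach the enable prompt, which is the distinction the explanation is making.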
I don’t believe this is the correct answer. The key statement is “attempts to the router will be denied”, which means authentication attempts are done. As stated in the explanation, the user will be denied only if the response is FAIL, and the response here is ERROR. This means “This pattern would continue through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated.” Therefore there should be no “denied” access until there is a clear FAIL response; the authentication will continue to use the “enable” (which is answer A), and since the “enable” password is a local configuration, it should use the local database to check if it is correct. I believe the answer should be A and C.
I believe A and B are correct. C makes the assumption that the local database is configured as an authentication mechanism. The only authentication mechanisms we know for sure are the ones listed in the config line we are given, “aaa authentication login default group tacacs+ enable”, which makes no mention of the local database. The authentication attempt has already been sent to the TACACS+ server, which returned the error; therefore D makes no sense.