If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)
A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server
The Cisco document clearly says "D" cannot be the answer at all. Please read these lines of information:
ERROR: It indicates an error occurred during authentication. This can be either at the daemon or in the network connection between the daemon and the router. If an ERROR response is received, the router typically tries to use an alternative method to authenticate the user
https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200467-Troubleshoot-TACACS-Authentication-Issue.html
https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200467-Troubleshoot-TACACS-Authentication-Issue.html
ERROR: It indicates an error occurred during authentication. This can be either at the daemon or in the network connection between the daemon and the router. If an ERROR response is received, the router typically tries to use an alternative method to authenticate the user.
With the above in mind: the TACACS server RETURNED an error, which means D is correct. The last method is enable (enable password), which means A is correct.
The default method is local.
The rules are applied in the sequence order. If all methods fail, the device uses the default local method.
Let's remember that the question says "server returns an error". It means the server is REACHABLE but something happened and it returns an "ERROR" response. After this it will try "enable", which is local; that's why for me the correct answers are A and C.
ERROR–An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the network access server. If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/15-mt/sec-usr-tacacs-15-mt-book/sec-cfg-tacacs.html
I just tried it on a router and the connection is denied. I’m not being prompted to use the enable password. At this point, I believe the correct answer is BD.
Try it for yourself and let me know.
[cisco router]
aaa new-model
!
aaa authentication login default group tacacs+ enable
!
enable password VCEGUIDE
!
tacacs-server host x.x.x.x key TACACSKEY
!
line vty 0 4
login authentication default
I don't agree with B, but it is better than C. You just have enable as an alternative. You don't have the local option.
Command explanation: aaa authentication login default group tacacs+ enable
aaa authentication login default = a default login authentication will be applied
group tacacs+ = tacacs will be applied for all lines (vty and console) as a method of authentication
enable = enable password is the fallback method
So the answer is A and D
A – because the enable password is the fallback method, and eventually the user will connect to the device (this is why I didn't choose B)
D – if the server returns an error it means that the server is reachable from the client and maybe the TACACS users/passwords are misconfigured or entered wrong
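The disagreement in this thread comes down to how an IOS method list treats the three verdicts a method can return. The simulation below is an added example (not Cisco code and not from any poster here): a stand-in TACACS+ "server" returns a fixed PASS, FAIL or ERROR, and the method list is walked with the rule from the Cisco text quoted above, namely that only an ERROR moves on to the next method, while a FAIL ends the attempt. The enable password VCEGUIDE is taken from the configuration posted in this thread; the local user, the username and the helper names are constructed for the example.

```python
# Simulation of IOS-style AAA login method-list evaluation.
# Added illustration, not Cisco code. The TACACS+ "server" is a constructed
# stand-in that returns a fixed verdict; nothing touches the network.
from enum import Enum


class Verdict(Enum):
    PASS = "PASS"    # credentials accepted by the method
    FAIL = "FAIL"    # credentials rejected by the method
    ERROR = "ERROR"  # the method could not decide (daemon or network problem)


def tacacs_group(server_verdict):
    """Method 'group tacacs+'. server_verdict stands in for whatever the
    daemon (or the path to it) would answer for this login attempt."""
    def method(username, password):
        return server_verdict
    return method


def enable_method(enable_password):
    """Method 'enable': only the password is compared; the username is ignored."""
    def method(username, password):
        return Verdict.PASS if password == enable_password else Verdict.FAIL
    return method


def local_method(users):
    """Method 'local': the router's own username database. It is only
    consulted when the keyword 'local' appears in the method list."""
    def method(username, password):
        return Verdict.PASS if users.get(username) == password else Verdict.FAIL
    return method


def evaluate(method_list, username, password):
    """Walk the list in order. An ERROR falls through to the next method;
    a FAIL stops the list and denies the login; if every method errors,
    the login is denied (assumed default, no 'none' method configured).
    Returns (granted, trace) where trace lists (method name, verdict)."""
    trace = []
    for name, method in method_list:
        verdict = method(username, password)
        trace.append((name, verdict))
        if verdict is Verdict.PASS:
            return True, trace
        if verdict is Verdict.FAIL:
            return False, trace
        # Verdict.ERROR: try the next configured method
    return False, trace


def login_attempt(server_verdict, password, with_local=False):
    """Build the method list from the thread ('group tacacs+ enable', or
    'group tacacs+ local enable' when with_local is set) and evaluate it.
    Username 'admin' and local password 'LocalPw1' are constructed."""
    methods = [("group tacacs+", tacacs_group(server_verdict))]
    if with_local:
        methods.append(("local", local_method({"admin": "LocalPw1"})))
    methods.append(("enable", enable_method("VCEGUIDE")))
    return evaluate(methods, "admin", password)


if __name__ == "__main__":
    for verdict in Verdict:
        granted, trace = login_attempt(verdict, "VCEGUIDE")
        print(f"server -> {verdict.value:5}: granted={granted} via {trace}")
```

Running it shows the distinction the thread argues about: with the server returning ERROR the list falls through to enable and the enable password is accepted, with the server returning FAIL the enable method is never consulted, and the local database is only reached when `local` is actually in the method list.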
“AB” are correct, I just tried on a router
“C” would apply if “local” keyword in line
aaa authentication login default group tacacs+ local enable
I agree with Tom, it should be A and C. The command authenticates with TACACS+ first and if it can't connect to the AAA server it falls back to local authentication. https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html
A and B cannot be the correct answers. It should be:
A and C