AAA Questions
Note: If you are not sure about AAA, please read our AAA TACACS+ and RADIUS Tutorial (on 9tut.com).
Question 1
Question 2
Explanation
The “aaa authentication login default local group tacacs+” command is broken down as follows:
+ The ‘aaa authentication’ part is simply saying we want to configure authentication settings.
+ The ‘login’ is stating that we want to prompt for a username/password when a connection is made to the device.
+ The ‘default’ means we want to apply for all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under tty, vty and aux lines. If we don’t use this keyword then we have to specify which line(s) we want to apply the authentication feature.
+ The ‘local group tacacs+’ part means all users are authenticated using the router’s local database (the first method). If the credentials are not found in the local database, then the TACACS+ server is used (the second method).
Question 3
Explanation
According to the requirements (first use TACACS+, then allow login with no authentication), we have to use “aaa authentication login … group tacacs+ none” as the AAA command.
The next thing to check is whether “aaa authentication login default” or “aaa authentication login list-name” is used. The ‘default’ keyword means we want to apply it to all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under the tty, vty and aux lines. If we don’t use this keyword, then we have to specify which line(s) we want to apply the authentication feature to.
From the above information we can see that answer C is correct, although the “password 7 0202039485748” line under “line vty 0 4” is not necessary.
If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS Tutorial – Part 2.
For your information, answer D would be correct if we added the following command under the vty line (“line vty 0 4”): “login authentication telnet” (“telnet” is the name of the AAA list above).
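The method-list behaviour described in the Question 2 and Question 3 explanations (ordered methods, fall-through, a named list bound to a line) can be modelled in a few lines. This is an added example, not part of the digitaltut page or of IOS itself; the usernames, passwords and the two sample configurations are constructed for the demo, and the parser assumes the token after “aaa authentication login” is always the list name, as the “login authentication ?” help output later in this thread shows.

```python
# Added example, not from the digitaltut page: a small model of how IOS picks an
# "aaa authentication login" method list for a line and walks its methods in order.
from dataclasses import dataclass, field

@dataclass
class Device:
    local_users: dict = field(default_factory=dict)   # username -> password (constructed)
    tacacs_users: dict = field(default_factory=dict)  # what the TACACS+ server knows (constructed)
    tacacs_reachable: bool = True
    lists: dict = field(default_factory=dict)         # list name -> ordered methods
    lines: dict = field(default_factory=dict)         # "vty 0 4" -> list name

def parse_config(text: str) -> Device:
    dev, cur = Device(), None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["aaa", "authentication", "login"]:
            # tok[3] is always the LIST NAME ("default" or a WORD); the methods
            # follow it, and "group tacacs+" / "group radius" count as one method.
            methods, i = [], 4
            while i < len(tok):
                step = 2 if tok[i] == "group" else 1
                methods.append(" ".join(tok[i:i + step]))
                i += step
            dev.lists[tok[3]] = methods
        elif tok[0] == "username":
            dev.local_users[tok[1]] = tok[-1]          # "password 0 X" or "secret X"
        elif tok[0] == "line":
            cur = " ".join(tok[1:])
            dev.lines.setdefault(cur, "default")        # no "login authentication" -> default list
        elif tok[:2] == ["login", "authentication"] and cur:
            dev.lines[cur] = tok[2]                     # a list name, never a method keyword
    return dev

def authenticate(dev: Device, line: str, user: str, pwd: str):
    """Return (allowed, deciding_method). A method that cannot answer (user not in
    the local database, TACACS+ server unreachable) is an ERROR and IOS moves on to
    the next method; a wrong password is a FAIL and the walk stops there."""
    for m in dev.lists.get(dev.lines.get(line, "default"), []):
        if m == "none":
            return True, "none"
        if m == "local":
            if user in dev.local_users:
                return dev.local_users[user] == pwd, "local"
        elif m == "group tacacs+" and dev.tacacs_reachable:
            return dev.tacacs_users.get(user) == pwd, "tacacs+"
    return False, "no method could answer"
```

Note that with “group tacacs+ none” the “none” method is only reached when the server cannot be contacted; a password the server rejects is a FAIL and does not fall through.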
Question 4
Question 5
Explanation
The “autocommand” causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line “username CCNP autocommand show running-config”.
Question 6
Explanation
In this question, there are two different passwords for user “tommy”:
+ In the TACACS+ server, the password is “Tommy”
+ In the local database of the router, the password is “Cisco”.
From the line “login authentication local” we know that the router uses the local database for authentication so the password should be “Cisco”.
Note: “… password 0 …” here means unencrypted password.
Question 1
B. TACACS+ authentication uses an RSA server to authenticate users
C. Local user names are case-insensitive
B and C I think are also true
Digitaltut, can you look into this one?
Q6.
aaa authentication login local tacacs+ | the local keyword defines the authentication methods when it is applied manually under the console line with #login authentication local
In this case the password should be “Tommy” (correct answer D).
if the line console configuration was like #line console 0 > login local , the password would be “Cisco”
@Digitaltut
Please look into Q.6 as it appears the passwords in the answers are not correctly placed. Thanks in advance.
The keyword local in the command “aaa authentication login local” is related to the AAA method-list name, not the local database. So the method list named local points to the TACACS+ server, which indicates the password Tommy. So the answer is D.
Thanks & Best Regards,
Q6, the syntax used in exhibit was wrong in the first place.
correct one:
aaa authentication login [authentication list name] [default] group tacacs+
and under line con 0, if we use “?” with the command:
Router(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.
we may use the [authentication list name] or [default] here.
In the exhibit, it used “local” as the authentication list name, followed by tacacs+ only (there could be a typo there, missing “group” before tacacs+).
I agree, in Q6 the answer should be Tommy.
ADMIN, please look into it.
@digitaltut
Please check Q6
local is the name of the list, not the authentication method. Please check the answer again.
“Which two statements about AAA authentication are true?”
If you use “local” instead of “local-case” then the username is not case-sensitive.
The question does not accept “Local user names are case-insensitive”
I proved it in a lab with this, *not* using “local-case”:
!
aaa new-model
aaa authentication login default local enable
aaa authentication login ADMIN local
username CCNP secret Str0ngP@ssw0rd!
line 0 4
login authentication ADMIN
!
@digitaltut
HM is right, about Q6.
“local” is the name of the list, not an authentication method.
Correct answer should be “Tommy”
Please check again
Q6 should be D) Tommy since local is the list name applied to con 0. Am I missing this altogether?
About Q6, I think the correct answer for Q6 is Cisco,
because line con 0 was specified to use the local database.
Q6
If Q4 Answer= The device will authenticate all users connecting to vty lines 0 through 4 against TACACS+;
Q6 Answer=Tommy
Correct answer should be “Tommy”
@digitaltut
Please check again
Which password allows access to line con 0 for a username of “tommy” under normal operation?
I think is correct answer is C: Tommy.
We have a command:
aaa authentication login local tacacs+
Where local is the authentication list, which is the name for tacacs+! This name is called in line console!
This means that authentication is via the tacacs+ server.
For question: “Which password allows access to line con 0 for a username of “tommy” under normal operation?”
I think the correct answer is: “Tommy” because as per the command aaa authentication login local tacacs+, “login” is the AAA list name.
@digitaltut – Kindly please check again.
About Q6. I have tested and the correct answer is “Tommy”
sh run:
aaa new-model
!
aaa authentication login LOCAL group tacacs+ (LOCAL is a list name)
!
username tommy password 0 Cisco
tacacs-server host 10.0.1.5 key cisco
!
!
line con 0
login authentication LOCAL (list name)
It only works with the password “Tommy” !!
method
Specifies at least one of these keywords:
■ enable: Uses the enable password for authentication
■ krb5: Uses Kerberos 5 for authentication
■ krb5-telnet: Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router
■ line: Uses the line password for authentication
■ local: Uses the local username database for authentication
■ local-case: Uses case-sensitive local username authentication
■ none: Uses no authentication
■ group radius: Uses the list of all RADIUS servers for authentication
■ group tacacs+: Uses the list of all TACACS+ servers for authentication
■ group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands
@admin
Question 1:
C. Local user names are case-insensitive
D. Local authentication is maintained on the router
E. KRB5 authentication disables user access when an incorrect password is entered
C-> is correct: by default username is not case sensitive
D-> is correct: local is local!
E-> incorrect: This is an option and not default behaviour!
It is true only with the command below:
Router(config)# kerberos clients mandatory
Sets Telnet, rlogin, rsh, and rcp to fail if they cannot negotiate the Kerberos protocol with the remote server.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-cfg-kerberos.html
@admin
Question 6:
From the line “login authentication local” we know that the router uses the local database for authentication so the password should be “Cisco”. –> NOT TRUE!!!
because “local” in the command below is the name of the authentication list! So the first and only entry in the list is “tacacs+”…
login authentication local tacacs+
@digitaltut
Question 1:
I checked with Cisco Packet Tracer that local usernames are case-insensitive by default:
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#username CcNPa password cisco
Router(config)#line con 0
Router(config-line)#login local
Router(config-line)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: ccnpa
Password:
Router>
To force case sensitivity I had to apply the following commands:
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#aaa authentication login local local-case
Router(config)#line con 0
Router(config)#line con 0
Router(config-line)#aaa authentication login local local-case
I tested the code and now it’s case sensitive.
Question 6:
I used the Cisco Packet Tracer too.
Router(config-line)#login authentication ?
WORD authenticate using aaa method list
default authenticate using aaa default list
As you can see, the router expects the aaa method list. In this case, the method list named local uses the tacacs+ username and password, not the local database. Answer for question 6 is B, Tommy.
To access using the “Cisco” password, the command should be login local, not login authentication local.
@digitaltut
User named “ccnpa” is right. The command is expecting AAA list:
Router(config-line)#login authentication ?
WORD authenticate using aaa method list
default authenticate using aaa default list
-> Thus TACACS+ will be used for the authentication, the answer should be B “Tommy”.
@digitaltut
Please review Question 6.
Q6: I believe the exhibit shown itself is incorrect. The command statement is invalid/incomplete.
The format must be:
aaa [ authentication | authorization | accounting ] { | default } { local | group ( radius | tacacs ) }
On that note, the command must be:
aaa authentication login local group tacacs+ (Note that the command is missing the word “group”)
In this case, the answer would be “Tommy”, since the command up to line con 0 states “authentication login local”, where local refers to the method list-name.
For further info: https://learningnetwork.cisco.com/s/article/introduction-to-aaa-implementation
I agree with uy
I bet this is one of those questions that Cisco doesn’t mark as they are incorrect….
I agree with @YourFriendlyNeighboorhoodSpiderMan, @ccnpa, @questioner n, @doka, @DJ, @Zagi, @Gabriel8338, @AT, @HM, @tmr, @contoso, @Anonymous
@digitaltut Please correct Q6 to D (the exhibit has an impossible config but D is the most logical, the others are straight wrong) – having 20+y networking exp.
LAB:
R1(config)#aaa authentication login local tacacs+
*Apr 5 23:15:41.031: %AAAA-3-BADMETHNAME: Bad authentication method-list name “local” rejected
R1(config)#do sh run | i aaa
aaa new-model
aaa session-id common
R1(config)#aaa authentication login local-1 tacacs+
R1(config)#do sh run | i aaa auth
aaa authentication login local-1 group tacacs+
>>> So, the command “aaa authentication login local tacacs+” will never be shown in the config, for 2 reasons:
#1 a group name of “local” is illegal/prohibited
#2 if entered with a legal group name like “local-1” it will be accepted, but in the config it will be presented with the “group” keyword
However, if the “local” group were accepted and the “group” keyword were there, then option D is correct.
Option A is incorrect because following config:
line con 0
login authentication local
Says login against the authentication group with the name “local”. It does not say authenticate with the local database.
If we want to authenticate with local database we have 3 options:
#1
aaa new-model
aaa authentication login local-1 group local
line con 0
login authentication local
#2
aaa new-model
aaa authentication login default local
line con 0
login authentication default (this is default command and will be not visible in show run)
#3
no aaa new-model
line con 0
login local
FunFact: On IOU (not on IOS nor NX-OS) I was able to produce impossible “login authentication local” under console config.
If we use option #3 as a starting point and then turn on aaa new-model:
IOU1(config)#do sh run | sec con 0
line con 0
login local
IOU1(config)#aaa new-model
IOU1(config)#do sh run | sec con 0
line con 0
login authentication local
However, it will not work as expected and authenticates the user right away without asking for any password.
IOU1 con0 is now available
Press RETURN to get started.
IOU1>en
IOU1#sh run | sec con 0
line con 0
login authentication local
IOU1#
@digitut
For Q3) answer should be C as per your explanation.
We don’t require it to be:
– aaa authentication login default group tacacs+ none
as the question says “The login method is configured on the VTY lines”, so the answer should be from choice C:
– aaa authentication login VTY group tacacs+ none
And if I’m wrong, can somebody correct me please.
@digitaltut please update Question 6 as there are plenty of evidence that the correct option is D. Tommy
hate those tricky questions
Router(config)# aaa authentication login local group tacacs+
Router(config)#
*Apr 16 07:32:28.944: %AAAA-4-BADMETHNAME: Bad authentication method-list name “local” (this is only a warning)
Router(config)#
Router(config)#do sh run | inc aaa
aaa new-model
aaa session-id common
Router(config)#
I think the explanation for Q3 could be a little clearer.
If I understand correctly, the use of the word “default” overrides the password config applied directly to the VTY. So it’s not that it is unnecessary, it’s actually overridden.
Is this correct?
I initially thought D was correct but then realised there may be an implicit Transport input all, which means specifying telnet is no good.