
AAA Questions

January 28th, 2021 in ENCOR 350-401

Note: If you are not sure about AAA, please read our AAA TACACS+ and RADIUS Tutorial (on 9tut.com).

Question 1

Question 2

Explanation

The “aaa authentication login default local group tacacs+” command is broken down as follows:

+ The ‘aaa authentication’ part simply says we want to configure authentication settings.
+ The ‘login’ keyword states that we want to prompt for a username/password when a connection is made to the device.
+ The ‘default’ keyword means we want to apply this list to all login connections (tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under the tty, vty and aux lines. If we don’t use this keyword, then we have to specify on which line(s) we want to apply the authentication feature.
+ The ‘local group tacacs+’ part means all users are first authenticated against the router’s local database (the first method). If the credentials are not found in the local database, then the TACACS+ server is used (the second method).

Question 3

Explanation

According to the requirements (first use TACACS+, then allow login with no authentication), we have to use “aaa authentication login … group tacacs+ none” as the AAA command.

The next thing to check is whether “aaa authentication login default” or “aaa authentication login list-name” is used. The ‘default’ keyword means we want to apply the list to all login connections (tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under the tty, vty and aux lines. If we don’t use this keyword, then we have to specify on which line(s) we want to apply the authentication feature.

From the information above, we can see that answer C is correct, although the “password 7 0202039485748” line under “line vty 0 4” is not necessary.

If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS Tutorial – Part 2.

For your information, answer D would be correct if we added the following command under the vty line (“line vty 0 4”): “login authentication telnet” (“telnet” is the name of the AAA list above).
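The two method lists from Questions 2 and 3, modelled in Python to show which list a line ends up using and in what order the methods run; this is an added example, not code from the page. The config string, user names and passwords are constructed; the fallback rule (a method that errors hands over to the next one, a rejected password does not) is the IOS behaviour the explanations above rely on.

```python
"""Model of Cisco IOS 'aaa authentication login' method lists (added example,
not code from the page). Fallback rule as in IOS: a method that ERRORs (unknown
local user, unreachable TACACS+ server) hands over to the next method; a method
that REJECTs the password ends the attempt."""

def parse_login_lists(config):
    """Return {list_name: [methods]} for each 'aaa authentication login' line."""
    lists = {}
    for line in config.splitlines():
        words = line.split()
        if words[:3] != ["aaa", "authentication", "login"]:
            continue
        name, rest, methods = words[3], words[4:], []
        while rest:
            if rest[0] == "group":               # 'group tacacs+' / 'group radius'
                methods.append("group " + rest[1])
                rest = rest[2:]
            else:                                # local, local-case, enable, none, ...
                methods.append(rest[0])
                rest = rest[1:]
        lists[name] = methods
    return lists

def list_for_line(lists, line_cmds):
    """A line using 'login authentication NAME' gets list NAME; every other line
    (console, aux, tty, vty) falls under the 'default' list."""
    for cmd in line_cmds:
        w = cmd.split()
        if w[:2] == ["login", "authentication"] and len(w) > 2:
            return lists.get(w[2], lists.get("default", []))
    return lists.get("default", [])

def authenticate(methods, user, pwd, local_db, tacacs_db, tacacs_up=True):
    """Walk the list in order. Returns (allowed, deciding_method)."""
    for m in methods:
        if m == "local":
            if user not in local_db:
                continue                          # unknown user -> ERROR, next method
            return (local_db[user] == pwd, m)     # known user -> PASS or REJECT
        if m == "group tacacs+":
            if not tacacs_up:
                continue                          # server unreachable -> ERROR, next
            return (tacacs_db.get(user) == pwd, m)
        if m == "none":
            return (True, m)                      # no authentication: anyone gets in
    return (False, None)                          # list exhausted -> deny

# constructed sample config: the two lists discussed in Questions 2 and 3
CONFIG = """aaa authentication login default local group tacacs+
aaa authentication login telnet group tacacs+ none"""
```

Note what the telnet list does once the TACACS+ server is unreachable: the ‘none’ method admits any user, which is the operational risk of ending a list with ‘none’.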

Question 4

Question 5

Explanation

The “autocommand” causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line “username CCNP autocommand show running-config”.

Question 6

Explanation

In this question, there are two different passwords for user “tommy”:
+ In the TACACS+ server, the password is “Tommy”
+ In the local database of the router, the password is “Cisco”.

From the line “login authentication local” we know that the router uses the local database for authentication so the password should be “Cisco”.

Note: “… password 0 …” here means an unencrypted password.

Comments
  1. Anonymous
    February 17th, 2021

    Question 1

    B. TACACS+ authentication uses an RSA server to authenticate users
    C. Local user names are case-insensitive

    B and C I think are also true

    Digitaltut can you look in this one

  2. Anonymous
    March 17th, 2021

    Q6.
    aaa authentication login local tacacs+ | local keyword defines authentication methods when it is applied manually under console line with #login authentication local
    in this case the password should be “Tommy” (correct answer D)

    if the line console configuration was like #line console 0 > login local , the password would be “Cisco”

  3. Da Hulk
    March 23rd, 2021

    @Digitaltut

    Please look into Q.6 as it appears the passwords in the answers are not correctly placed. Thanks in advance.

  4. Anonymous
    April 10th, 2021

    The keyword local in the command “aaa authentication login local” is related to the AAA method name, not the local database, so the method named local is indicating the tacacs server, which indicates the password Tommy, so the answer is D
    Thanks & Best Regards,

  5. contoso
    April 12th, 2021

    Q6, the syntax used in exhibit was wrong in the first place.

    correct one:
    aaa authentication login [authentication list name] [default] group tacacs+

    and in line con 0 if using the command ?
    Router(config-line)#login authentication ?
    WORD Use an authentication list with this name.
    default Use the default authentication list.

    we may use the [authentication list name] or [default] here.
    in the exhibit, it used “local” as authentication list, followed by the tacacs+ only. (could be typo in there, which missing “group” before tacacs+)

  6. tmr
    April 13th, 2021

    I agree, in Q6 the answer should be Tommy ……

    ADMIN….. Please look into it

  7. HM
    April 14th, 2021

    @digitaltut

    Please check Q6

    local is the name of the list, not the authentication method. Please check the answer again.

  8. thorr18
    April 18th, 2021

    “Which two statements about AAA authentication are true?”
    If you use “local” instead of “local-case” then the username is not case-sensitive.
    The question does not accept “Local user names are case-insensitive”
    I proved it on lab with this, *not* using “local-case”:
    !
    aaa new-model
    aaa authentication login default local enable
    aaa authentication login ADMIN local
    username CCNP secret Str0ngP@ssw0rd!
    line 0 4
    login authentication ADMIN
    !

  9. AT
    May 6th, 2021

    @digitaltut

    HM is right, about Q6.
    “local” is the name of the list, not an authentication method.
    Correct answer should be “Tommy”

    Please check again

  10. CC
    May 29th, 2021

    Q6 should be D) Tommy since local is the list name applied to con0, am I missing this all together?

  11. hyper-coronow
    May 30th, 2021

    about q6, I think the q6 correct answer is cisco.
    cause line con 0 was specified to use local database.

  12. Gabriel8338
    June 30th, 2021

    Q6

    If Q4 Answer= The device will authenticate all users connecting to vty lines 0 through 4 against TACACS+;
    Q6 Answer=Tommy

    Correct answer should be “Tommy”

    @digitaltut
    Please check again

  13. Zagi
    December 5th, 2021

    Which password allows access to line con 0 for a username of “tommy” under normal operation?

    I think is correct answer is C: Tommy.

    We have a command:
    aaa authentication login local tacacs+

    Where local is the authentication list, that is the name for tacacs+! This name is called in line console!

    This means that authentication is via tacacs+ server.

  14. DJ
    December 20th, 2021

    For question: “Which password allows access to line con 0 for a username of “tommy” under normal operation?”

    I think the correct answer is: “Tommy” because as per the command aaa authentication login local tacacs+, “login” is the AAA list name.

    @digitaltut – Kindly please check again.

  15. doka
    January 30th, 2022

    About Q6. I have tested and the correct answer is “Tommy”

    sh run:
    aaa new-model
    !
    aaa authentication login LOCAL group tacacs+ (LOCAL is a list name)
    !
    username tommy password 0 Cisco
    tacacs-server host 10.0.1.5 key cisco
    !
    !
    line con 0
    login authentication LOCAL (list name)

    It only works with the password “Tommy” !!

  16. Anonymous
    February 17th, 2022

    method

    Specifies at least one of these keywords:

    ■ enable: Uses the enable password for authentication

    ■ krb5: Uses Kerberos 5 for authentication

    ■ krb5-telnet: Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router

    ■ line: Uses the line password for authentication

    ■ local: Uses the local username database for authentication

    ■ local-case: Uses case-sensitive local username authentication

    ■ none: Uses no authentication

    ■ group radius: Uses the list of all RADIUS servers for authentication

    ■ group tacacs+: Uses the list of all TACACS+ servers for authentication

    ■ group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands

  17. questioner n
    August 5th, 2022

    @admin
    Question 1:
    C. Local user names are case-insensitive
    D. Local authentication is maintained on the router
    E. KRB5 authentication disables user access when an incorrect password is entered

    C-> is correct: by default username is not case sensitive
    D-> is correct: local is local!
    E-> incorrect: This is an option and not default behaviour!
    it is true only by the command below
    Router(config)# kerberos clients mandatory
    Sets Telnet, rlogin, rsh, and rcp to fail if they cannot negotiate the Kerberos protocol with the remote server.
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-cfg-kerberos.html

  18. questioner n
    August 5th, 2022

    @admin
    Question 6:
    From the line “login authentication local” we know that the router uses the local database for authentication so the password should be “Cisco”. –> NOT TRUE!!!

    because “local” in the command below is the name of the Authentication list! so the first and only entry in the list is “tacacs+”…
    login authentication local tacacs+

  19. ccnpa
    August 22nd, 2022

    @digitaltut

    Question 1:

    I checked with Cisco Packet Tracer that local usernames are case-insensitive by default:

    Router>enable
    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#username CcNPa password cisco
    Router(config)#line con 0
    Router(config-line)#login local
    Router(config-line)#end
    Router#
    %SYS-5-CONFIG_I: Configured from console by console

    Router#exit

    Router con0 is now available

    Press RETURN to get started.

    User Access Verification

    Username: ccnpa
    Password:

    Router>

    To force case sensitivity I had to apply the following commands:

    Router>enable
    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#aaa new-model
    Router(config)#aaa authentication login local local-case
    Router(config)#line con 0
    Router(config)#line con 0
    Router(config-line)#aaa authentication login local local-case

    I tested the code and now it’s case sensitive.

    Question 6:

    I used the Cisco Packet Tracer too.

    Router(config-line)#login authentication ?
    WORD authenticate using aaa method list
    default authenticate using aaa default list

    As you can see, the router expects the aaa method list. In this case, the method list named local uses the tacacs+ username and password, not the local database. Answer for question 6 is B, Tommy.

    To access using the “Cisco” password, the command should be login local, not login authentication local.

  20. YourFriendlyNeighboorhoodSpiderMan
    September 10th, 2022

    @digitaltut
    User named “ccnpa” is right. The command is expecting AAA list:
    Router(config-line)#login authentication ?
    WORD authenticate using aaa method list
    default authenticate using aaa default list

    -> Thus TACACS+ will be used for the authentication, the answer should be B “Tommy”.

  21. YourFriendlyNeighboorhoodSpiderMan
    September 24th, 2022

    @digitaltut

    Please review Question 6.

  22. uy
    November 12th, 2022

    Q6: I believe the exhibit shown itself is incorrect. The command statement is invalid/incomplete.
    The format must be:
    aaa [ authentication | authorization | accounting ] { | default } { local | group ( radius | tacacs ) }

    On that note, the command must be:
    aaa authentication login local group tacacs+ (Note that the command is missing the word “group”)

    In this case, the answer would be “Tommy” since the command until line con 0 states “authentication login local”, where local is referring to the method list-name.

    For further info: https://learningnetwork.cisco.com/s/article/introduction-to-aaa-implementation

  23. Anonymous
    January 13th, 2023

    I agree with uy
    I bet this is from those questions that Cisco doesn't mark as they are incorrect….

  24. NX
    April 6th, 2023

    I agree with @YourFriendlyNeighboorhoodSpiderMan, @ccnpa, @questioner n, @doka, @DJ, @Zagi, @Gabriel8338, @AT, @HM, @tmr, @contoso, @Anonymous

    @digitaltut Please correct Q6 to D (the exhibit has impossible config but D is most logical, others are straight wrong) – having 20+y networking exp.

    LAB:
    R1(config)#aaa authentication login local tacacs+
    *Apr 5 23:15:41.031: %AAAA-3-BADMETHNAME: Bad authentication method-list name “local” rejected
    R1(config)#do sh run | i aaa
    aaa new-model
    aaa session-id common

    R1(config)#aaa authentication login local-1 tacacs+
    R1(config)#do sh run | i aaa auth
    aaa authentication login local-1 group tacacs+

    >>> So, command “aaa authentication login local tacacs+” will be never shown in the config for 2 reasons:
    #1 group name of “local” is illegal/prohibited
    #2 if entered with legal group name like “local-1” it will be accepted but in config it will be presented with “group” keyword

    However if “local” group would be accepted and “group” keyword will be there then option D is correct.

    Option A is incorrect because following config:
    line con 0
    login authentication local

    Says login against authentication group with name “local”. It does not say authenticate with local database.

    If we want to authenticate with local database we have 3 options:

    #1
    aaa new-model
    aaa authentication login local-1 group local
    line con 0
    login authentication local

    #2
    aaa new-model
    aaa authentication login default local
    line con 0
    login authentication default (this is default command and will be not visible in show run)

    #3
    no aaa new-model
    line con 0
    login local

    FunFact: On IOU (not on IOS nor NX-OS) I was able to produce impossible “login authentication local” under console config.
    If we use option #3 as a starting point and then turn on aaa new-model:

    IOU1(config)#do sh run | sec con 0
    line con 0
    login local
    IOU1(config)#aaa new-model
    IOU1(config)#do sh run | sec con 0
    line con 0
    login authentication local

    However it will not work as expected and authenticate user right away without asking for any password.
    IOU1 con0 is now available
    Press RETURN to get started.

    IOU1>en
    IOU1#sh run | sec con 0
    line con 0
    login authentication local
    IOU1#

  25. AMS
    May 14th, 2023

    @digitut

    For Q3) answer should be C as per your explanation.
    We don't require it to be:
    – aaa authentication login default group tacacs+ none
    as the question says ” The login method is configured on the VTY lines ” so the answer should be from choice C
    – aaa authentication login VTY group tacacs+ none

    and if I'm wrong can somebody correct me please.

  26. abcd
    September 17th, 2023

    @digitaltut please update Question 6 as there are plenty of evidence that the correct option is D. Tommy

  27. ccnp2024
    April 16th, 2024

    hate those tricky questions

    Router(config)# aaa authentication login local group tacacs+
    Router(config)#
    *Apr 16 07:32:28.944: %AAAA-4-BADMETHNAME: Bad authentication method-list name “local” (this is only a warning)
    Router(config)#
    Router(config)#do sh run | inc aaa
    aaa new-model
    aaa session-id common
    Router(config)#

  28. anon
    July 19th, 2024

    I think the explanation for Q3 could be a little clearer.

    If I understand correctly the use of the word “Default” overrides the password config applied directly to the VTY. So it's not that it is unnecessary, it's actually overridden.

    Is this correct?

    I initially thought D was correct but then realised there may be an implicit Transport input all, which means specifying telnet is no good.
