AAA Questions

March 23rd, 2020

Note: If you are not sure about AAA, please read our AAA TACACS+ and RADIUS Tutorial.

Question 1

Explanation

The keyword “local-case” uses case-sensitive local usernames for authentication, so it will not solve this problem -> Answer A is not correct.

We tested answer B on R1 and answer C on R2 (with AAA authentication debugging turned on via the “debug aaa authentication” command):

On R1:

R1_aaa_authentication.jpg

So after adding the “login authentication Console” line under the line configuration, AAA prefers the authentication method list applied to that specific line, which is “local” in this case.

On R2:

R2_aaa_authentication.jpg

With two “aaa authentication login” commands, AAA prefers the default login method.

We also tried to put the “aaa authentication login console local” command in front of “aaa authentication login default group tacacs+ local” but the result is still the same.

As for answer D, if we add “aaa authentication login default none” to the current configuration, then the “aaa authentication login default group tacacs+ local” command will be removed -> we can access this device without any authentication.
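
The method-list selection tested above, as an added example (not part of the original page and not Cisco tooling): a small Python check that reads running-config text, reports which login method list each line ends up using, and flags lists that contain `none`. The sample config, the `Lab` list and the function names are constructed for illustration; list names are matched exactly as written, which is an assumption.

```python
import re

# Constructed sample config (not from the page's routers): a named list on the
# console, the default list on vty 0 4, and a list that ends in "none".
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login Console local
aaa authentication login Lab group tacacs+ none
line con 0
 login authentication Console
line vty 0 4
 transport input ssh
line vty 5 15
 login authentication Lab
"""

def login_methods(config):
    """Map each line (con/vty/aux) to (list name, methods) for login."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            # Re-entering a list name replaces the earlier definition.
            lists[m.group(1)] = m.group(2).split()
        elif raw.startswith("line "):
            current = text
            lines[current] = "default"       # no explicit list -> default list
        elif current and raw.startswith(" "):
            m = re.match(r"login authentication (\S+)", text)
            if m:
                lines[current] = m.group(1)  # named list overrides default
        else:
            current = None
    return {ln: (name, lists.get(name)) for ln, name in lines.items()}

def findings(config):
    """Flag lines whose list is undefined or can end with no credential check."""
    out = []
    for line, (name, methods) in login_methods(config).items():
        if methods is None:
            out.append((line, name, "list not defined"))
        elif "none" in methods:
            out.append((line, name, "'none' allows login without authentication"))
    return out

if __name__ == "__main__":
    for line, (name, methods) in login_methods(SAMPLE).items():
        print(f"{line:<12} {name:<8} {methods}")
    print(findings(SAMPLE))
```
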

Question 2

Explanation

In the output we noticed the “Destination unreachable; gateway or host down” notification while the router was trying to communicate with the TACACS+ server. This means the TACACS+ server went down, so the next authentication method is the local database (“Method=LOCAL”). But the authentication failed again because of a bad username, a bad password or both.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/13864-tacacs-pppdebug.html

Comments (1)
  1. Safaa Al-Aboud
    June 6th, 2021

    Where is the Q2?