Exam 350-401
Question 259

The login method is configured on the VTY lines of a router with these parameters:

* The first method for authentication is TACACS

* If TACACS is unavailable, login is allowed without any provided credentials

Which configuration accomplishes this task?

A.

B.

C.

D.

    Correct Answer:

    The correct configuration is D. Here's why: The configuration requirement specifies that the first method for authentication should be TACACS and if TACACS is unavailable, login should be allowed without any provided credentials. The command 'aaa authentication login default group tacacs+ none' in option D accomplishes this task. This command sets the default login authentication method to use TACACS first, and if TACACS is not available, it allows login without requiring any credentials ('none' keyword). The other options either do not properly specify the fallback method, or incorrectly configure the authentication list.
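A check a reviewer could run over a saved running-config to see which login method list governs each line and whether it can fall through to `none`, the passwordless fallback this question asks for. This is an added example, not part of the original page; the sample config, the `MGMT` list name, the `PLACEHOLDER` password value and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the page).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login MGMT group tacacs+ local
!
line con 0
line vty 0 4
 password 7 PLACEHOLDER
 transport input telnet
line vty 5 15
 login authentication MGMT
 transport input ssh
"""

def parse_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).replace("group ", "").split()
    return lists

def audit_lines(config):
    """Return {line: (list_name, methods, passwordless_fallback)}."""
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        return {}  # without aaa new-model, method lists are not in effect
    lists = parse_method_lists(config)
    applied, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            applied[current] = "default"  # used unless the line names a list
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                applied[current] = m.group(1)
        else:
            current = None
    report = {}
    for line, name in applied.items():
        methods = lists.get(name, [])
        # 'none' lets the login succeed with no credentials once TACACS+ is unreachable
        report[line] = (name, methods, "none" in methods)
    return report
```

On the sample, `line vty 0 4` resolves to the `default` list and is flagged, while `line vty 5 15` uses `MGMT` and is not; the line `password` plays no part because neither list includes the `line` method.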

Discussion
XalaGyan

Gentlemen, here are some helping thoughts.
aaa new-model invalidates the previous configuration
aaa authentication login <name OR default> group <Radius or TACACS> <fall back mechanisms such as NONE>
DO NOT be confused by VTY or TELNET in the AAA authentication list name, which is just a name and lists the options to the right of it.
The requirements of TACACS and NO PASSWORD -> always watch out that you have the NO PASSWORD = NONE keyword at the end of the line.
Next is the question about LOGIN: to LOGIN only, you don't need a LINE VTY LOGIN AUTHENTICATION LOCAL or PASSWORD XZY, as these would only be required if you wanted to elevate your default priv-level from 1 to a higher number (in this case 15).
HTH

Mdorgham

So A is the correct answer, right?

pajonk22

my mistake. If you use "default" group nothing needs to be added to vty line. Correct is C

danman32

Did you mean answer D? Answer C has a group name.

[Removed]

Agree. Essentially, on the VTY lines you will have to use "login authentication telnet" or "login authentication VTY". But when using default, you won't have to do this.

rogi2023

XalaGyan's explanation very precise and clear = thx, and leads to the answer "D" (lab it, I did it in GNS3)

examShark

The given answer is correct (the aaa new-model disables the line password)

XDR

I'm pretty sure the answer is D. The aaa auth line is OK, it uses the default authentication list with tacacs and, for the fallback method, none. aaa new-model overrides the password line from the vty section so we can ignore it.

hasanozdemirrr

D is correct answer

nushadu

Guys, I did not see any correct answers from provided choices, if you use "none" keyword in the end you fail to connect after tacacs failure:
    cisco_R3(config-line)#do s runn | s aaa
    aaa new-model
    aaa authentication login test_0 group tacacs+ none
    aaa session-id common
    cisco_R3(config-line)#
    cisco_R3(config-line)#do s runn | s vty 0 4
    line vty 0 4
     exec-timeout 30 0
     password 7 06030B
     logging synchronous
     login authentication test_0
     transport input telnet
    cisco_R3(config-line)#

nushadu

when you connect from linux you see this:
    root@eve-ng:~# telnet 192.168.255.3
    Trying 192.168.255.3...
    Connected to 192.168.255.3.
    Escape character is '^]'.
    % Authorization failed.
    Connection closed by foreign host.
    root@eve-ng:~#

nushadu

when you change none -> line Cisco IOS will use local line password:
    cisco_R3(config-line)#aaa authentication login test_0 group tacacs+ line
    cisco_R3(config)#
    ### linux
    root@eve-ng:~# telnet 192.168.255.3
    Trying 192.168.255.3...
    Connected to 192.168.255.3.
    Escape character is '^]'.
    user ed password ed
    Password:
    cisco_R3>ena
    Password:
    cisco_R3#

nushadu

i do not know the correct answer to this Q...

danman32

The fault with your lab is that you used a name for the AAA Authentication but did not apply the AAA authentication name to the VTY so it resorted to 'default'. You need to use 'default' in the AAA authentication:
    aaa authentication login default group tacacs+ none
rather than
    aaa authentication login test_0 group tacacs+ none

Hikmat

transport input method should be defined under line vty
    line vty 0 4
     password 7 02050D480809
     transport input telnet
    R9#sh run | sec aaa
    aaa new-model
    aaa authentication login default group tacacs+ none
    aaa session-id common
    R7#telnet 155.1.79.9
    Trying 155.1.79.9 ... Open
    R9>

whiteherondance

I'm a bit confused on this one. Shouldn't the answer be A? The question says 'If TACACS is unavailable, login is allowed without any provided credentials' Answer D has a password configured on the VTY line - doesn't this mean you'd need to provide credentials to log in, meaning D is incorrect? A is the same as D but doesn't have a password configured, so shouldn't the answer then be A?

whiteherondance

ignore my point, A configures telnet so the answer probably is D as examShark has pointed out

danman32

Actually A isn't managing telnet protocol but rather named the AAA authentication 'telnet', which is still wrong since you need it to be default.

SeMo0o0o

D is correct

pajonk22

my mistake. If you use "default" group nothing needs to be added to vty line. Correct is C

danman32

Did you mean answer D? Answer C has a name for the group, D has Default

pajonk22

question seem to be incorrect. to use aaa on vty you need a command "login authentication <aaa group name>". If only password is configured it will prompt for username

danman32

You don't need to specify login authentication <group> in VTY if the AAA Authentication was assigned to default.