Exam 400-101 | Question id=1152 | Infrastructure Security
Which of the following commands should you issue to ensure that the enable password will be used if a RADIUS server is unavailable?
A. aaa accounting exec enable start-stop group radius
B. aaa accounting connection default start-stop group radius
C. aaa authorization exec default group radius local
D. aaa authorization exec default group radius if-authenticated
E. aaa authentication enable default group radius enable
F. aaa authentication login default local
You should issue the aaa authentication enable default group radius enable command to ensure that the enable password will be used if a Remote Authentication Dial In User Service (RADIUS) server is unavailable. Authentication, Authorization, and Accounting (AAA) is used to control access to a router or switch. When implementing AAA, you can configure users to be authenticated against a local database, against a RADIUS server, or against a Terminal Access Controller Access Control System Plus (TACACS+) server. For AAA authentication to be used with a RADIUS server, a RADIUS server must exist on the network. However, you can configure a router so that if a RADIUS server becomes unavailable, the enable password can be used for authentication. This is accomplished by issuing the aaa authentication enable default group radius enable command. The aaa authentication command can be used to configure AAA authentication on a router or a switch.
The first enable parameter specifies that the command applies to the enable mode. The default keyword specifies that the default authentication list should be used. The group radius keywords specify that the RADIUS server should be used. The final enable keyword specifies that if the RADIUS server is unavailable, the enable password should be used.
The aaa authentication login default local command is used to configure AAA authentication to use the local database for authentication purposes. This command does not ensure that the enable password will be used if a RADIUS server is unavailable.
The aaa accounting command is used to enable AAA accounting on a router. The syntax of the aaa accounting command is aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname. Although the aaa accounting exec enable start-stop group radius command and the aaa accounting connection default start-stop group radius command are valid IOS commands, they do not ensure that the enable password will be used if a RADIUS server is unavailable. Instead, these commands configure AAA accounting with the defined parameters.
The aaa authorization command is used to configure AAA authorization on a router. The syntax of the aaa authorization command is aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2…]. Although the aaa authorization exec default group radius local command and the aaa authorization exec default group radius if-authenticated command are valid IOS commands, they do not ensure that the enable password will be used if a RADIUS server is unavailable. Instead, these commands configure AAA authorization with the parameters defined.