If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)
A. Authentication attempts to the router will be denied
B. The user will be prompted to authenticate using the enable password
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server
Explanation:
Brad
Answer: B and C
Confidence level: 60%
Notes: This is a widely debated question. See below:
– D is known incorrect. The router will eventually attempt to communicate with the TACACS server again, but not immediately.
– We know B is correct based on the command line.
– Cisco devices store the enable password locally, and the default behavior is for Cisco devices to fall back to local authentication when a TACACS/RADIUS server is down or returns an error. This is why I chose answer C.
– A user on the securitytut forums said that they labbed this scenario up and that A is a correct answer, not C. I have no way of verifying whether that user made a mistake or not, so I am sticking with the answer my research turned up.
BD
Two things I need to say. One, the local database has nothing to do with the enable secret/password, as it is literally created using username/password command combinations. Second, there is no fallback safety failover with aaa if you specify exact methods. Those exact methods are the only methods used, nothing else.
On the previous post I pasted an output for the authentication process with TACACS+ and enable. At a point there was a timeout message which resulted in switching to the second authentication method, ENABLE.
"Use the timeout integer argument to specify the period of time (in seconds) the router will wait for a response from the daemon before it times out and declares an error."
As a reference I used http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplus.html
What concerns me is "If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user." It doesn't specifically say "The router retries to connect with the TACACS+".
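The following is an added model of how an IOS login method list is evaluated; it is example code written for this page, not Cisco software or anything from the posts above. It encodes the documented rule the quoted Cisco text refers to: methods are tried in the listed order, the next method is consulted only when the current one returns ERROR (daemon unreachable or timed out), a FAIL (wrong credentials) denies the login without trying further methods, and methods that are not in the list are never consulted. The Device class, the user names and passwords, and the choice to treat "no enable password configured" and "no usernames configured" as ERROR are constructed assumptions for the model, not verified IOS behaviour.

```python
"""Toy model of Cisco IOS AAA login method-list evaluation (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Outcomes a single method can return; ERROR is the only one that falls through.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Device:
    """Constructed device state for the model (not a real IOS data structure)."""
    enable_secret: Optional[str]
    local_users: Dict[str, str] = field(default_factory=dict)   # username/password entries
    tacacs_users: Dict[str, str] = field(default_factory=dict)  # what the daemon would accept
    tacacs_reachable: bool = True


def method_tacacs(dev: Device, user: str, pw: str) -> str:
    """'group tacacs+': unreachable/timed-out daemon is ERROR; wrong password is FAIL."""
    if not dev.tacacs_reachable:
        return ERROR
    return PASS if dev.tacacs_users.get(user) == pw else FAIL


def method_enable(dev: Device, user: str, pw: str) -> str:
    """'enable': compares against the enable secret; assumed ERROR if none is configured."""
    if dev.enable_secret is None:
        return ERROR
    return PASS if pw == dev.enable_secret else FAIL


def method_local(dev: Device, user: str, pw: str) -> str:
    """'local': username/password database; assumed ERROR if no usernames exist."""
    if not dev.local_users:
        return ERROR
    return PASS if dev.local_users.get(user) == pw else FAIL


METHODS: Dict[str, Callable[[Device, str, str], str]] = {
    "group tacacs+": method_tacacs,
    "enable": method_enable,
    "local": method_local,
}


def parse_method_list(cmd: str) -> List[str]:
    """Turn 'aaa authentication login <list> m1 m2 ...' into ['m1', 'm2', ...]."""
    tokens = cmd.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an 'aaa authentication login' command")
    rest = tokens[4:]  # skip the list name (e.g. 'default')
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":        # 'group tacacs+' / 'group radius' are two tokens
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return methods


def authenticate(dev: Device, methods: List[str], user: str, pw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate the method list; returns (decision, trace of (method, outcome))."""
    trace = []
    for m in methods:
        outcome = METHODS[m](dev, user, pw)
        trace.append((m, outcome))
        if outcome == PASS:
            return "ALLOW", trace
        if outcome == FAIL:
            return "DENY", trace        # a definite reject stops the list
        # ERROR: fall through to the next listed method
    return "DENY", trace                # every method errored: nothing left to consult


def demo() -> Dict[str, Tuple[str, List[Tuple[str, str]]]]:
    """Scenarios for the question's configuration, with a 'local' list for contrast."""
    cfg = parse_method_list("aaa authentication login default group tacacs+ enable")
    cfg_local = parse_method_list("aaa authentication login default group tacacs+ local")
    creds = dict(local_users={"admin": "L0cal"}, tacacs_users={"admin": "T4cacs"})
    down = Device(enable_secret="En4ble!", tacacs_reachable=False, **creds)
    up = Device(enable_secret="En4ble!", tacacs_reachable=True, **creds)
    no_enable = Device(enable_secret=None, tacacs_reachable=False, **creds)
    return {
        "server_error_enable_pw": authenticate(down, cfg, "admin", "En4ble!"),
        "server_error_local_pw": authenticate(down, cfg, "admin", "L0cal"),
        "server_error_no_enable": authenticate(no_enable, cfg, "admin", "anything"),
        "server_reject": authenticate(up, cfg, "admin", "wrong"),
        "server_error_local_listed": authenticate(down, cfg_local, "admin", "L0cal"),
    }


if __name__ == "__main__":
    for name, (decision, trace) in demo().items():
        print(f"{name:28s} {decision:5s} {trace}")
```

In the model, the server error sends the login to the enable method and nowhere else: the locally configured username/password is rejected under `group tacacs+ enable` and accepted only when `local` is itself in the list, and when the enable method also errors the login is denied because the list is exhausted. A FAIL from a reachable daemon denies without consulting enable at all, which is the ERROR/FAIL distinction the quoted documentation turns on.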