Implementing Cisco Enterprise Advanced Routing and Services (ENARSI) — Question 306

The network administrator is tasked to configure R1 to authenticate telnet connections based on Cisco ISE using RADIUS. ISE has been configured with an IP address of 192.168.1.5 and with a network device pointing towards R1 (192.168.1.1) with a shared secret password of Cisco123. If ISE is down, the administrator should be able to connect using the local database with a username and password combination of admin/cisco123.

The administrator has configured the following on R1:

aaa new-model
!
username admin password cisco123
!
radius server ISE1
address ipv4 192.168.1.5
key Cisco123
!
aaa group server tacacs+ RAD-SERV
server name ISE1
!
aaa authentication login RAD-LOCAL group RAD-SERV

ISE has gone down. The Network Administrator is not able to Telnet to R1 when ISE went down. Which two configuration changes will fix the issue? (Choose two.)

Answer options

• A. aaa authentication login RAD-SERV group RAD-LOCAL local
• B. aaa authentication login RAD-LOCAL group RAD-SERV local
• C. line vty 0 4 login authentication RAD-LOCAL
• D. line vty 0 4 login authentication default
• E. line vty 0 4 login authentication RAD-SERV

Correct answer: B, C

Explanation

Option B correctly sets the authentication method to first check the local database after the RADIUS server, while option C specifies that the vty lines should use the RAD-LOCAL authentication method. The other options either misconfigure the groups or do not properly utilize the local database when ISE is down, leading to failed Telnet access.