Implementing and Operating Cisco Enterprise Network Core Technologies (ENCOR) — Question 558

An engineer must configure an EXEC authorization list that first checks a AAA server then a local username. If both methods fail, the user is denied. Which configuration should be applied?

Answer options

• A. aaa authorization exec default local group radius none
• B. aaa authorization exec default group radius local none
• C. aaa authorization exec default group radius local
• D. aaa authorization exec default local group tacacs+

Correct answer: C

Explanation

The correct answer, C, specifies that the EXEC authorization should first check the radius group and then fall back to local authentication if radius fails. Option A incorrectly places local authentication before the radius group, while option B lacks the necessary configuration to deny access if both checks fail. Option D incorrectly uses tacacs+ instead of radius, which does not align with the requirement.