Exam 350-601 topic 1 question 262 discussion

It's "B". Fallback is on by default Disabling Fallback to Local Authentication By default, if remote authentication is configured for console or default login and all AAA servers are unreachable (resulting in an authentication error), the Cisco NX-OS device falls back to local authentication to ensure that users are not locked out of the device. However, you can disable fallback to local authentication in order to increase security. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_0111.html

it doesn't state that fallback is enabled or disabled, therefore, to ensure that fallback is already not disable, we can use "aaa authentication login default fallback error local"

Answer is C

“The fallback error local method enables fallback to local authentication for the default login if remote authentication is configured and all AAA servers are unreachable. Fallback to local authentication is enabled by default.” It is B because it is the only one with radius and local authentication is included by default

Assuming the MDS behaves the same as Nexus, it should be B (fallback is enabled by default, and the "local" keyword is not required).

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5-x_chapter_0100.html

Answer is C. The lnk to Nexus 9000 is incorrect. The question is about MDS: Configuring Fallback Mechanism for Authentication https://www.cisco.com/c/en/us/td/docs/dcn/mds9000/sw/9x/configuration/security/cisco-mds-9000-nx-os-security-configuration-guide-9x.pdf

The default login method is local , which is used when no methods are configured or when all the configured methods fail to respond, unless fallback to local is disabled for the console login. The local keyword is not supported (and is not required) when configuring AAA authentication groups because local authentication is the default if remote servers are unreachable. For example, if you configure aaa authentication login default group g1 , local authentication is tried if you are unable to authenticate using AAA group g1. In contrast, if you configure aaa authentication login default group g1 none , no authentication is performed if you are unable to authenticate using AAA group g1.

The local option is the default method when other configured options fail. You can disable the local option for the console or default login by using the no aaa authentication login { console | default } fallback error local command.

is B https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html#:~:text=All%20users%20are%20authenticated%20with%20the%20Radius%20server%20(the%20first%20method).%20If%20the%20Radius%20server%20does%20not%20respond%2C%20then%20the%20router%20local%20database%20is%20used%20(the%20second%20method).%20For%20local%20authentication%2C%20define%20the%20username%20name%20and%20password%3A

C. aaa authentication login default fallback error local

I bet this is B as the referenced link states (under Configuring Default Login Authentication Methods): The default console login method is local, which is used when no methods are configured or when all the configured methods fail to respond, unless fallback to local is disabled for the console login. AND ...The local keyword is not supported (and is not required) when configuring AAA authentication groups because local authentication is the default if remote servers are unreachable. For example, if you configure aaa authentication login default group g1, local authentication is tried if you are unable to authenticate using AAA group g1.