Exhibit
```
R1# show running-config | section aaa
aaa new-model
aaa authentication login default group radius local
radius server RADIUS
 address ipv4 192.0.2.10 key cisco123
!
R1# show aaa servers
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
 State: current UP, duration 120s, previous duration 0s
 Dead: total 0, retransmit 0

SW1# show running-config | section dot1x
dot1x system-auth-control
dot1x port-control auto
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x timeout reauth-period 3600
!
SW1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
MAC Address: Unknown
IP Address: Unknown
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Session timeout: N/A
Common Session ID: 0000000000000000000000
Acct Session ID: 0x00000000
Auth Method: dot1x

SW1# show dot1x all summary
Interface  PAE   Authenticator  Supplicant  Server
Gi0/1      AUTH  UNAUTHORIZED   N/A         N/A
```
- A
R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
This option correctly configures AAA with RADIUS for SSH login on R1, including fallback to local, and properly configures 802.1X on SW1 with RADIUS authentication for dot1x, which resolves the unauthorized port issue.
- B
R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
Why wrong: This is incorrect because the switch uses 'aaa authentication login default group radius' instead of 'aaa authentication dot1x default group radius'. The 'login' method is for device administration, not for 802.1X network access.
- C
R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
Why wrong: This is incorrect because R1's AAA login method does not include 'local' as a fallback. If the RADIUS server is unreachable, authentication will fail, which violates the requirement to fall back to the local database.
- D
R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto'.
Why wrong: This is incorrect because the switch interface is missing the 'dot1x pae authenticator' command. Without this, the port cannot act as an 802.1X authenticator, so it remains unauthorized.