A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?
Trap 1: The router's SSH service is not enabled.
Incorrect because the scenario states the engineer is attempting SSH, and the failure is during authentication, not connectivity.
Trap 2: The 'aaa new-model' command must be followed by a 'aaa…
Incorrect because the engineer wants to use RADIUS first, and the configuration is correct; the issue is not the order of commands but the behavior of RADIUS rejection.
Trap 3: The router's VTY lines are not configured to use the default…
Incorrect because the default authentication list is automatically applied to all login methods (including SSH) unless overridden on the line.
- A
The router's SSH service is not enabled.
Why wrong: The scenario states the engineer is attempting SSH, and the failure is during authentication, not connectivity.
- B
The RADIUS server is rejecting the authentication because the user is not defined on the server, and the 'local' fallback only applies if the server is unreachable.
Correct because the 'group radius local' method list tries RADIUS first; if RADIUS responds with a reject (user not found), the router does not fall back to local. The fallback only occurs if the RADIUS server does not respond.
- C
The 'aaa new-model' command must be followed by a 'aaa authentication login default local' command to use local authentication.
Why wrong: The engineer wants to use RADIUS first, and the configuration is correct; the issue is not the order of commands but the behavior of RADIUS rejection.
- D
The router's VTY lines are not configured to use the default authentication list.
Why wrong: The default authentication list is automatically applied to all login methods (including SSH) unless overridden on the line.