The user is successfully authenticated but is not granted the correct privilege level. This occurs because the TACACS+ server is reachable and authorizes the user but fails to return the shell:priv-lvl=15 attribute, causing the router to default to privilege level 1. The original default authorization list's fallback method (local) is never used because the primary method (group tacacs+) succeeds.

Option C resolves this for console access by creating a new authorization list CON with the method none. Applying this list to line con 0 bypasses the TACACS+ authorization check for console logins. When authorization is set to none, the privilege level is determined by the authentication source. Since the user cisco is configured locally with privilege 15, this level is granted upon successful authentication.

A: The if-authenticated keyword is a fallback method used only when TACACS+ servers are unreachable. The current issue is a server misconfiguration, not an outage, so this change has no effect.

B: The none keyword as a fallback is also only used when TACACS+ servers are unreachable. It would not be triggered in this scenario where the server is responding.

D: This globally changes the primary authorization method to local for all lines. While it would work, it is a less targeted solution and alters the intended security policy for all access methods.

1. Cisco IOS Security Configuration Guide: Securing User Services

Release 15M&T

"Configuring Authorization" chapter

"EXEC Authorization" section.

This guide explains that if a remote AAA server authorizes an EXEC session but does not specify a privilege level

the user is placed at privilege level 1. This confirms the cause of the problem. It also details how to apply a named authorization list to a specific line

as shown in Option C.

2. Cisco IOS Security Command Reference

"aaa authorization" command documentation.

This reference details the none keyword for the aaa authorization command

stating: "No authorization is performed. If the security server fails to respond

the user is automatically granted the privilege level associated with that user

as specified in the local database." This supports the mechanism by which Option C solves the issue for the console line.

3. Cisco IOS Security Configuration Guide: Securing User Services

Release 15M&T

"Configuring Authentication" chapter

"Authentication Method Lists" section.

This document clarifies that method lists are processed in sequential order. If the first method (e.g.

group tacacs+) returns a PASS

subsequent methods are not attempted. This explains why the local fallback in the original configuration was not being used and why options A and B are incorrect.