The correct answer is A. aaa authorization exec default group radius if-authenticated.
The key part of this question is the phrase “when all the RADIUS servers are unreachable” and “if the user has successfully authenticated.” In Cisco AAA, the if-authenticated keyword means that if the authorization server cannot be reached, the device grants authorization as long as the user has already been authenticated successfully. Cisco documentation explicitly states that with:
aaa authorization exec default group radius if-authenticated
the device contacts the RADIUS server for EXEC authorization, and if an error occurs contacting the server, the fallback is to permit the CLI to start, provided the user has been properly authenticated.
With the authentication method list:
aaa authentication login default group radius local
login can fall back to the local user database if RADIUS is down. The authorization method list:
aaa authorization exec default group radius if-authenticated
then ensures that once the user is authenticated, authorization is permitted even if RADIUS is unreachable. This is the Cisco-supported fallback behavior for AAA authorization.
B. aaa authorization exec default group radius none
The none method means no authorization is performed if the previous method fails, but this is not the Cisco ENCOR-recommended method for allowing access after successful authentication. The question specifically targets the if-authenticated authorization fallback behavior.
C. aaa authorization exec default group radius
This attempts authorization through RADIUS only. If the RADIUS servers are unreachable, authorization fails and the administrator may not be able to proceed.
D. aaa authentication login default group radius local none
This is an authentication command, not an authorization command, so it does not solve the requirement to authorize commands after login.
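The fallback behavior described above can be checked with a small model of method-list processing. This is an added example, not Cisco code or part of the original answer; the function names and the rule that only an unreachable server (not a reject) moves on to the next method are assumptions of this simplified model.

```python
# Added example: simplified model of Cisco AAA method-list processing.
# Assumption: the next method is tried only when the current one returns
# ERROR (server unreachable); an explicit reject ends the list with a deny.
ERROR, PASS, FAIL = "error", "pass", "fail"

def parse_methods(line):
    """Return the ordered methods of an 'aaa authentication|authorization' line."""
    words = line.split()
    if len(words) < 5 or words[0] != "aaa" or words[1] not in ("authentication", "authorization"):
        raise ValueError("not an AAA method-list command: " + line)
    methods, rest = [], words[4:]      # skip: aaa <service> <type> <list-name>
    while rest:
        if rest[0] == "group" and len(rest) > 1:   # 'group radius' is one method
            methods.append("group " + rest[1])
            rest = rest[2:]
        else:
            methods.append(rest[0])
            rest = rest[1:]
    return methods

def run_method(method, radius_reply, authenticated, local_ok):
    if method.startswith("group "):
        if radius_reply is None:       # None models "all servers unreachable"
            return ERROR
        return PASS if radius_reply == "accept" else FAIL
    if method == "local":
        return PASS if local_ok else FAIL
    if method == "if-authenticated":
        return PASS if authenticated else FAIL
    if method == "none":
        return PASS                    # no check at all
    raise ValueError("method not modelled: " + method)

def permits(line, radius_reply=None, authenticated=True, local_ok=True):
    """True if the method list ends in a permit under the given conditions."""
    for method in parse_methods(line):
        result = run_method(method, radius_reply, authenticated, local_ok)
        if result != ERROR:
            return result == PASS
    return False                       # every method errored: deny

# Method lists quoted on this page (options A, B, C and the login list).
OPT_A = "aaa authorization exec default group radius if-authenticated"
OPT_B = "aaa authorization exec default group radius none"
OPT_C = "aaa authorization exec default group radius"
LOGIN = "aaa authentication login default group radius local"
```

With RADIUS unreachable, `permits(OPT_A)` and `permits(OPT_B, authenticated=False)` are both true while `permits(OPT_A, authenticated=False)` is false, which is the practical difference between if-authenticated and none in this model.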
ENCOR exam point:
Remember the difference:
For Cisco AAA fallback behavior: