Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-401DomainsAAA, RADIUS, and TACACS+
350-401Free — No Signup

AAA, RADIUS, and TACACS+

Practice 350-401 AAA, RADIUS, and TACACS+ questions with full explanations on every answer.

58questions

Start practicing

AAA, RADIUS, and TACACS+ — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

350-401 Domains

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationVirtual Machines and HypervisorsVRF and Path IsolationInfrastructureOSPFBGPEIGRPVLANs and TrunkingSpanning Tree ProtocolEtherChannelWireless InfrastructureMPLSWAN TechnologiesNAT and DHCPIP MulticastQoSNetwork AssuranceSNMP and SyslogNetFlow and TelemetrySPAN and RSPANIP SLASecurityAAA, RADIUS, and TACACS+ACLs and CoPP802.1X and TrustSecVPN TechnologiesInfrastructure SecurityAutomationPython for Network AutomationAnsible AutomationREST APIs and Data ModelsCisco DNA CenterModel-Driven Telemetry

Practice AAA, RADIUS, and TACACS+ questions

10Q20Q30Q50Q

All 350-401 AAA, RADIUS, and TACACS+ questions (58)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?

2

An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?

3

A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?

4

A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?

5

A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?

6

A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?

7

A network engineer is configuring a Cisco router to use TACACS+ for command authorization. The engineer configures 'aaa authorization commands 15 default group tacacs+ local'. When a user with privilege level 15 tries to execute the 'reload' command, the router sends an authorization request to the TACACS+ server. The server responds with an 'Access-Accept' but the command is still denied. The engineer checks the router's configuration and sees that 'aaa accounting commands 15 default start-stop group tacacs+' is also configured. What could be the issue?

8

An organization uses a Cisco ISE as the RADIUS server for both wired and wireless authentication. The network engineer configures a Cisco switch with 'aaa authentication dot1x default group radius' and 'aaa authorization network default group radius'. When a user connects via 802.1X, authentication succeeds, but the user is placed in the wrong VLAN. The RADIUS server sends a 'Tunnel-Private-Group-ID' attribute with the correct VLAN name. The switch has the VLAN defined. What is the most likely cause?

9

A network engineer is configuring a Cisco router for AAA using a RADIUS server. The engineer wants to ensure that if the RADIUS server is unreachable, the router falls back to local authentication for console access. The engineer configures 'aaa authentication login default group radius local' and 'aaa authentication login CONSOLE local'. The console line is configured with 'login authentication CONSOLE'. However, when the RADIUS server is down, the engineer cannot log in via the console. What is the problem?

10

A network engineer runs the following command on Router R1: R1# show aaa sessions Total sessions since last reload: 5 Session Id: 1 Unique Id: 1 User Name: admin IP Address: 10.1.1.100 Idle Time: 0 Timeout: 0 Type: Login Method: RADIUS Session Id: 2 Unique Id: 2 User Name: jdoe IP Address: 10.1.1.101 Idle Time: 120 Timeout: 0 Type: Login Method: LOCAL Based on this output, what can be concluded?

11

A network administrator issues the following command on a Cisco switch: Switch# show aaa servers RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813 State: current UP, duration 3600s, previous duration 0s Dead: total 0, retransmit 0 RADIUS: id 2, priority 2, host 192.168.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 100s, previous duration 300s Dead: total 3, retransmit 2 Based on this output, what can be concluded?

12

A network engineer runs the following debug on a router: R1# debug aaa authentication *Mar 1 00:01:23.456: AAA/BIND(00000001): Bind iplist *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default' *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Method=RADIUS *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): RADIUS server 10.1.1.10:1812, timeout 5, retransmit 2 *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Sent username 'admin', password **** *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Received PASS response *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pass Based on this output, what can be concluded?

13

A network administrator checks the AAA configuration on a router: R1# show running-config | include aaa aaa new-model aaa authentication login default group radius local aaa authentication login console local aaa authorization exec default group tacacs+ local aaa accounting exec default start-stop group radius Based on this output, what can be concluded?

14

A network engineer issues the following command on a router: R1# show tacacs TACACS+ Server: 10.1.1.10/49 Socket opens: 5 Socket closes: 3 Socket aborts: 0 Total packets sent: 10 Total packets received: 9 Retransmissions: 1 Timeouts: 1 Current idle time: 30 seconds Based on this output, what can be concluded?

15

A network administrator runs the following command on a switch: Switch# show aaa method-list Method List Name: default Type: authentication Group: radius Group: local Method List Name: console Type: authentication Group: local Method List Name: default Type: authorization Group: tacacs+ Group: local Based on this output, what can be concluded?

16

A network engineer checks the AAA server status: R1# show aaa servers RADIUS: id 1, priority 1, host 10.1.1.10, auth-port 1812, acct-port 1813 State: current DEAD, duration 0s, previous duration 500s Dead: total 1, retransmit 3 RADIUS: id 2, priority 2, host 10.1.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 200s, previous duration 0s Dead: total 0, retransmit 0 Based on this output, what can be concluded?

17

A network administrator runs the following debug on a router: R1# debug aaa authorization *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Processing author request for user 'jdoe' *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Method=TACACS+ *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): TACACS+ server 10.1.1.10:49, timeout 5 *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Sent author request *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Received PASS response *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Pass Based on this output, what can be concluded?

18

A network engineer checks AAA accounting on a router: R1# show aaa accounting Accounting method list 'default': Type: exec Start-stop: group radius Accounting records: Total started: 10 Total stopped: 8 Total failed: 2 Last record: user 'admin', start time 00:01:00 UTC Mar 1 2023 Based on this output, what can be concluded?

19

Examine the following AAA configuration snippet: aaa new-model aaa authentication login default local aaa authentication login CONSOLE local aaa authorization exec default local aaa accounting exec default start-stop group tacacs+ line con 0 login authentication CONSOLE line vty 0 4 login authentication default What is the effect of this configuration?

20

Given the following configuration: aaa new-model aaa authentication login default group radius local aaa authorization exec default group radius local aaa accounting exec default start-stop group radius radius-server host 192.168.1.100 key Cisco123 radius-server host 192.168.1.101 key Cisco123 Which statement is true about this configuration?

21

Consider this AAA configuration: aaa new-model aaa authentication login default group tacacs+ local aaa authorization exec default group tacacs+ local aaa accounting exec default stop-only group tacacs+ tacacs-server host 10.0.0.1 key SecretKey tacacs-server host 10.0.0.2 key SecretKey What is the effect of the accounting command?

22

Examine this configuration: aaa new-model aaa authentication login default local aaa authorization exec default local aaa accounting exec default start-stop group tacacs+ line vty 0 4 login authentication default privilege level 15 What is missing to ensure that VTY users are authenticated via TACACS+?

23

Given this configuration: aaa new-model aaa authentication login default group radius aaa authorization exec default group radius aaa accounting exec default start-stop group radius radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key radiuskey radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key radiuskey Which statement is true about the RADIUS server ports?

24

Consider this AAA configuration: aaa new-model aaa authentication login default local aaa authorization exec default local aaa accounting exec default start-stop group tacacs+ tacacs-server host 10.0.0.1 key SecretKey line con 0 login authentication default line vty 0 4 login authentication default What is the effect of this configuration?

25

What is the default port used by TACACS+ for communication?

26

Which statement correctly describes the difference between RADIUS and TACACS+?

27

What is the purpose of the 'aaa authorization exec default local' command?

28

Drag and drop the steps of the RADIUS authentication process into the correct order, from first to last.

29

Drag and drop the steps of the TACACS+ authentication process into the correct order, from first to last.

30

Drag and drop the steps of configuring AAA on a Cisco IOS device into the correct order, from first to last.

31

Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.

32

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.

33

Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.

34

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

35

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

36

Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.

37

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.

38

Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.

39

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

40

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

41

Drag and drop each protocol on the left to its matching characteristic on the right.

42

Drag and drop each AAA function on the left to its correct description on the right.

43

Drag and drop each RADIUS attribute on the left to its correct attribute number on the right.

44

Drag and drop each AAA method list on the left to its correct fallback order on the right.

45

Drag and drop each TACACS+ packet type on the left to its correct function on the right.

46

Drag and drop each protocol on the left to its matching characteristic on the right.

47

Drag and drop each AAA function on the left to its matching description on the right.

48

Drag and drop each RADIUS attribute name on the left to its matching attribute number on the right.

49

Drag and drop each AAA method list type on the left to its correct fallback order (from first to last) on the right.

50

Drag and drop each TACACS+ packet type on the left to its matching function on the right.

51

Which two statements about AAA accounting are true? (Choose two.)

52

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

53

Which two statements about local AAA and fallback methods are true? (Choose two.)

54

Which three statements about RADIUS server configuration and operation are true? (Choose three.)

55

Which two statements about AAA authentication methods are true? (Choose two.)

56

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

57

Which two statements about AAA authorization and accounting are true? (Choose two.)

58

Which three statements about configuring AAA on Cisco IOS devices are true? (Choose three.)

Practice all 58 AAA, RADIUS, and TACACS+ questions

Other 350-401 exam domains

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationVirtual Machines and HypervisorsVRF and Path IsolationInfrastructureOSPFBGPEIGRPVLANs and TrunkingSpanning Tree ProtocolEtherChannelWireless InfrastructureMPLSWAN TechnologiesNAT and DHCPIP MulticastQoSNetwork AssuranceSNMP and SyslogNetFlow and TelemetrySPAN and RSPANIP SLASecurityACLs and CoPP802.1X and TrustSecVPN TechnologiesInfrastructure SecurityAutomationPython for Network AutomationAnsible AutomationREST APIs and Data ModelsCisco DNA CenterModel-Driven Telemetry

Frequently asked questions

What does the AAA, RADIUS, and TACACS+ domain cover on the 350-401 exam?

The AAA, RADIUS, and TACACS+ domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.

How many AAA, RADIUS, and TACACS+ questions are in the 350-401 question bank?

The Courseiva 350-401 question bank contains 58 questions in the AAA, RADIUS, and TACACS+ domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice AAA, RADIUS, and TACACS+ for 350-401?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only AAA, RADIUS, and TACACS+ questions for 350-401?

Yes — the session launcher on this page draws questions exclusively from the AAA, RADIUS, and TACACS+ domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your 350-401 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

200-301350-701SY0-701