Courseiva
Objective 501.0

AAA, RADIUS, and TACACS+

350-401 Practice Questions


350-401 AAA, RADIUS, and TACACS+ — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?

Question 3 (hard, multiple choice)

An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?

Question 4 (medium, multiple choice)

A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?

Question 5 (hard, multiple choice)

A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?

Question 6 (hard, multiple choice)

A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?

Question 7 (medium, multiple choice)

A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?

Question 8 (hard, multiple choice)

A network engineer is configuring a Cisco router to use TACACS+ for command authorization. The engineer configures 'aaa authorization commands 15 default group tacacs+ local'. When a user with privilege level 15 tries to execute the 'reload' command, the router sends an authorization request to the TACACS+ server. The server responds with an 'Access-Accept' but the command is still denied. The engineer checks the router's configuration and sees that 'aaa accounting commands 15 default start-stop group tacacs+' is also configured. What could be the issue?

Question 9 (medium, multiple choice)

An organization uses a Cisco ISE as the RADIUS server for both wired and wireless authentication. The network engineer configures a Cisco switch with 'aaa authentication dot1x default group radius' and 'aaa authorization network default group radius'. When a user connects via 802.1X, authentication succeeds, but the user is placed in the wrong VLAN. The RADIUS server sends a 'Tunnel-Private-Group-ID' attribute with the correct VLAN name. The switch has the VLAN defined. What is the most likely cause?

Question 10 (easy, multiple choice)

A network engineer is configuring a Cisco router for AAA using a RADIUS server. The engineer wants to ensure that if the RADIUS server is unreachable, the router falls back to local authentication for console access. The engineer configures 'aaa authentication login default group radius local' and 'aaa authentication login CONSOLE local'. The console line is configured with 'login authentication CONSOLE'. However, when the RADIUS server is down, the engineer cannot log in via the console. What is the problem?

Question 11 (medium, multiple choice)

A network engineer runs the following command on Router R1:

R1# show aaa sessions

Total sessions since last reload: 5
Session Id: 1
   Unique Id: 1
   User Name: admin
   IP Address: 10.1.1.100
   Idle Time: 0
   Timeout: 0
   Type: Login
   Method: RADIUS
Session Id: 2
   Unique Id: 2
   User Name: jdoe
   IP Address: 10.1.1.101
   Idle Time: 120
   Timeout: 0
   Type: Login
   Method: LOCAL

Based on this output, what can be concluded?

Question 12 (medium, multiple choice)

A network administrator issues the following command on a Cisco switch:

Switch# show aaa servers

RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
     State: current UP, duration 3600s, previous duration 0s
     Dead: total 0, retransmit 0
RADIUS: id 2, priority 2, host 192.168.1.20, auth-port 1812, acct-port 1813
     State: current UP, duration 100s, previous duration 300s
     Dead: total 3, retransmit 2

Based on this output, what can be concluded?

Question 13 (hard, multiple choice)

A network engineer runs the following debug on a router:

R1# debug aaa authentication

*Mar  1 00:01:23.456: AAA/BIND(00000001): Bind iplist
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default'
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Method=RADIUS
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): RADIUS server 10.1.1.10:1812, timeout 5, retransmit 2
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Sent username 'admin', password ****
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Received PASS response
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pass

Based on this output, what can be concluded?

Question 14 (medium, multiple choice)

A network administrator checks the AAA configuration on a router:

R1# show running-config | include aaa

aaa new-model
aaa authentication login default group radius local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group radius

Based on this output, what can be concluded?

Question 15 (hard, multiple choice)

A network engineer issues the following command on a router:

R1# show tacacs

TACACS+ Server: 10.1.1.10/49
     Socket opens: 5
     Socket closes: 3
     Socket aborts: 0
     Total packets sent: 10
     Total packets received: 9
     Retransmissions: 1
     Timeouts: 1
     Current idle time: 30 seconds

Based on this output, what can be concluded?

Question 16 (medium, multiple choice)

A network administrator runs the following command on a switch:

Switch# show aaa method-list

Method List Name: default
   Type: authentication
   Group: radius
   Group: local
Method List Name: console
   Type: authentication
   Group: local
Method List Name: default
   Type: authorization
   Group: tacacs+
   Group: local

Based on this output, what can be concluded?

Question 17 (hard, multiple choice)

A network engineer checks the AAA server status:

R1# show aaa servers

RADIUS: id 1, priority 1, host 10.1.1.10, auth-port 1812, acct-port 1813
     State: current DEAD, duration 0s, previous duration 500s
     Dead: total 1, retransmit 3
RADIUS: id 2, priority 2, host 10.1.1.20, auth-port 1812, acct-port 1813
     State: current UP, duration 200s, previous duration 0s
     Dead: total 0, retransmit 0

Based on this output, what can be concluded?

Question 18 (hard, multiple choice)

A network administrator runs the following debug on a router:

R1# debug aaa authorization

*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Processing author request for user 'jdoe'
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Method=TACACS+
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): TACACS+ server 10.1.1.10:49, timeout 5
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Sent author request
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Received PASS response
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Pass

Based on this output, what can be concluded?

Question 19 (medium, multiple choice)

A network engineer checks AAA accounting on a router:

R1# show aaa accounting

Accounting method list 'default':
   Type: exec
   Start-stop: group radius
Accounting records:
   Total started: 10
   Total stopped: 8
   Total failed: 2
   Last record: user 'admin', start time 00:01:00 UTC Mar 1 2023

Based on this output, what can be concluded?

Question 20 (medium, multiple choice)

Examine the following AAA configuration snippet:

aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default

What is the effect of this configuration?

Question 21 (medium, multiple choice)

Given the following configuration:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius

radius-server host 192.168.1.100 key Cisco123
radius-server host 192.168.1.101 key Cisco123

Which statement is true about this configuration?

Question 22 (medium, multiple choice)

Consider this AAA configuration:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default stop-only group tacacs+

tacacs-server host 10.0.0.1 key SecretKey
tacacs-server host 10.0.0.2 key SecretKey

What is the effect of the accounting command?

Question 23 (medium, multiple choice)

Examine this configuration:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 login authentication default
 privilege level 15

What is missing to ensure that VTY users are authenticated via TACACS+?

Question 24 (medium, multiple choice)

Given this configuration:

aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius

radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key radiuskey
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key radiuskey

Which statement is true about the RADIUS server ports?

Question 25 (medium, multiple choice)

Consider this AAA configuration:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+

tacacs-server host 10.0.0.1 key SecretKey

line con 0
 login authentication default
line vty 0 4
 login authentication default

What is the effect of this configuration?

Question 26 (easy, multiple choice)

What is the default port used by TACACS+ for communication?

Question 27 (medium, multiple choice)

Which statement correctly describes the difference between RADIUS and TACACS+?

Question 28 (easy, multiple choice)

What is the purpose of the 'aaa authorization exec default local' command?

Question 29 (medium, drag order)

Drag and drop the steps of the RADIUS authentication process into the correct order, from first to last.

Question 30 (medium, drag order)

Drag and drop the steps of the TACACS+ authentication process into the correct order, from first to last.

Question 31 (medium, drag order)

Drag and drop the steps of configuring AAA on a Cisco IOS device into the correct order, from first to last.

More AAA, RADIUS, and TACACS+ questions available in the full practice test.
