
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 503.0

802.1X and TrustSec

350-401 Practice Questions


350-401 802.1X and TrustSec — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?

Question 3 (hard, multiple choice)

An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?

Question 4 (medium, multiple choice)

A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?

Question 5 (hard, multiple choice)

A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt map' and sees that the user's SGT is 0. What is the most likely cause?

Question 6 (medium, multiple choice)

An organization is implementing 802.1X for wireless users using Cisco ISE as the RADIUS server. The network engineer configures the wireless LAN controller (WLC) with 802.1X authentication. Users report that they can connect to the SSID but cannot access any network resources. The engineer checks the WLC and sees that users are authenticated and assigned to VLAN 100. The engineer also checks the switchport connecting the WLC and sees it is a trunk. What is the most likely issue?

Question 7 (medium, multiple choice)

A network engineer is configuring 802.1X on a Cisco switch for a voice VLAN deployment. The switchport is connected to an IP phone, which then connects to a PC. The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'switchport voice vlan 10'. The PC authenticates successfully, but the IP phone does not get an IP address from the voice VLAN. The engineer verifies that the phone is configured for 802.1X and the RADIUS server is correct. What is the most likely cause?

Question 8 (hard, multiple choice)

A network engineer is implementing Cisco TrustSec (CTS) with Security Group Tags (SGTs) using SXP (SGT Exchange Protocol). The engineer configures the switch as an SXP speaker and the Cisco ISE as an SXP listener. The engineer verifies that SXP peers are established. However, when the engineer checks 'show cts role-based sgt map', the SGT mappings for users are not present. What is the most likely cause?

Question 9 (medium, multiple choice)

A network engineer is configuring 802.1X on a Cisco switch for a guest network. The engineer wants to allow guests to access the internet after authentication but restrict access to internal resources. The engineer configures the switch with 'authentication port-control auto' and a downloadable ACL (dACL) from the RADIUS server. After a guest authenticates, the engineer tests connectivity and finds that the guest can access internal servers. What is the most likely cause?

Question 10 (hard, multiple choice)

A network engineer is deploying 802.1X with Cisco ISE for a wired network. The engineer wants to use CoA (Change of Authorization) to dynamically change the VLAN of a user after authentication. The engineer configures the switch with 'aaa server radius dynamic-author' and the ISE with CoA settings. When the engineer tests CoA from ISE, the switch logs show 'CoA request received' but the VLAN does not change. What is the most likely cause?

Question 11 (medium, multiple choice)

A network engineer runs the following command on switch SW1:

SW1# show authentication sessions interface GigabitEthernet1/0/1

Interface: GigabitEthernet1/0/1
MAC Address: 0011.2233.4455
IP Address: 192.168.1.100
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x0000000A
Handle: 0x00000001

Current Method List: mab
Method: MAB
State: Authz Success

Based on this output, what can be concluded?

Question 12 (medium, multiple choice)

A network engineer runs the following command on switch SW2:

SW2# show cts role-based sgt-map

Active IPv4-SGT Mapping Table:

IP Address       SGT
192.168.1.10     10
192.168.1.20     20
192.168.1.30     30

Total number of entries: 3

Based on this output, what can be concluded?

Question 13 (medium, multiple choice)

A network engineer runs the following command on switch SW3:

SW3# show cts role-based permissions

IPv4 Role-based permissions:

Source Group    Dest Group      Action
10              20              PERMIT
10              30              DENY
20              30              PERMIT

Based on this output, what can be concluded?

Question 14 (hard, multiple choice)

A network engineer runs the following command on switch SW4:

SW4# show cts environment-data

CTS Environment Data:

Device ID: SW4.cisco.com
Device Name: SW4
CTS Capabilities: SGT, SXP, CTSD, CTSA
SGT: 100
SXP Node: Enabled
SXP Connection: 10.1.1.1:64999

Based on this output, what can be concluded?

Question 15 (medium, multiple choice)

A network engineer runs the following command on switch SW5:

SW5# show cts sxp connections

SXP Connections:

Peer IP         Source IP       Conn Status     Duration
10.1.1.1        10.1.1.2        Up              2d3h
10.1.1.3        10.1.1.2        Down            0d0h

Based on this output, what can be concluded?

Question 16 (hard, multiple choice)

A network engineer runs the following command on switch SW6:

SW6# show cts role-based counters

Role-based counters:

Source Group    Dest Group      Packets Sent    Bytes Sent      Packets Denied  Bytes Denied
10              20              1500            120000          0               0
10              30              0               0               500             40000

Based on this output, what can be concluded?

Question 17 (medium, multiple choice)

A network engineer runs the following command on switch SW7:

SW7# show authentication registrations

Authentication Method Registrations:

Method          Priority        Type
dot1x           10              Interface
mab             20              Interface
webauth         30              Interface

Based on this output, what can be concluded?

Question 18 (hard, multiple choice)

A network engineer runs the following command on switch SW8:

SW8# show cts role-based sgt-map 192.168.1.10

IP Address: 192.168.1.10
SGT: 10
Source: SXP

Based on this output, what can be concluded?

Question 19 (medium, multiple choice)

A network engineer runs the following command on switch SW9:

SW9# show cts role-based policy

Role-based policy:

Source Group    Dest Group      Action
10              20              PERMIT
10              30              DENY
20              30              PERMIT

Based on this output, what can be concluded?

Question 20 (medium, multiple choice)

Consider the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast

What is the effect of this configuration?

Question 21 (medium, multiple choice)

Examine the following configuration snippet:

interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

Which statement about this configuration is true?

Question 22 (medium, multiple choice)

Consider the following TrustSec configuration on a Cisco switch:

cts role-based enforcement

interface GigabitEthernet1/0/3
 cts manual
  sap pmk 0123456789ABCDEF mode-list both

What is the purpose of this configuration?

Question 23 (medium, multiple choice)

Examine the following configuration:

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

interface GigabitEthernet1/0/4
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 30

What is the effect of the 'dot1x timeout quiet-period 30' command?

Question 24 (medium, multiple choice)

Consider this configuration for TrustSec on a Cisco switch:

cts role-based enforcement

interface GigabitEthernet1/0/5
 cts manual
  sap pmk AABBCCDDEEFF00112233445566778899 mode-list both
  propagate sgt

What is the purpose of the 'propagate sgt' command under the interface?

Question 25 (medium, multiple choice)

Examine the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet1/0/6
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-req 3
 dot1x timeout supp-timeout 10

What is the total time the switch will wait for a supplicant to respond before failing authentication?

Question 26 (easy, multiple choice)

What is the default quiet-period timer value in Cisco IOS 802.1X configuration?

Question 27 (medium, multiple choice)

In Cisco TrustSec, which component is responsible for assigning a Security Group Tag (SGT) to a user or device based on authentication?

Question 28 (easy, multiple choice)

What is the default tx-period timer value in Cisco IOS 802.1X configuration?

Question 29 (medium, drag order)

Drag and drop the steps of the 802.1X EAP-TLS authentication exchange into the correct order, from first to last.

Question 30 (medium, drag order)

Drag and drop the steps of TrustSec SGT classification and enforcement into the correct order, from first to last.

Question 31 (medium, drag order)

Drag and drop the steps of 802.1X port authentication with MAB fallback into the correct order, from first to last.
