Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← AAA, RADIUS, and TACACS+ practice sets

CCNP AAA, RADIUS, and TACACS+ • Complete Question Bank

CCNP AAA, RADIUS, and TACACS+ — All Questions With Answers

Complete CCNP AAA, RADIUS, and TACACS+ question bank — all 0 questions with answers and detailed explanations.

58
Questions
Free
No signup
Certifications/CCNP/Practice Test/AAA, RADIUS, and TACACS+/All Questions
Question 1mediummultiple choice
Study the full AAA explanation →

A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?

Question 2hardmultiple choice
Read the full wireless explanation →

An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?

Question 3mediummultiple choice
Open the full VLAN trunking answer →

A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?

Question 4hardmultiple choice
Read the full wireless explanation →

A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?

Question 5hardmultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?

Question 6mediummultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?

Question 7hardmultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco router to use TACACS+ for command authorization. The engineer configures 'aaa authorization commands 15 default group tacacs+ local'. When a user with privilege level 15 tries to execute the 'reload' command, the router sends an authorization request to the TACACS+ server. The server responds with an 'Access-Accept' but the command is still denied. The engineer checks the router's configuration and sees that 'aaa accounting commands 15 default start-stop group tacacs+' is also configured. What could be the issue?

Question 8mediummultiple choice
Open the full VLAN trunking answer →

An organization uses a Cisco ISE as the RADIUS server for both wired and wireless authentication. The network engineer configures a Cisco switch with 'aaa authentication dot1x default group radius' and 'aaa authorization network default group radius'. When a user connects via 802.1X, authentication succeeds, but the user is placed in the wrong VLAN. The RADIUS server sends a 'Tunnel-Private-Group-ID' attribute with the correct VLAN name. The switch has the VLAN defined. What is the most likely cause?

Question 9easymultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco router for AAA using a RADIUS server. The engineer wants to ensure that if the RADIUS server is unreachable, the router falls back to local authentication for console access. The engineer configures 'aaa authentication login default group radius local' and 'aaa authentication login CONSOLE local'. The console line is configured with 'login authentication CONSOLE'. However, when the RADIUS server is down, the engineer cannot log in via the console. What is the problem?

Question 10mediummultiple choice
Study the full AAA explanation →

A network engineer runs the following command on Router R1:

R1# show aaa sessions

Total sessions since last reload: 5 Session Id: 1 Unique Id: 1 User Name: admin

IP Address: 10.1.1.100

Idle Time: 0 Timeout: 0 Type: Login Method: RADIUS Session Id: 2 Unique Id: 2 User Name: jdoe

IP Address: 10.1.1.101

Idle Time: 120 Timeout: 0 Type: Login Method: LOCAL

Based on this output, what can be concluded?

Question 11mediummultiple choice
Study the full AAA explanation →

A network administrator issues the following command on a Cisco switch:

Switch# show aaa servers

RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813 State: current UP, duration 3600s, previous duration 0s Dead: total 0, retransmit 0 RADIUS: id 2, priority 2, host 192.168.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 100s, previous duration 300s Dead: total 3, retransmit 2

Based on this output, what can be concluded?

Question 12hardmultiple choice
Study the full AAA explanation →

A network engineer runs the following debug on a router:

R1# debug aaa authentication

*Mar  1 00:01:23.456: AAA/BIND(00000001): Bind iplist
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default'
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Method=RADIUS
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): RADIUS server 10.1.1.10:1812, timeout 5, retransmit 2
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Sent username 'admin', password ****
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Received PASS response
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pass

Based on this output, what can be concluded?

Question 13mediummultiple choice
Study the full AAA explanation →

A network administrator checks the AAA configuration on a router:

R1# show running-config | include aaa

aaa new-model
aaa authentication login default group radius local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group radius

Based on this output, what can be concluded?

Question 14hardmultiple choice
Study the full AAA explanation →

A network engineer issues the following command on a router:

R1# show tacacs

TACACS+ Server: 10.1.1.10/49 Socket opens: 5 Socket closes: 3 Socket aborts: 0 Total packets sent: 10 Total packets received: 9 Retransmissions: 1 Timeouts: 1 Current idle time: 30 seconds

Based on this output, what can be concluded?

Question 15mediummultiple choice
Study the full AAA explanation →

A network administrator runs the following command on a switch:

Switch# show aaa method-list

Method List Name: default Type: authentication Group: radius Group: local Method List Name: console Type: authentication Group: local Method List Name: default Type: authorization Group: tacacs+ Group: local

Based on this output, what can be concluded?

Question 16hardmultiple choice
Study the full AAA explanation →

A network engineer checks the AAA server status:

R1# show aaa servers

RADIUS: id 1, priority 1, host 10.1.1.10, auth-port 1812, acct-port 1813 State: current DEAD, duration 0s, previous duration 500s Dead: total 1, retransmit 3 RADIUS: id 2, priority 2, host 10.1.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 200s, previous duration 0s Dead: total 0, retransmit 0

Based on this output, what can be concluded?

Question 17hardmultiple choice
Study the full AAA explanation →

A network administrator runs the following debug on a router:

R1# debug aaa authorization

*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Processing author request for user 'jdoe'
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Method=TACACS+
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): TACACS+ server 10.1.1.10:49, timeout 5
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Sent author request
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Received PASS response
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Pass

Based on this output, what can be concluded?

Question 18mediummultiple choice
Study the full AAA explanation →

A network engineer checks AAA accounting on a router:

R1# show aaa accounting

Accounting method list 'default': Type: exec Start-stop: group radius Accounting records: Total started: 10 Total stopped: 8 Total failed: 2 Last record: user 'admin', start time 00:01:00 UTC Mar 1 2023

Based on this output, what can be concluded?

Question 19mediummultiple choice
Study the full AAA explanation →

Examine the following AAA configuration snippet:

aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
line con 0

login authentication CONSOLE

line vty 0 4

login authentication default

What is the effect of this configuration?

Question 20mediummultiple choice
Study the full AAA explanation →

Given the following configuration:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius

radius-server host 192.168.1.100 key Cisco123 radius-server host 192.168.1.101 key Cisco123

Which statement is true about this configuration?

Question 21mediummultiple choice
Study the full AAA explanation →

Consider this AAA configuration:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default stop-only group tacacs+

tacacs-server host 10.0.0.1 key SecretKey tacacs-server host 10.0.0.2 key SecretKey

What is the effect of the accounting command?

Question 22mediummultiple choice
Study the full AAA explanation →

Examine this configuration:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
line vty 0 4

login authentication default privilege level 15

What is missing to ensure that VTY users are authenticated via TACACS+?

Question 23mediummultiple choice
Study the full AAA explanation →

Given this configuration:

aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius

radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key radiuskey radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key radiuskey

Which statement is true about the RADIUS server ports?

Question 24mediummultiple choice
Study the full AAA explanation →

Consider this AAA configuration:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+

tacacs-server host 10.0.0.1 key SecretKey

line con 0

login authentication default

line vty 0 4

login authentication default

What is the effect of this configuration?

Question 25easymultiple choice
Study the full AAA explanation →

What is the default port used by TACACS+ for communication?

Question 26mediummultiple choice
Study the full AAA explanation →

Which statement correctly describes the difference between RADIUS and TACACS+?

Question 27easymultiple choice
Study the full AAA explanation →

What is the purpose of the 'aaa authorization exec default local' command?

Question 28mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of the RADIUS authentication process into the correct order, from first to last.

Question 29mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of the TACACS+ authentication process into the correct order, from first to last.

Question 30mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of configuring AAA on a Cisco IOS device into the correct order, from first to last.

Question 31mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.

Question 32mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.

Question 33mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.

Question 34mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

Question 35mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

Question 36mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.

Question 37mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.

Question 38mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.

Question 39mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

Question 40mediumdrag order
Study the full AAA explanation →

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

Question 41mediummatching
Study the full AAA explanation →

Drag and drop each protocol on the left to its matching characteristic on the right.

Question 42mediummatching
Study the full AAA explanation →

Drag and drop each AAA function on the left to its correct description on the right.

Question 43mediummatching
Study the full AAA explanation →

Drag and drop each RADIUS attribute on the left to its correct attribute number on the right.

Question 44mediummatching
Study the full AAA explanation →

Drag and drop each AAA method list on the left to its correct fallback order on the right.

Question 45mediummatching
Study the full AAA explanation →

Drag and drop each TACACS+ packet type on the left to its correct function on the right.

Question 46mediummatching
Study the full AAA explanation →

Drag and drop each protocol on the left to its matching characteristic on the right.

Question 47mediummatching
Study the full AAA explanation →

Drag and drop each AAA function on the left to its matching description on the right.

Question 48mediummatching
Study the full AAA explanation →

Drag and drop each RADIUS attribute name on the left to its matching attribute number on the right.

Question 49hardmatching
Study the full AAA explanation →

Drag and drop each AAA method list type on the left to its correct fallback order (from first to last) on the right.

Question 50mediummatching
Study the full AAA explanation →

Drag and drop each TACACS+ packet type on the left to its matching function on the right.

Question 51mediummulti select
Study the full AAA explanation →

Which two statements about AAA accounting are true? (Choose two.)

Question 52hardmulti select
Study the full AAA explanation →

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

Question 53easymulti select
Study the full AAA explanation →

Which two statements about local AAA and fallback methods are true? (Choose two.)

Question 54mediummulti select
Study the full AAA explanation →

Which three statements about RADIUS server configuration and operation are true? (Choose three.)

Question 55mediummulti select
Study the full AAA explanation →

Which two statements about AAA authentication methods are true? (Choose two.)

Question 56hardmulti select
Study the full AAA explanation →

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

Question 57mediummulti select
Study the full AAA explanation →

Which two statements about AAA authorization and accounting are true? (Choose two.)

Question 58hardmulti select
Study the full AAA explanation →

Which three statements about configuring AAA on Cisco IOS devices are true? (Choose three.)

Practice tests

Scored 10-question sessions with instant feedback and explanations.

CCNP Practice Test 1 — 10 Questions→CCNP Practice Test 2 — 10 Questions→CCNP Practice Test 3 — 10 Questions→CCNP Practice Test 4 — 10 Questions→CCNP Practice Test 5 — 10 Questions→CCNP Practice Exam 1 — 20 Questions→CCNP Practice Exam 2 — 20 Questions→CCNP Practice Exam 3 — 20 Questions→CCNP Practice Exam 4 — 20 Questions→Free CCNP Practice Test 1 — 30 Questions→Free CCNP Practice Test 2 — 30 Questions→Free CCNP Practice Test 3 — 30 Questions→CCNP Practice Questions 1 — 50 Questions→CCNP Practice Questions 2 — 50 Questions→CCNP Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationVirtual Machines and HypervisorsVRF and Path IsolationInfrastructureOSPFBGPEIGRPVLANs and TrunkingSpanning Tree ProtocolEtherChannelWireless InfrastructureMPLSWAN TechnologiesNAT and DHCPIP MulticastQoSNetwork AssuranceSNMP and SyslogNetFlow and TelemetrySPAN and RSPANIP SLASecurityAAA, RADIUS, and TACACS+ACLs and CoPP802.1X and TrustSecVPN TechnologiesInfrastructure SecurityAutomationPython for Network AutomationAnsible AutomationREST APIs and Data ModelsCisco DNA CenterModel-Driven Telemetry

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All AAA, RADIUS, and TACACS+ setsAll AAA, RADIUS, and TACACS+ questionsCCNP Practice Hub