20+ practice questions focused on AAA, RADIUS, and TACACS+ — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start AAA, RADIUS, and TACACS+ PracticeA network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?
Explanation: The RADIUS server is not configured to authenticate the user, or the RADIUS server is not responding correctly. The 'local' fallback is only used if the RADIUS server does not respond, not if it rejects the authentication. The issue is that the RADIUS server is rejecting the authentication, possibly because the user is not defined on the server or the server's configuration does not match the router's request.
An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?
Explanation: The TACACS+ server software upgrade likely changed the authorization model or the way commands are matched. The router sends the full command string to the TACACS+ server, and the server must have a matching rule. If the server's configuration now requires exact matching or has stricter parsing, previously allowed commands may be denied.
A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?
Explanation: For a port to move to a guest VLAN when authentication fails, the switch must be configured with a guest VLAN on that interface. The 'authentication port-control auto' enables 802.1X, but without a guest VLAN defined, the port stays unauthorized on failure.
A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?
Explanation: The WLC is interpreting the 'Access-Reject' as a non-response because the RADIUS server is using a different source port for the response, or the WLC is not configured to accept responses from the server's source IP. However, the most common cause is that the RADIUS server is sending the response from a different IP address than the one configured on the WLC, or the WLC has a mismatch in the shared secret. But since the server logs show requests are received and rejected, the shared secret is likely correct. The issue is that the WLC might be expecting the response on a different port or from a different IP, but the scenario says 'RADIUS server not responding' which typically means the WLC did not receive a response. This could be due to the RADIUS server sending the response from a different source IP (e.g., a secondary IP) than the one configured on the WLC, or a firewall blocking the response. However, the most plausible cause is that the RADIUS server is configured to use a different source IP for RADIUS traffic than the one the WLC expects.
A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?
Explanation: The user is authenticated successfully, but the authorization for EXEC (shell) is failing. The 'aaa authorization exec default group tacacs+ local' command means the router will first try TACACS+ for EXEC authorization; if TACACS+ does not respond, it falls back to local. However, if TACACS+ responds with a deny for EXEC authorization, the user is denied access and disconnected. The TACACS+ server may not have a shell profile for the user, or the authorization rule denies EXEC access.
+15 more AAA, RADIUS, and TACACS+ questions available
Practice all AAA, RADIUS, and TACACS+ questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of AAA, RADIUS, and TACACS+. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
AAA, RADIUS, and TACACS+ questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. AAA, RADIUS, and TACACS+ is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted AAA, RADIUS, and TACACS+ questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but AAA, RADIUS, and TACACS+ is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full AAA, RADIUS, and TACACS+ practice session with instant scoring and detailed explanations.
Start AAA, RADIUS, and TACACS+ Practice →