Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-401TopicsAAA, RADIUS, and TACACS+
Free · No Signup RequiredCisco · 350-401

350-401 AAA, RADIUS, and TACACS+ Practice Questions

20+ practice questions focused on AAA, RADIUS, and TACACS+ — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start AAA, RADIUS, and TACACS+ Practice

Exam Domains

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample AAA, RADIUS, and TACACS+ Questions

Practice all 20+ →
1.

A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?

A.The router's SSH service is not enabled.
B.The RADIUS server is rejecting the authentication because the user is not defined on the server, and the 'local' fallback only applies if the server is unreachable.
C.The 'aaa new-model' command must be followed by a 'aaa authentication login default local' command to use local authentication.
D.The router's VTY lines are not configured to use the default authentication list.

Explanation: The RADIUS server is not configured to authenticate the user, or the RADIUS server is not responding correctly. The 'local' fallback is only used if the RADIUS server does not respond, not if it rejects the authentication. The issue is that the RADIUS server is rejecting the authentication, possibly because the user is not defined on the server or the server's configuration does not match the router's request.

2.

An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?

A.The router's 'aaa authorization commands 15 default group tacacs+' command is missing the 'local' keyword, so if TACACS+ denies, there is no fallback.
B.The TACACS+ server upgrade changed the default authorization behavior from permissive to restrictive, requiring explicit 'permit' statements for each command, and the existing rules may not cover all commands.
C.The router's privilege level 15 is not correctly assigned to the user.
D.The TACACS+ server is not reachable due to a firewall change, causing the router to deny all commands.

Explanation: The TACACS+ server software upgrade likely changed the authorization model or the way commands are matched. The router sends the full command string to the TACACS+ server, and the server must have a matching rule. If the server's configuration now requires exact matching or has stricter parsing, previously allowed commands may be denied.

3.

A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?

A.The interface needs the 'authentication guest-vlan <vlan-id>' command to specify the VLAN for non-802.1X devices.
B.The switch must have 'aaa authentication dot1x default group radius' configured globally.
C.The 'authentication host-mode multi-host' command should be replaced with 'authentication host-mode multi-domain' to support guest VLAN.
D.The port must be configured as a trunk port to allow the guest VLAN.

Explanation: For a port to move to a guest VLAN when authentication fails, the switch must be configured with a guest VLAN on that interface. The 'authentication port-control auto' enables 802.1X, but without a guest VLAN defined, the port stays unauthorized on failure.

4.

A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?

A.The RADIUS server is configured to use a different source IP address for RADIUS responses than the IP address configured on the WLC, causing the WLC to drop the responses.
B.The WLC is configured with the wrong authentication port; RADIUS uses port 1645, not 1812.
C.The WLC's RADIUS server configuration has the wrong shared secret, causing the server to reject requests.
D.The WLC is not configured with a valid management interface IP address to reach the RADIUS server.

Explanation: The WLC is interpreting the 'Access-Reject' as a non-response because the RADIUS server is using a different source port for the response, or the WLC is not configured to accept responses from the server's source IP. However, the most common cause is that the RADIUS server is sending the response from a different IP address than the one configured on the WLC, or the WLC has a mismatch in the shared secret. But since the server logs show requests are received and rejected, the shared secret is likely correct. The issue is that the WLC might be expecting the response on a different port or from a different IP, but the scenario says 'RADIUS server not responding' which typically means the WLC did not receive a response. This could be due to the RADIUS server sending the response from a different source IP (e.g., a secondary IP) than the one configured on the WLC, or a firewall blocking the response. However, the most plausible cause is that the RADIUS server is configured to use a different source IP for RADIUS traffic than the one the WLC expects.

5.

A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?

A.The TACACS+ server is not configured to authorize the user for EXEC access, so it sends a 'deny' response, causing the router to disconnect the user.
B.The 'aaa authorization exec' command should be 'aaa authorization commands 15' to allow the user to execute commands after login.
C.The router's SSH configuration is missing the 'ip ssh authentication-retries' command.
D.The 'local' fallback in the authorization command is overriding the TACACS+ response.

Explanation: The user is authenticated successfully, but the authorization for EXEC (shell) is failing. The 'aaa authorization exec default group tacacs+ local' command means the router will first try TACACS+ for EXEC authorization; if TACACS+ does not respond, it falls back to local. However, if TACACS+ responds with a deny for EXEC authorization, the user is denied access and disconnected. The TACACS+ server may not have a shell profile for the user, or the authorization rule denies EXEC access.

+15 more AAA, RADIUS, and TACACS+ questions available

Practice all AAA, RADIUS, and TACACS+ questions

How to master AAA, RADIUS, and TACACS+ for 350-401

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of AAA, RADIUS, and TACACS+. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

AAA, RADIUS, and TACACS+ questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 350-401 AAA, RADIUS, and TACACS+ questions are on the real exam?

The exact number varies per candidate. AAA, RADIUS, and TACACS+ is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted AAA, RADIUS, and TACACS+ questions ensures you can handle any format or difficulty that appears.

Are these 350-401 AAA, RADIUS, and TACACS+ practice questions free?

Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is AAA, RADIUS, and TACACS+ one of the harder 350-401 topics?

Difficulty is subjective, but AAA, RADIUS, and TACACS+ is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full AAA, RADIUS, and TACACS+ practice session with instant scoring and detailed explanations.

Start AAA, RADIUS, and TACACS+ Practice →

Topic Info

Topic

AAA, RADIUS, and TACACS+

Exam

350-401

Questions available

20+