20+ practice questions focused on Device Access Control — one of the most tested topics on the Cisco CCNP ENARSI 300-410 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?
Explanation: The crypto map must be applied to the interface through which VPN traffic exits. If it is applied to the wrong interface (e.g., a loopback or a LAN interface instead of the WAN-facing interface), the router will not encrypt outbound traffic or decrypt inbound traffic for the VPN, even though the tunnel (ISAKMP/IPsec SA) may be established. The show crypto map output confirming the map is on the outbound interface indicates a misapplication, as the correct interface is the one facing the remote peer.
A network administrator is configuring AAA for device access on a Cisco router. After configuring the RADIUS server and 'aaa authentication login default group radius local', the engineer tests Telnet access and receives 'Access denied' even with correct credentials. The RADIUS server is reachable. What is the most likely cause?
Explanation: The 'login authentication default' command must be applied to the VTY lines to use the AAA authentication method set globally with 'aaa authentication login default group radius local'. Without this, the VTY lines default to using the local enable password for authentication, ignoring the AAA configuration. Since the RADIUS server is reachable and credentials are correct, the missing VTY line configuration is the most likely cause of the 'Access denied' error.
An engineer configures a Cisco router for SSH access. The router has an IP address on interface GigabitEthernet0/0, and the engineer generates RSA keys using the command 'crypto key generate rsa modulus 2048'. However, SSH connections fail with 'Connection refused'. What is the most likely cause?
Explanation: SSH requires a fully qualified domain name (FQDN) to generate RSA keys. Without a configured hostname and domain name, the 'crypto key generate rsa' command may appear to succeed but actually generates default keys that are not bound to the router's identity, causing SSH to refuse connections. The 'ip domain-name' and 'hostname' commands are prerequisites for proper RSA key generation and SSH operation.
A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?
Explanation: The 'snmp-server community public RO' command configures an SNMP community string but does not restrict access by default. If no access control list (ACL) is associated with the community string, the router will respond to SNMP polls from any source. However, if an ACL is implicitly or explicitly applied that does not permit the management station's IP address, the router will silently drop the SNMP requests. Since the management station can ping the router, Layer 3 connectivity is confirmed, isolating the issue to SNMP-specific access control.
An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?
Explanation: Option A is correct because, by default, the console line does not inherit the AAA authentication methods defined under 'aaa authentication login default local'. The 'login authentication default' command must be explicitly applied to the console line under line configuration to use the global AAA authentication method. Without it, the console line falls back to its default behavior, which does not use AAA, causing the login to fail despite the local user being configured.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Device Access Control. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Device Access Control questions on the 300-410 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Device Access Control is tested as part of the Cisco CCNP ENARSI 300-410 blueprint. Practicing with targeted Device Access Control questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 300-410 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Device Access Control is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.