Practice 350-401 AAA, RADIUS, and TACACS+ questions with full explanations on every answer.
Start practicing
AAA, RADIUS, and TACACS+ — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?
2An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?
3A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?
4A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?
5A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?
6A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?
7A network engineer is configuring a Cisco router to use TACACS+ for command authorization. The engineer configures 'aaa authorization commands 15 default group tacacs+ local'. When a user with privilege level 15 tries to execute the 'reload' command, the router sends an authorization request to the TACACS+ server. The server responds with an 'Access-Accept' but the command is still denied. The engineer checks the router's configuration and sees that 'aaa accounting commands 15 default start-stop group tacacs+' is also configured. What could be the issue?
8An organization uses a Cisco ISE as the RADIUS server for both wired and wireless authentication. The network engineer configures a Cisco switch with 'aaa authentication dot1x default group radius' and 'aaa authorization network default group radius'. When a user connects via 802.1X, authentication succeeds, but the user is placed in the wrong VLAN. The RADIUS server sends a 'Tunnel-Private-Group-ID' attribute with the correct VLAN name. The switch has the VLAN defined. What is the most likely cause?
9A network engineer is configuring a Cisco router for AAA using a RADIUS server. The engineer wants to ensure that if the RADIUS server is unreachable, the router falls back to local authentication for console access. The engineer configures 'aaa authentication login default group radius local' and 'aaa authentication login CONSOLE local'. The console line is configured with 'login authentication CONSOLE'. However, when the RADIUS server is down, the engineer cannot log in via the console. What is the problem?
10A network engineer runs the following command on Router R1: R1# show aaa sessions Total sessions since last reload: 5 Session Id: 1 Unique Id: 1 User Name: admin IP Address: 10.1.1.100 Idle Time: 0 Timeout: 0 Type: Login Method: RADIUS Session Id: 2 Unique Id: 2 User Name: jdoe IP Address: 10.1.1.101 Idle Time: 120 Timeout: 0 Type: Login Method: LOCAL Based on this output, what can be concluded?
11A network administrator issues the following command on a Cisco switch: Switch# show aaa servers RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813 State: current UP, duration 3600s, previous duration 0s Dead: total 0, retransmit 0 RADIUS: id 2, priority 2, host 192.168.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 100s, previous duration 300s Dead: total 3, retransmit 2 Based on this output, what can be concluded?
12A network engineer runs the following debug on a router: R1# debug aaa authentication *Mar 1 00:01:23.456: AAA/BIND(00000001): Bind iplist *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default' *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Method=RADIUS *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): RADIUS server 10.1.1.10:1812, timeout 5, retransmit 2 *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Sent username 'admin', password **** *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Received PASS response *Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pass Based on this output, what can be concluded?
13A network administrator checks the AAA configuration on a router: R1# show running-config | include aaa aaa new-model aaa authentication login default group radius local aaa authentication login console local aaa authorization exec default group tacacs+ local aaa accounting exec default start-stop group radius Based on this output, what can be concluded?
14A network engineer issues the following command on a router: R1# show tacacs TACACS+ Server: 10.1.1.10/49 Socket opens: 5 Socket closes: 3 Socket aborts: 0 Total packets sent: 10 Total packets received: 9 Retransmissions: 1 Timeouts: 1 Current idle time: 30 seconds Based on this output, what can be concluded?
15A network administrator runs the following command on a switch: Switch# show aaa method-list Method List Name: default Type: authentication Group: radius Group: local Method List Name: console Type: authentication Group: local Method List Name: default Type: authorization Group: tacacs+ Group: local Based on this output, what can be concluded?
16A network engineer checks the AAA server status: R1# show aaa servers RADIUS: id 1, priority 1, host 10.1.1.10, auth-port 1812, acct-port 1813 State: current DEAD, duration 0s, previous duration 500s Dead: total 1, retransmit 3 RADIUS: id 2, priority 2, host 10.1.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 200s, previous duration 0s Dead: total 0, retransmit 0 Based on this output, what can be concluded?
17A network administrator runs the following debug on a router: R1# debug aaa authorization *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Processing author request for user 'jdoe' *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Method=TACACS+ *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): TACACS+ server 10.1.1.10:49, timeout 5 *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Sent author request *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Received PASS response *Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Pass Based on this output, what can be concluded?
18A network engineer checks AAA accounting on a router: R1# show aaa accounting Accounting method list 'default': Type: exec Start-stop: group radius Accounting records: Total started: 10 Total stopped: 8 Total failed: 2 Last record: user 'admin', start time 00:01:00 UTC Mar 1 2023 Based on this output, what can be concluded?
19Examine the following AAA configuration snippet: aaa new-model aaa authentication login default local aaa authentication login CONSOLE local aaa authorization exec default local aaa accounting exec default start-stop group tacacs+ line con 0 login authentication CONSOLE line vty 0 4 login authentication default What is the effect of this configuration?
20Given the following configuration: aaa new-model aaa authentication login default group radius local aaa authorization exec default group radius local aaa accounting exec default start-stop group radius radius-server host 192.168.1.100 key Cisco123 radius-server host 192.168.1.101 key Cisco123 Which statement is true about this configuration?
21Consider this AAA configuration: aaa new-model aaa authentication login default group tacacs+ local aaa authorization exec default group tacacs+ local aaa accounting exec default stop-only group tacacs+ tacacs-server host 10.0.0.1 key SecretKey tacacs-server host 10.0.0.2 key SecretKey What is the effect of the accounting command?
22Examine this configuration: aaa new-model aaa authentication login default local aaa authorization exec default local aaa accounting exec default start-stop group tacacs+ line vty 0 4 login authentication default privilege level 15 What is missing to ensure that VTY users are authenticated via TACACS+?
23Given this configuration: aaa new-model aaa authentication login default group radius aaa authorization exec default group radius aaa accounting exec default start-stop group radius radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key radiuskey radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key radiuskey Which statement is true about the RADIUS server ports?
24Consider this AAA configuration: aaa new-model aaa authentication login default local aaa authorization exec default local aaa accounting exec default start-stop group tacacs+ tacacs-server host 10.0.0.1 key SecretKey line con 0 login authentication default line vty 0 4 login authentication default What is the effect of this configuration?
25What is the default port used by TACACS+ for communication?
26Which statement correctly describes the difference between RADIUS and TACACS+?
27What is the purpose of the 'aaa authorization exec default local' command?
28Drag and drop the steps of the RADIUS authentication process into the correct order, from first to last.
29Drag and drop the steps of the TACACS+ authentication process into the correct order, from first to last.
30Drag and drop the steps of configuring AAA on a Cisco IOS device into the correct order, from first to last.
31Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.
32Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.
33Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.
34Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.
35Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.
36Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.
37Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.
38Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.
39Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.
40Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.
41Drag and drop each protocol on the left to its matching characteristic on the right.
42Drag and drop each AAA function on the left to its correct description on the right.
43Drag and drop each RADIUS attribute on the left to its correct attribute number on the right.
44Drag and drop each AAA method list on the left to its correct fallback order on the right.
45Drag and drop each TACACS+ packet type on the left to its correct function on the right.
46Drag and drop each protocol on the left to its matching characteristic on the right.
47Drag and drop each AAA function on the left to its matching description on the right.
48Drag and drop each RADIUS attribute name on the left to its matching attribute number on the right.
49Drag and drop each AAA method list type on the left to its correct fallback order (from first to last) on the right.
50Drag and drop each TACACS+ packet type on the left to its matching function on the right.
51Which two statements about AAA accounting are true? (Choose two.)
52Which three statements about RADIUS and TACACS+ are true? (Choose three.)
53Which two statements about local AAA and fallback methods are true? (Choose two.)
54Which three statements about RADIUS server configuration and operation are true? (Choose three.)
55Which two statements about AAA authentication methods are true? (Choose two.)
56Which three statements about RADIUS and TACACS+ are true? (Choose three.)
57Which two statements about AAA authorization and accounting are true? (Choose two.)
58Which three statements about configuring AAA on Cisco IOS devices are true? (Choose three.)
The AAA, RADIUS, and TACACS+ domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.
The Courseiva 350-401 question bank contains 58 questions in the AAA, RADIUS, and TACACS+ domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the AAA, RADIUS, and TACACS+ domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included