Practice 350-401 802.1X and TrustSec questions with full explanations on every answer.
1. A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?
2. An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?
3. A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?
4. A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt map' and sees that the user's SGT is 0. What is the most likely cause?
5. An organization is implementing 802.1X for wireless users using Cisco ISE as the RADIUS server. The network engineer configures the wireless LAN controller (WLC) with 802.1X authentication. Users report that they can connect to the SSID but cannot access any network resources. The engineer checks the WLC and sees that users are authenticated and assigned to VLAN 100. The engineer also checks the switchport connecting the WLC and sees it is a trunk. What is the most likely issue?
6. A network engineer is configuring 802.1X on a Cisco switch for a voice VLAN deployment. The switchport is connected to an IP phone, which then connects to a PC. The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'switchport voice vlan 10'. The PC authenticates successfully, but the IP phone does not get an IP address from the voice VLAN. The engineer verifies that the phone is configured for 802.1X and the RADIUS server is correct. What is the most likely cause?
7. A network engineer is implementing Cisco TrustSec (CTS) with Security Group Tags (SGTs) using SXP (SGT Exchange Protocol). The engineer configures the switch as an SXP speaker and the Cisco ISE as an SXP listener. The engineer verifies that SXP peers are established. However, when the engineer checks 'show cts role-based sgt map', the SGT mappings for users are not present. What is the most likely cause?
8. A network engineer is configuring 802.1X on a Cisco switch for a guest network. The engineer wants to allow guests to access the internet after authentication but restrict access to internal resources. The engineer configures the switch with 'authentication port-control auto' and a downloadable ACL (dACL) from the RADIUS server. After a guest authenticates, the engineer tests connectivity and finds that the guest can access internal servers. What is the most likely cause?
9. A network engineer is deploying 802.1X with Cisco ISE for a wired network. The engineer wants to use CoA (Change of Authorization) to dynamically change the VLAN of a user after authentication. The engineer configures the switch with 'aaa server radius dynamic-author' and the ISE with CoA settings. When the engineer tests CoA from ISE, the switch logs show 'CoA request received' but the VLAN does not change. What is the most likely cause?
10. A network engineer runs the following command on switch SW1:

    SW1# show authentication sessions interface GigabitEthernet1/0/1
    Interface: GigabitEthernet1/0/1
    MAC Address: 0011.2233.4455
    IP Address: 192.168.1.100
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-auth
    Oper control dir: both
    Session timeout: N/A
    Common Session ID: 0A1B2C3D4E5F6G7H8I9J
    Acct Session ID: 0x0000000A
    Handle: 0x00000001
    Current Method List: mab
    Method: MAB
    State: Authz Success

    Based on this output, what can be concluded?
11. A network engineer runs the following command on switch SW2:

    SW2# show cts role-based sgt-map
    Active IPv4-SGT Mapping Table:
    IP Address      SGT
    192.168.1.10    10
    192.168.1.20    20
    192.168.1.30    30
    Total number of entries: 3

    Based on this output, what can be concluded?
12. A network engineer runs the following command on switch SW3:

    SW3# show cts role-based permissions
    IPv4 Role-based permissions:
    Source Group    Dest Group    Action
    10              20            PERMIT
    10              30            DENY
    20              30            PERMIT

    Based on this output, what can be concluded?
13. A network engineer runs the following command on switch SW4:

    SW4# show cts environment-data
    CTS Environment Data:
    Device ID: SW4.cisco.com
    Device Name: SW4
    CTS Capabilities: SGT, SXP, CTSD, CTSA
    SGT: 100
    SXP Node: Enabled
    SXP Connection: 10.1.1.1:64999

    Based on this output, what can be concluded?
14. A network engineer runs the following command on switch SW5:

    SW5# show cts sxp connections
    SXP Connections:
    Peer IP     Source IP   Conn Status   Duration
    10.1.1.1    10.1.1.2    Up            2d3h
    10.1.1.3    10.1.1.2    Down          0d0h

    Based on this output, what can be concluded?
15. A network engineer runs the following command on switch SW6:

    SW6# show cts role-based counters
    Role-based counters:
    Source Group  Dest Group  Packets Sent  Bytes Sent  Packets Denied  Bytes Denied
    10            20          1500          120000      0               0
    10            30          0             0           500             40000

    Based on this output, what can be concluded?
16. A network engineer runs the following command on switch SW7:

    SW7# show authentication registrations
    Authentication Method Registrations:
    Method     Priority   Type
    dot1x      10         Interface
    mab        20         Interface
    webauth    30         Interface

    Based on this output, what can be concluded?
17. A network engineer runs the following command on switch SW8:

    SW8# show cts role-based sgt-map 192.168.1.10
    IP Address: 192.168.1.10
    SGT: 10
    Source: SXP

    Based on this output, what can be concluded?
18. A network engineer runs the following command on switch SW9:

    SW9# show cts role-based policy
    Role-based policy:
    Source Group    Dest Group    Action
    10              20            PERMIT
    10              30            DENY
    20              30            PERMIT

    Based on this output, what can be concluded?
19. Consider the following configuration on a Cisco IOS-XE switch:

    interface GigabitEthernet1/0/1
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast

    What is the effect of this configuration?
20. Examine the following configuration snippet:

    interface GigabitEthernet1/0/2
     switchport mode access
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10

    Which statement about this configuration is true?
21. Consider the following TrustSec configuration on a Cisco switch:

    cts role-based enforcement
    interface GigabitEthernet1/0/3
     cts manual
      sap pmk 0123456789ABCDEF mode-list both

    What is the purpose of this configuration?
22. Examine the following configuration:

    aaa new-model
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    interface GigabitEthernet1/0/4
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout quiet-period 30

    What is the effect of the 'dot1x timeout quiet-period 30' command?
23. Consider this configuration for TrustSec on a Cisco switch:

    cts role-based enforcement
    interface GigabitEthernet1/0/5
     cts manual
      sap pmk AABBCCDDEEFF00112233445566778899 mode-list both
      propagate sgt

    What is the purpose of the 'propagate sgt' command under the interface?
24. Examine the following configuration on a Cisco IOS-XE switch:

    interface GigabitEthernet1/0/6
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 3
     dot1x max-req 3
     dot1x timeout supp-timeout 10

    What is the total time the switch will wait for a supplicant to respond before failing authentication?
25. What is the default quiet-period timer value in Cisco IOS 802.1X configuration?
26. In Cisco TrustSec, which component is responsible for assigning a Security Group Tag (SGT) to a user or device based on authentication?
27. What is the default tx-period timer value in Cisco IOS 802.1X configuration?
28. Drag and drop the steps of the 802.1X EAP-TLS authentication exchange into the correct order, from first to last.
29. Drag and drop the steps of TrustSec SGT classification and enforcement into the correct order, from first to last.
30. Drag and drop the steps of 802.1X port authentication with MAB fallback into the correct order, from first to last.
31. Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.
32. Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.
33. Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.
34. Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.
35. Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.
36. Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.
37. Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.
38. Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.
39. Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.
40. Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.
41. Drag and drop each 802.1X component on the left to its matching role on the right.
42. Drag and drop each EAP method on the left to its matching authentication type on the right.
43. Drag and drop each TrustSec component on the left to its matching function on the right.
44. Drag and drop each authentication mode on the left to its matching behavior on the right.
45. Drag and drop each ISE policy result on the left to its matching enforcement action on the right.
46. Drag and drop each 802.1X component on the left to its matching role on the right.
47. Drag and drop each EAP method on the left to its matching authentication type on the right.
48. Drag and drop each TrustSec component on the left to its matching function on the right.
49. Drag and drop each authentication mode on the left to its matching behavior on the right.
50. Drag and drop each ISE policy result on the left to its matching enforcement action on the right.
51. Which two statements about Cisco TrustSec security group tags (SGTs) are true? (Choose two.)
52. Which three statements about 802.1X port-based authentication are true? (Choose three.)
53. Which two statements about 802.1X authentication with MAC Authentication Bypass (MAB) are true? (Choose two.)
54. Which three statements about Cisco TrustSec security group access control lists (SGACLs) are true? (Choose three.)
55. Which two statements about 802.1X authentication process are true? (Choose two.)
56. Which three statements about Cisco TrustSec (CTS) are true? (Choose three.)
57. Which two statements about 802.1X port states and access control are true? (Choose two.)
58. Which three statements about Cisco TrustSec SGT propagation and enforcement are true? (Choose three.)
The 802.1X and TrustSec domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.
The Courseiva 350-401 question bank contains 58 questions in the 802.1X and TrustSec domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the 802.1X and TrustSec domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.