Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← 802.1X and TrustSec practice sets

350-401 802.1X and TrustSec • Complete Question Bank

350-401 802.1X and TrustSec — All Questions With Answers

Complete 350-401 802.1X and TrustSec question bank — all 0 questions with answers and detailed explanations.

58
Questions
Free
No signup
Certifications/350-401/Practice Test/802.1X and TrustSec/All Questions
Question 1mediummultiple choice
Study the full AAA explanation →

A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?

Question 2hardmultiple choice
Study the full AAA explanation →

An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?

Question 3mediummultiple choice
Study the full AAA explanation →

A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?

Question 4hardmultiple choice
Study the full ACL explanation →

A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt map' and sees that the user's SGT is 0. What is the most likely cause?

Question 5mediummultiple choice
Open the full VLAN trunking answer →

An organization is implementing 802.1X for wireless users using Cisco ISE as the RADIUS server. The network engineer configures the wireless LAN controller (WLC) with 802.1X authentication. Users report that they can connect to the SSID but cannot access any network resources. The engineer checks the WLC and sees that users are authenticated and assigned to VLAN 100. The engineer also checks the switchport connecting the WLC and sees it is a trunk. What is the most likely issue?

Question 6mediummultiple choice
Open the full VLAN trunking answer →

A network engineer is configuring 802.1X on a Cisco switch for a voice VLAN deployment. The switchport is connected to an IP phone, which then connects to a PC. The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'switchport voice vlan 10'. The PC authenticates successfully, but the IP phone does not get an IP address from the voice VLAN. The engineer verifies that the phone is configured for 802.1X and the RADIUS server is correct. What is the most likely cause?

Question 7hardmultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer is implementing Cisco TrustSec (CTS) with Security Group Tags (SGTs) using SXP (SGT Exchange Protocol). The engineer configures the switch as an SXP speaker and the Cisco ISE as an SXP listener. The engineer verifies that SXP peers are established. However, when the engineer checks 'show cts role-based sgt map', the SGT mappings for users are not present. What is the most likely cause?

Question 8mediummultiple choice
Study the full ACL explanation →

A network engineer is configuring 802.1X on a Cisco switch for a guest network. The engineer wants to allow guests to access the internet after authentication but restrict access to internal resources. The engineer configures the switch with 'authentication port-control auto' and a downloadable ACL (dACL) from the RADIUS server. After a guest authenticates, the engineer tests connectivity and finds that the guest can access internal servers. What is the most likely cause?

Question 9hardmultiple choice
Open the full VLAN trunking answer →

A network engineer is deploying 802.1X with Cisco ISE for a wired network. The engineer wants to use CoA (Change of Authorization) to dynamically change the VLAN of a user after authentication. The engineer configures the switch with 'aaa server radius dynamic-author' and the ISE with CoA settings. When the engineer tests CoA from ISE, the switch logs show 'CoA request received' but the VLAN does not change. What is the most likely cause?

Question 10mediummultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW1:

SW1# show authentication sessions interface GigabitEthernet1/0/1

Interface: GigabitEthernet1/0/1

MAC Address: 0011.2233.4455

IP Address: 192.168.1.100

Status: Authz Success Domain: DATA Oper host mode: multi-auth Oper control dir: both Session timeout: N/A Common Session ID: 0A1B2C3D4E5F6G7H8I9J Acct Session ID: 0x0000000A Handle: 0x00000001

Current Method List: mab Method: MAB State: Authz Success

Based on this output, what can be concluded?

Question 11mediummultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW2:

SW2# show cts role-based sgt-map

Active IPv4-SGT Mapping Table:

IP Address       SGT
192.168.1.10     10
192.168.1.20     20
192.168.1.30     30

Total number of entries: 3

Based on this output, what can be concluded?

Question 12mediummultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW3:

SW3# show cts role-based permissions

IPv4 Role-based permissions:

Source Group Dest Group Action 10 20 PERMIT 10 30 DENY 20 30 PERMIT

Based on this output, what can be concluded?

Question 13hardmultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW4:

SW4# show cts environment-data

CTS Environment Data:

Device ID: SW4.cisco.com Device Name: SW4 CTS Capabilities: SGT, SXP, CTSD, CTSA SGT: 100 SXP Node: Enabled SXP Connection: 10.1.1.1:64999

Based on this output, what can be concluded?

Question 14mediummultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW5:

SW5# show cts sxp connections

SXP Connections:

Peer IP Source IP Conn Status Duration

10.1.1.1        10.1.1.2        Up              2d3h
10.1.1.3        10.1.1.2        Down            0d0h

Based on this output, what can be concluded?

Question 15hardmultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW6:

SW6# show cts role-based counters

Role-based counters:

Source Group Dest Group Packets Sent Bytes Sent Packets Denied Bytes Denied 10 20 1500 120000 0 0 10 30 0 0 500 40000

Based on this output, what can be concluded?

Question 16mediummultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW7:

SW7# show authentication registrations

Authentication Method Registrations:

Method Priority Type dot1x 10 Interface mab 20 Interface webauth 30 Interface

Based on this output, what can be concluded?

Question 17hardmultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW8:

SW8# show cts role-based sgt-map 192.168.1.10

IP Address: 192.168.1.10

SGT: 10 Source: SXP

Based on this output, what can be concluded?

Question 18mediummultiple choice
Read the full 802.1X and TrustSec explanation →

A network engineer runs the following command on switch SW9:

SW9# show cts role-based policy

Role-based policy:

Source Group Dest Group Action 10 20 PERMIT 10 30 DENY 20 30 PERMIT

Based on this output, what can be concluded?

Question 19mediummultiple choice
Read the full 802.1X and TrustSec explanation →

Consider the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet1/0/1
 switchport mode access

authentication port-control auto dot1x pae authenticator dot1x timeout tx-period 5

spanning-tree portfast

What is the effect of this configuration?

Question 20mediummultiple choice
Read the full 802.1X and TrustSec explanation →

Examine the following configuration snippet:

interface GigabitEthernet1/0/2
 switchport mode access

authentication port-control auto mab dot1x pae authenticator dot1x timeout tx-period 10

Which statement about this configuration is true?

Question 21mediummultiple choice
Read the full 802.1X and TrustSec explanation →

Consider the following TrustSec configuration on a Cisco switch:

cts role-based enforcement

interface GigabitEthernet1/0/3

cts manual sap pmk 0123456789ABCDEF mode-list both

What is the purpose of this configuration?

Question 22mediummultiple choice
Study the full AAA explanation →

Examine the following configuration:

aaa new-model
aaa authentication dot1x default group radius

dot1x system-auth-control

interface GigabitEthernet1/0/4
 switchport mode access

authentication port-control auto dot1x pae authenticator dot1x timeout quiet-period 30

What is the effect of the 'dot1x timeout quiet-period 30' command?

Question 23mediummultiple choice
Read the full 802.1X and TrustSec explanation →

Consider this configuration for TrustSec on a Cisco switch:

cts role-based enforcement

interface GigabitEthernet1/0/5

cts manual sap pmk AABBCCDDEEFF00112233445566778899 mode-list both propagate sgt

What is the purpose of the 'propagate sgt' command under the interface?

Question 24mediummultiple choice
Read the full 802.1X and TrustSec explanation →

Examine the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet1/0/6
 switchport mode access

authentication port-control auto dot1x pae authenticator dot1x timeout tx-period 3 dot1x max-req 3 dot1x timeout supp-timeout 10

What is the total time the switch will wait for a supplicant to respond before failing authentication?

Question 25easymultiple choice
Read the full 802.1X and TrustSec explanation →

What is the default quiet-period timer value in Cisco IOS 802.1X configuration?

Question 26mediummultiple choice
Read the full 802.1X and TrustSec explanation →

In Cisco TrustSec, which component is responsible for assigning a Security Group Tag (SGT) to a user or device based on authentication?

Question 27easymultiple choice
Read the full 802.1X and TrustSec explanation →

What is the default tx-period timer value in Cisco IOS 802.1X configuration?

Question 28mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of the 802.1X EAP-TLS authentication exchange into the correct order, from first to last.

Question 29mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of TrustSec SGT classification and enforcement into the correct order, from first to last.

Question 30mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of 802.1X port authentication with MAB fallback into the correct order, from first to last.

Question 31mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.

Question 32mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.

Question 33mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.

Question 34mediumdrag order
Study the full ACL explanation →

Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.

Question 35mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.

Question 36mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.

Question 37mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.

Question 38mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.

Question 39mediumdrag order
Study the full ACL explanation →

Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.

Question 40mediumdrag order
Read the full 802.1X and TrustSec explanation →

Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.

Question 41mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each 802.1X component on the left to its matching role on the right.

Question 42mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each EAP method on the left to its matching authentication type on the right.

Question 43mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each TrustSec component on the left to its matching function on the right.

Question 44mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each authentication mode on the left to its matching behavior on the right.

Question 45mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each ISE policy result on the left to its matching enforcement action on the right.

Question 46mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each 802.1X component on the left to its matching role on the right.

Question 47mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each EAP method on the left to its matching authentication type on the right.

Question 48hardmatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each TrustSec component on the left to its matching function on the right.

Question 49mediummatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each authentication mode on the left to its matching behavior on the right.

Question 50hardmatching
Read the full 802.1X and TrustSec explanation →

Drag and drop each ISE policy result on the left to its matching enforcement action on the right.

Question 51mediummulti select
Read the full 802.1X and TrustSec explanation →

Which two statements about Cisco TrustSec security group tags (SGTs) are true? (Choose two.)

Question 52hardmulti select
Read the full 802.1X and TrustSec explanation →

Which three statements about 802.1X port-based authentication are true? (Choose three.)

Question 53mediummulti select
Read the full 802.1X and TrustSec explanation →

Which two statements about 802.1X authentication with MAC Authentication Bypass (MAB) are true? (Choose two.)

Question 54hardmulti select
Study the full ACL explanation →

Which three statements about Cisco TrustSec security group access control lists (SGACLs) are true? (Choose three.)

Question 55mediummulti select
Read the full 802.1X and TrustSec explanation →

Which two statements about 802.1X authentication process are true? (Choose two.)

Question 56hardmulti select
Read the full 802.1X and TrustSec explanation →

Which three statements about Cisco TrustSec (CTS) are true? (Choose three.)

Question 57mediummulti select
Read the full 802.1X and TrustSec explanation →

Which two statements about 802.1X port states and access control are true? (Choose two.)

Question 58hardmulti select
Read the full 802.1X and TrustSec explanation →

Which three statements about Cisco TrustSec SGT propagation and enforcement are true? (Choose three.)

Practice tests

Scored 10-question sessions with instant feedback and explanations.

350-401 Practice Test 1 — 10 Questions→350-401 Practice Test 2 — 10 Questions→350-401 Practice Test 3 — 10 Questions→350-401 Practice Test 4 — 10 Questions→350-401 Practice Test 5 — 10 Questions→350-401 Practice Exam 1 — 20 Questions→350-401 Practice Exam 2 — 20 Questions→350-401 Practice Exam 3 — 20 Questions→350-401 Practice Exam 4 — 20 Questions→Free 350-401 Practice Test 1 — 30 Questions→Free 350-401 Practice Test 2 — 30 Questions→Free 350-401 Practice Test 3 — 30 Questions→350-401 Practice Questions 1 — 50 Questions→350-401 Practice Questions 2 — 50 Questions→350-401 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationVirtual Machines and HypervisorsVRF and Path IsolationInfrastructureOSPFBGPEIGRPVLANs and TrunkingSpanning Tree ProtocolEtherChannelWireless InfrastructureMPLSWAN TechnologiesNAT and DHCPIP MulticastQoSNetwork AssuranceSNMP and SyslogNetFlow and TelemetrySPAN and RSPANIP SLASecurityAAA, RADIUS, and TACACS+ACLs and CoPP802.1X and TrustSecVPN TechnologiesInfrastructure SecurityAutomationPython for Network AutomationAnsible AutomationREST APIs and Data ModelsCisco DNA CenterModel-Driven Telemetry

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All 802.1X and TrustSec setsAll 802.1X and TrustSec questions350-401 Practice Hub