20+ practice questions focused on 802.1X and TrustSec — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?
Explanation: The scenario describes a common issue where 802.1X is configured but the switch is not sending EAP requests because it is waiting for a trigger. Without 'dot1x timeout tx-period', the switch sends EAP-Request/Identity only once every 30 seconds by default. The laptop's supplicant may not initiate the process if it doesn't receive a prompt. Option B is correct because the switch must be configured to send EAP requests to start the authentication. Option A is incorrect because 'aaa new-model' is required for AAA but not the direct cause of the failure. Option C is incorrect because the switchport mode is not specified; 'switchport mode access' is typical but not the issue. Option D is incorrect because the RADIUS server is reachable per the engineer's verification.
An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?
Explanation: CTS role-based enforcement requires SGTs to be assigned to packets. If the switch does not have SGT information for the source or destination, it cannot enforce policies. Option C is correct because without SGTs, the switch treats traffic as untagged and does not apply SGACLs. Option A is incorrect because CTS does not require 802.1X; it can use manual or SXP. Option B is incorrect because 'cts manual' is a valid configuration for trusted interfaces. Option D is incorrect because 'show cts role-based counters' shows drops only if enforcement is active; no drops indicate no enforcement.
A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?
Explanation: MAB requires the switch to send a MAC address as the username and password. If the RADIUS server does not accept the format, authentication fails. Option A is correct because the RADIUS server must be configured to accept MAC addresses in the format sent by the switch (e.g., 'aaaa.bbbb.cccc'). Option B is incorrect because MAB does not require EAP. Option C is incorrect because the switchport mode does not affect MAB. Option D is incorrect because the printer does not support 802.1X, so it cannot respond to EAP.
A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt map' and sees that the user's SGT is 0. What is the most likely cause?
Explanation: SGT 0 is the default untagged SGT. If the user's SGT is 0, it means the switch did not receive the SGT from the RADIUS server during 802.1X authentication. Option A is correct because the RADIUS server must send the SGT in the Access-Accept message. Option B is incorrect because SGACLs are applied per SGT, not per interface. Option C is incorrect because the switch is configured for enforcement. Option D is incorrect because SGT 0 is not a valid SGT for enforcement; the switch treats it as untagged.
An organization is implementing 802.1X for wireless users using Cisco ISE as the RADIUS server. The network engineer configures the wireless LAN controller (WLC) with 802.1X authentication. Users report that they can connect to the SSID but cannot access any network resources. The engineer checks the WLC and sees that users are authenticated and assigned to VLAN 100. The engineer also checks the switchport connecting the WLC and sees it is a trunk. What is the most likely issue?
Explanation: When using 802.1X with WLC, the WLC typically uses VLAN tagging. If the WLC is configured to tag traffic from the SSID with a specific VLAN, the switch trunk must allow that VLAN. Option B is correct because if VLAN 100 is not allowed on the trunk, traffic will be dropped. Option A is incorrect because the users are authenticated, so the RADIUS server is working. Option C is incorrect because the WLC does not need 802.1X on the uplink. Option D is incorrect because the WLC does not use MAB for wireless.
+15 more 802.1X and TrustSec questions available
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of 802.1X and TrustSec. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
802.1X and TrustSec questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. 802.1X and TrustSec is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted 802.1X and TrustSec questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but 802.1X and TrustSec is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full 802.1X and TrustSec practice session with instant scoring and detailed explanations.