CCNA AAA Questions

28 questions · AAA topic · All types, answers revealed

1
MCQ · hard

A switchport is configured for 802.1X authentication. What is the usual role of the RADIUS server in that design?

A. It provides Layer 2 trunk negotiation for the supplicant.
B. It validates authentication credentials for the supplicant.
C. It replaces the need for DHCP on the access layer.
D. It generates ARP replies on behalf of the default gateway.
Answer: B

Correct. The RADIUS server performs centralized AAA decisions.

Why this answer

The switch acts as the authenticator and forwards authentication requests to the RADIUS server, which validates the user or device credentials.

Exam trap

A common trap is crediting the RADIUS server with functions beyond AAA, such as DHCP address assignment, ARP replies on behalf of the gateway, or trunk negotiation. RADIUS takes part in network access control; it does not replace other network services, and options that describe unrelated network functions are distractors.

Why the other options are wrong

A

Option A is incorrect because the RADIUS server does not handle Layer 2 trunk negotiation. Trunking is managed by protocols such as DTP or manual switchport configuration, not by the authentication server.

C

Option C is incorrect because DHCP is responsible for IP address assignment, not the RADIUS server. RADIUS focuses solely on authentication, authorization, and accounting functions.

D

Option D is incorrect because the RADIUS server does not generate ARP replies or perform any gateway functions. These tasks are handled by routers or Layer 3 devices in the network.

2
PBQ · hard

You are connected to R1. Configure AAA with RADIUS authentication so that SSH users are authenticated first against the RADIUS server (198.51.100.10) and fall back to the local user database if the server is unreachable. Additionally, troubleshoot why an 802.1X-enabled interface (GigabitEthernet0/1) remains in the unauthorized state. The RADIUS server shares a key of 'cisco123' and uses UDP port 1812. The local user 'admin' with secret 'adminpass' must be available as a fallback.

Hints

  • The dot1x authentication list is missing a fallback method.
  • Use the 'aaa authentication dot1x default' command to add 'local' after 'group radius'.
  • After fixing, the port may need to re-authenticate; you can test by shutting/no shutting the interface.
A. The RADIUS server is unreachable, but the 802.1X port remains unauthorized because the AAA authentication list for dot1x is configured to use only RADIUS without local fallback. The fix is to modify the dot1x authentication list to include 'local' as a fallback method.
B. The RADIUS server is unreachable because the shared key 'cisco123' is incorrect, causing the port to stay unauthorized.
C. The 802.1X port remains unauthorized because the RADIUS server uses UDP port 1812, but the switch expects port 1645.
D. The SSH authentication fails because the local user 'admin' is not configured with the correct privilege level, so fallback does not work.
Answer: A
Solution
! R1
configure terminal
aaa authentication dot1x default group radius local
end
write memory

Why this answer

The RADIUS server is unreachable and the dot1x method list is 'group radius' with no second method. When every request to the server times out, the list is exhausted, the supplicant is never authenticated, and the port stays unauthorized. The fix expected here is to append 'local' so the switch can consult its local user database when RADIUS does not answer.

Adding local fallback lets the switch authenticate the supplicant against the local database while the RADIUS server is unreachable. Practitioner caveat: Cisco's command reference for 'aaa authentication dot1x' shows 'local' and other keywords in the help output but documents only 'group radius' as supported, and in production the usual handling for a dead RADIUS server is critical authentication on the port ('authentication event server dead action authorize vlan ...') rather than a local method. For the exam, option A is the intended answer.

Exam trap

Do not confuse authentication list configuration for different services (login vs dot1x). SSH uses 'login' list, while 802.1X uses 'dot1x' list. Also, ensure fallback methods are included for network access authentication to avoid permanent unauthorized state.

Why the other options are wrong

B

The specific factual error: the shared key does not encrypt RADIUS traffic. It authenticates the exchange (the Response Authenticator and the Message-Authenticator attribute) and obfuscates the User-Password attribute. A wrong key makes the switch discard the server's replies, which looks like a failed or timed-out authentication, but the scenario attributes the unauthorized port to the missing fallback method, not to the key.

C

The specific factual error: the question states the server listens on UDP 1812, and IOS also defaults to 1812 for authentication and 1813 for accounting; the older 1645/1646 pair is used only if configured explicitly, so there is no port mismatch.

D

The specific factual error: Privilege level is not required for authentication; it affects authorization. The local user exists and can authenticate, so SSH fallback is fine.
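The full R1 configuration for the scenario in question 2, with the verification commands a practitioner runs afterwards, as an added example that is not part of the question bank's solution. The hostname, domain name, the server name RADIUS_SRV, the RSA key size and the VTY range are assumptions; the addresses, key and username come from the question.

```cisco
! Added example, not the question bank's solution: complete R1 configuration
! for question 2 plus verification. Assumed: hostname, domain name, the
! server name RADIUS_SRV, RSA key size and the VTY range.
configure terminal
 hostname R1
 ip domain-name lab.example
 crypto key generate rsa modulus 2048
 ip ssh version 2
 aaa new-model
 ! Local fallback account from the question; privilege 15 so it is usable
 ! for repair work while RADIUS is down
 username admin privilege 15 secret adminpass
 ! RADIUS server definition (new-style block; 'radius-server host' is legacy)
 radius server RADIUS_SRV
  address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
  key cisco123
  timeout 3
  retransmit 2
 exit
 ! Two separate lists: 'login' governs SSH/console/VTY, 'dot1x' governs the
 ! port. Each list is walked left to right; the next method is tried only
 ! when the previous one is unreachable (error), not when it rejects (fail).
 aaa authentication login default group radius local
 aaa authentication dot1x default group radius local
 line vty 0 4
  transport input ssh
  login authentication default
 exit
end
write memory
! Verification. 'test aaa' shows whether the server answers and whether
! the key is right; the show commands expose the port state.
test aaa group radius admin adminpass legacy
show aaa servers
show authentication sessions interface GigabitEthernet0/1 details
show dot1x interface GigabitEthernet0/1 details
```

The error-versus-fail distinction in the comment is the practical point: 'local' is consulted only when RADIUS does not answer, so a password the server rejects is not retried against the local database.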

3
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

The correct order for AAA with RADIUS and 802.1X is: global config, enable AAA, configure RADIUS server, define authentication method list, then enable 802.1X on the interface.

Exam trap

Candidates often confuse the order of AAA configuration steps, especially whether to configure the RADIUS server before or after defining the method list. Remember: AAA must be enabled first, then the server, then the method list, then interface configuration.

4
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on an IOS-XE switch.


Why this order

Enter global configuration, define the RADIUS server, enable AAA with 'aaa new-model' and configure the 'aaa authentication dot1x' list, enable 802.1X globally with 'dot1x system-auth-control', and then apply the per-interface 802.1X settings.

Exam trap

Candidates confuse the dependency order. The method list should point at a server that already exists, and both 'dot1x system-auth-control' and the interface commands assume AAA is already configured. Think about what each step depends on.

5
PBQ · hard

You are connected to R1. Configure AAA with RADIUS server at 192.0.2.10 (key = Cisco123) so that console login uses local authentication as fallback. Then troubleshoot why a host connected to R1's GigabitEthernet0/1 (802.1X enabled) remains in unauthorized state. The RADIUS server is reachable. Fix the issue so the port authorizes successfully.

Hints

  • A RADIUS server is defined, but the named server group that the login method list references has not been created.
  • Check the 'aaa authentication login default' command: it points at a group that does not exist.
  • Use 'aaa group server radius' to create the group and add the server to it with 'server name'.
A. The RADIUS server is not defined in a AAA group; create 'aaa group server radius RAD_GROUP' and 'server name RADIUS_SERVER', then update the login default to reference the group.
B. The RADIUS server key is incorrect; change the key to match the server's configuration.
C. The 802.1X port is not enabled; enable 'dot1x port-control auto' on GigabitEthernet0/1.
D. The RADIUS server is not reachable; check IP connectivity and firewall rules.
Answer: A
Solution
! R1 (the 'radius server RADIUS_SERVER' definition already exists)
configure terminal
aaa group server radius RAD_GROUP
server name RADIUS_SERVER
exit
aaa authentication login default group RAD_GROUP local
end

Why this answer

The RADIUS server is reachable and defined, but the method list points at a named server group that was never created. The built-in keyword 'group radius' needs no definition; it covers every server configured with 'radius server' or 'radius-server host'. A named group such as RAD_GROUP must be created with 'aaa group server radius RAD_GROUP' and populated with 'server name RADIUS_SERVER' before a list can use it. Until then the list has no server to send requests to, authentication never succeeds, and the 802.1X session on the port stays unauthorized.

The fix is to create the group, add the server to it, and point the method list at the group. Note that the login list governs console and VTY logins; in a complete configuration the dot1x list must reference a working group too (here 'group RAD_GROUP' or the built-in 'group radius').

Exam trap

Trap: do not confuse the built-in 'group radius' keyword, which works without any 'aaa group server' command, with a named group, which must exist before a method list can use it. Also, do not confuse reachability with configuration: the server may answer pings but never receive a request because the list points at an undefined group.

Why the other options are wrong

B

The specific factual error: The key is already correct as per the scenario; the problem is the missing AAA group definition.

C

The specific factual error: The port already has 802.1X enabled, so re-enabling it does not fix the authentication failure.

D

The specific factual error: The server is reachable, so connectivity is not the problem.

6
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on an IOS-XE switch.


Why this order

First configure the RADIUS server, then enable AAA, create an authentication list for 802.1X, and finally apply 802.1X to the port.

Exam trap

Do not confuse the order of enabling AAA and creating authentication lists: 'aaa new-model' must be entered before any 'aaa authentication' list is accepted. The RADIUS server definition itself does not depend on AAA, but it should exist before the list that references it, so the list has somewhere to send requests.

7
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

First, enter global config and enable AAA. Then define the RADIUS server, configure AAA authentication to use RADIUS for 802.1X, and finally enable 802.1X on the interface.

Exam trap

The key trap is the order of operations: AAA must be enabled first, then the RADIUS server defined, then authentication configured, and finally applied to the interface. Many candidates mistakenly configure the interface first or define the server after authentication.

8
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

Start by entering global configuration mode and enabling AAA with 'aaa new-model', which makes the other 'aaa' commands available. Then define the RADIUS server with the legacy 'radius-server host' and 'radius-server key' commands (current IOS-XE prefers a 'radius server NAME' block with 'address ipv4' and 'key') so the switch knows where to send authentication requests. Next, create the method list with 'aaa authentication dot1x default group radius'; 802.1X uses only the default list.

After the method list, enable 802.1X globally with 'dot1x system-auth-control'; without it the interface-level commands are accepted but have no effect. Finally, on the interface, set 'authentication port-control auto' (the legacy form is 'dot1x port-control auto') so the port opens only after a successful authentication. This order ensures each prerequisite is met before the next step.

Exam trap

A common mistake is omitting the global 'dot1x system-auth-control' command, which is required to enable 802.1X system-wide before configuring interface-level authentication.
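The ordered sequence behind drag-and-drop questions 3, 4, 6, 7, 8, 10 and 18, written out as one complete IOS-XE access-switch configuration. This is an added example, not the question bank's own steps; the server name ISE-1, the address 192.0.2.10, the key, VLAN 10 and the interface GigabitEthernet1/0/1 are assumptions. It also goes beyond the questions in one respect: it shows the critical-authentication commands that keep a port usable when the RADIUS server dies, which is the production answer to the failure mode in questions 2 and 19.

```cisco
! Added example, not the question bank's own steps: the complete ordered
! 802.1X configuration behind questions 3, 4, 6, 7, 8, 10 and 18 on an
! IOS-XE access switch. Assumed: server name ISE-1 at 192.0.2.10, key
! cisco123, VLAN 10, interface GigabitEthernet1/0/1.
configure terminal
 ! 1. Enable AAA; no 'aaa authentication' command is accepted before this
 aaa new-model
 ! 2. Define the RADIUS server the switch will relay EAP to
 radius server ISE-1
  address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
  key cisco123
 exit
 radius-server dead-criteria time 10 tries 3
 ! 3. Method lists: 802.1X only uses the default lists. 'network'
 !    authorization lets the switch apply VLAN or dACL attributes returned
 !    in the Access-Accept; accounting sends session start/stop records.
 aaa authentication dot1x default group radius
 aaa authorization network default group radius
 aaa accounting dot1x default start-stop group radius
 ! 4. Turn 802.1X on globally; interface commands have no effect without it
 dot1x system-auth-control
 ! 5. Per-port authenticator settings (legacy syntax; newer IOS-XE can also
 !    express these as a 'policy-map type control subscriber')
 interface GigabitEthernet1/0/1
  switchport mode access
  switchport access vlan 10
  authentication port-control auto
  dot1x pae authenticator
  authentication host-mode single-host
  authentication periodic
  authentication timer reauthenticate server
  ! Failure mode from questions 2 and 19: with RADIUS dead the port would
  ! stay unauthorized. Critical authentication admits the host to VLAN 10
  ! while the server is dead and re-initializes when it comes back.
  authentication event server dead action authorize vlan 10
  authentication event server alive action reinitialize
 exit
end
! Verify each layer in the same order it was configured
show aaa servers
show dot1x all
show authentication sessions interface GigabitEthernet1/0/1 details
```

Read the show output in the same order as the configuration: 'show aaa servers' confirms the server is defined and alive, 'show dot1x all' confirms the global enable, and the session output shows the per-port result.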

9
MCQ · hard

An engineer is allowed to log in to a router but cannot enter configuration mode. Which AAA function most directly explains that outcome?

A. Authorization
B. Authentication
C. Accounting
D. DNS
Answer: A

This is correct because authorization determines what the authenticated user is permitted to do.

Why this answer

Authorization most directly explains the outcome. In practical terms, the user has already passed authentication because login succeeded, but the permissions assigned to that identity do not allow configuration-level actions. This is exactly the sort of role separation authorization is meant to enforce.

This is a good example of why authentication and authorization are not the same thing.

Exam trap

A common exam trap is assuming that authentication alone controls all user permissions after login. Candidates often confuse authentication with authorization, thinking that successful login means full access. However, authentication only verifies identity, while authorization determines what commands or modes the user can access.

This confusion leads to incorrect answers, especially when a user can log in but cannot enter configuration mode. Remember, authorization is the AAA function that restricts user capabilities after authentication succeeds.

Why the other options are wrong

B

Authentication is incorrect because it only verifies the user's identity to allow login; it does not control what commands or modes the user can access after login.

C

Accounting is incorrect because it only records user activity and command usage for auditing purposes and does not influence login permissions or command access.

D

DNS is incorrect because it is related to name resolution and does not control user authentication, authorization, or command permissions on network devices.

10
Drag & Drop · medium

Drag and drop the following IOS-XE CLI commands into the correct order to configure AAA with a RADIUS server and then enable 802.1X port authentication on an interface.


Why this order

AAA configuration must precede 802.1X. The order is global AAA setup, then global 802.1X enablement, followed by per-interface authentication configuration.

Exam trap

Do not confuse the order of global AAA enablement and RADIUS server definition. AAA must be enabled first. Also, remember that global 802.1X enablement comes before interface-specific commands.

11
Matching · medium

Drag and drop the AAA and 802.1X terms on the left to the correct descriptions on the right.

Concepts and matches

RADIUS: Uses UDP; encrypts only the password in the packet
TACACS+: Uses TCP; encrypts the entire packet
802.1X: Port-based authentication using EAPoL frames
Authentication server: RADIUS server that validates credentials in 802.1X
aaa new-model: Global command to enable AAA on IOS-XE

Why these pairings

RADIUS runs over UDP and hides only the User-Password attribute; TACACS+ runs over TCP port 49 and encrypts the whole packet body after the header. 802.1X is port-based network access control that carries EAP between the supplicant and the authenticator in EAPoL frames; the authenticator (switch or access point) relays the EAP exchange to the authentication server, normally a RADIUS server, which validates the credentials. 'aaa new-model' is the global IOS-XE command that turns on the AAA subsystem and makes the 'aaa authentication', 'aaa authorization' and 'aaa accounting' commands available.

Exam trap

Candidates swap the RADIUS and TACACS+ transport and encryption facts, or mix up the 802.1X roles. Remember that the supplicant is the client, the authenticator is the network device, and the authentication server validates credentials; and that 'aaa new-model' must be entered before any other 'aaa' command.

12
MCQ · medium

A network engineer successfully logs in to a router, but cannot enter configuration mode because the command is rejected by policy. Which AAA function is controlling this behavior?

A. Authentication
B. Authorization
C. Accounting
D. Encryption
Answer: B

Correct. Authorization controls what actions the user may perform.

Why this answer

Authentication confirms identity. Authorization determines which commands, privilege levels, or resources that authenticated user is permitted to access.

Exam trap

A common exam trap is confusing authentication with authorization. Candidates often think that if a user cannot enter configuration mode, it means the login failed, which is incorrect. Authentication only confirms the user's identity during login.

Once authenticated, authorization controls what commands or modes the user can access. Misunderstanding this distinction leads to incorrect answers. The question states the user successfully logged in, so the failure to enter configuration mode is due to authorization restrictions, not authentication failure.

Why the other options are wrong

A

Authentication is the process of verifying a user's identity during login. Since the engineer successfully logged in, authentication has already succeeded and is not preventing command execution.

C

Accounting records user activities and commands for auditing purposes but does not grant or deny access to commands or configuration modes, so it cannot be the cause of the command rejection.

D

Encryption protects data confidentiality during transmission but does not control user access or command permissions, so it is unrelated to the inability to enter configuration mode.

13
PBQ · hard

You are connected to R1. Configure AAA with RADIUS authentication for all login methods. The RADIUS server is at 203.0.113.10 with key 'CiscoKey123'. Then troubleshoot why the 802.1X port on interface GigabitEthernet0/1 remains in unauthorized state. The port is configured for dot1x port-control auto, but authentication fails. Ensure that the AAA authentication default method uses RADIUS first, then local fallback, and that the RADIUS server is correctly reachable and configured for authentication.

Network Topology
R1 G0/0 (192.0.2.1/30) --- link --- RADIUS Server (203.0.113.10)

Hints

  • The RADIUS server configuration is missing entirely.
  • AAA authentication method list must be defined to use RADIUS first.
  • Check that the RADIUS server is reachable via ping 203.0.113.10.
A. Configure RADIUS server with IP 203.0.113.10 and key 'CiscoKey123', then configure AAA authentication login default group radius local.
B. Change the interface port-control to 'force-authorized' to bypass authentication and bring the port up.
C. Configure AAA authentication login default local radius to use local authentication first, then RADIUS.
D. Add the command 'aaa new-model' and configure the RADIUS server with IP 203.0.113.10 and key 'CiscoKey123'.
Answer: A
Solution
! R1 ('aaa new-model' is already present in the starting configuration)
configure terminal
radius server RADIUS-SERVER
address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
key CiscoKey123
exit
aaa authentication login default group radius local
end

Why this answer

Two pieces are missing: 'aaa new-model' is present, but no RADIUS server is defined and no method list references one. To fix, define the server with a 'radius server' block carrying the address and key, then create a login method list that uses RADIUS first and falls back to local ('aaa authentication login default group radius local').

The port configuration is correct for 802.1X, but without a defined server the switch has nothing to send the supplicant's credentials to, so the port stays unauthorized. Note that port authentication is driven by the dot1x list, not the login list; a complete fix also needs 'aaa authentication dot1x default group radius'. Option D is incorrect because 'aaa new-model' plus a server definition still creates no method list; without 'aaa authentication login default group radius local', the server is never referenced for login authentication.

Exam trap

Trap: Candidates often forget that configuring a RADIUS server alone is not enough; you must also create an AAA authentication method list that references RADIUS. Additionally, the order of methods in the list matters: 'radius local' means RADIUS first, local fallback; 'local radius' means local first, which would not meet the requirement.

Why the other options are wrong

B

'force-authorized' disables 802.1X enforcement on the port and admits any device without authentication; it hides the failure instead of fixing it and violates the requirement that RADIUS authenticate users.

C

'local radius' consults the local database first, which reverses the required order of RADIUS first with local as the fallback.

D

Configuring 'aaa new-model' and a RADIUS server alone does not create an authentication method list; the AAA authentication default must explicitly reference the RADIUS server group.

14
Multi-Select · medium

Which THREE statements correctly describe the configuration of AAA with RADIUS or TACACS+ on Cisco IOS-XE?

Select 3 answers
A. RADIUS encrypts the entire packet payload, including all attributes.
B. TACACS+ encrypts the entire body of the packet but leaves the standard TCP header unencrypted.
C. TACACS+ uses UDP as its transport protocol, while RADIUS uses TCP.
D. TACACS+ separates authentication, authorization, and accounting into three distinct functions, allowing independent server configuration for each.
E. RADIUS combines authentication and authorization into a single process, meaning an access-accept packet includes both authentication success and authorization attributes.
F. When configuring 802.1X on IOS-XE, the switch acts as the authentication server and validates client credentials locally.
Answers: B, D, E

TACACS+ encrypts the entire payload (body) of the packet, ensuring confidentiality of all attributes, while the TCP header remains unencrypted for routing purposes.

Why this answer

Option B is correct: TACACS+ encrypts the entire body of the packet (including all attributes) but leaves the TCP header unencrypted. Option D is correct: TACACS+ separates authentication, authorization, and accounting into three distinct functions, allowing independent server configuration for each. Option E is correct: RADIUS combines authentication and authorization into a single process, so an access-accept packet includes both authentication success and authorization attributes.

Option A is wrong: RADIUS only encrypts the password in the Access-Request packet, not the entire payload. Option C is wrong: TACACS+ uses TCP (port 49), while RADIUS uses UDP (ports 1812/1645 for authentication, 1813/1646 for accounting). Option F is wrong: In 802.1X on IOS-XE, the switch acts as an authenticator (not the authentication server) and forwards credentials to an external RADIUS server.

Exam trap

Cisco often tests the confusion between RADIUS and TACACS+ encryption scope and transport protocols, where candidates mistakenly think RADIUS encrypts the entire payload or that TACACS+ uses UDP, when in fact RADIUS only encrypts the password and uses UDP, while TACACS+ encrypts the full body and uses TCP.

Why the other options are wrong

A

RADIUS hides only the User-Password attribute, by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865); the rest of the packet, including the username and any authorization attributes, is sent in clear text. This is a key security limitation of RADIUS compared to TACACS+, and the reason RADIUS deployments rely on a trusted management network or on RadSec (RADIUS over TLS, RFC 6614).

C

TACACS+ uses TCP (port 49) as its transport protocol, while RADIUS uses UDP (ports 1812/1813). This is a fundamental difference: TCP provides reliable, connection-oriented delivery, whereas UDP is connectionless and faster but less reliable.

F

In 802.1X, the switch acts as an authenticator (passing EAP messages between the client and the authentication server), not as the authentication server itself. The authentication server is typically a RADIUS server that validates client credentials.

15
Matching · medium

Match each AAA component or related term to its most accurate meaning.

Concepts and matches

Authentication: Verification of identity
Authorization: Determination of allowed actions
Accounting: Recording of activity or usage details
Local database: Credential store on the device used for local checks

Why these pairings

In AAA, Authentication verifies identity (who you are), Authorization determines allowed actions (what you can do), Accounting records activity for auditing. A local database stores credentials on the device for local authentication checks. These definitions directly match the pairs in the question.

Exam trap

Learners often confuse the roles of Authentication (identity), Authorization (permissions), and Accounting (logging), or mix them with AAA protocols like RADIUS or TACACS+.

16
MCQ · hard

After hardening SSH by disabling password authentication and restricting access to an ACL permitting only the management subnet 10.1.10.0/24, configuring RADIUS AAA authentication, enabling port security with a maximum of two MAC addresses on all access ports, and implementing DHCP snooping and DAI on VLAN 10, the administrator finds that users in VLAN 10 obtain DHCP addresses and access the network normally, but SSH from the management workstation (10.1.10.20) to the switch fails with timeouts.

A. The SSH ACL is misconfigured and denies port 22 from the management subnet.
B. The management workstation's IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.
C. Port security on the switch interface connected to the management workstation has learned two MAC addresses and shut down the port.
D. RADIUS AAA authentication is missing the shared secret on the switch, causing SSH login timeouts.
Answer: B

DAI validates every ARP packet that arrives on an untrusted port against the DHCP snooping binding table (and any ARP ACLs). The workstation's static address means no binding was ever learned, so DAI drops its ARP traffic and Layer 2 reachability between the workstation and the switch's VLAN 10 SVI breaks.

Why this answer

The management workstation (10.1.10.20) sits in VLAN 10, where DHCP snooping and DAI are enabled. DAI checks the sender IP and MAC of every ARP packet from an untrusted port against the DHCP snooping binding table. Because the workstation uses a static address, it never obtained a lease, so no binding exists for it.

DAI therefore drops the workstation's ARP requests and replies. The switch SVI cannot resolve the workstation's MAC address and the workstation cannot resolve the SVI's, so the TCP handshake to port 22 never completes and the SSH client reports a timeout rather than an authentication error. The fix is a static entry ('ip source binding ...'), an ARP ACL applied with 'ip arp inspection filter', or, less safely, trusting the port.

Exam trap

Cisco often tests the interaction between DAI and hosts with static addresses: DAI needs an explicit static binding or ARP ACL for non-DHCP clients, and the resulting failure appears as a timeout rather than an explicit denial.

Why the other options are wrong

A

The scenario states the ACL permits the management subnet, which includes 10.1.10.20; a plain subnet permit does not filter by port, so it cannot block port 22 from that host.

C

A port-security violation in the default shutdown mode puts the port into err-disabled and takes the workstation off the network entirely; the scenario mentions no violation or err-disabled port, and nothing suggests a second MAC address behind that interface.

D

A missing RADIUS key would break the authentication exchange only after the TCP session to port 22 is already up (the login prompt would hang or fall back to the next method), and it would affect every SSH client, not only this one host.
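The condition in question 16 and its two standard fixes, as an added example that is not part of the question bank. The workstation interface GigabitEthernet1/0/5, the uplink GigabitEthernet1/0/24 and the workstation MAC 0011.2233.4455 are assumptions; the VLAN and address come from the question.

```cisco
! Added example, not from the question bank: the state behind question 16
! and the two standard fixes. Assumed: workstation on GigabitEthernet1/0/5
! with MAC 0011.2233.4455, uplink to the DHCP server on GigabitEthernet1/0/24.
!
! Starting state: DHCP snooping and DAI on VLAN 10. Every access port is
! untrusted by default, so ARP from a host with no binding is dropped.
configure terminal
 ip dhcp snooping
 ip dhcp snooping vlan 10
 ip arp inspection vlan 10
 interface GigabitEthernet1/0/24
  ip dhcp snooping trust
  ip arp inspection trust
 exit
end
! Diagnose: the static host never took a lease, so it has no binding, and
! the per-VLAN DAI counters show its ARP being dropped.
show ip dhcp snooping binding
show ip arp inspection statistics vlan 10
show ip arp inspection interfaces
!
! Fix 1: a static binding. DAI (and IP Source Guard, if enabled) then treat
! the host exactly like a DHCP client with a lease.
configure terminal
 ip source binding 0011.2233.4455 vlan 10 10.1.10.20 interface GigabitEthernet1/0/5
end
!
! Fix 2: an ARP ACL for hosts that will never use DHCP. 'static' makes the
! ACL authoritative: a miss is dropped rather than falling through to the
! binding table, which is what you want for a dedicated management port.
configure terminal
 arp access-list STATIC-MGMT
  permit ip host 10.1.10.20 mac host 0011.2233.4455
 exit
 ip arp inspection filter STATIC-MGMT vlan 10 static
end
! Trusting the workstation's port also works, but it disables the check for
! anything plugged into that port, so prefer one of the two fixes above.
show ip arp inspection vlan 10
show ip dhcp snooping binding
```

Fix 1 is the one to reach for when IP Source Guard is also in play, since the same binding satisfies both features; fix 2 keeps the management host's ARP policy readable in one named list.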

17
Multi-Select · medium

Which TWO statements correctly describe the differences between RADIUS and TACACS+ when configuring AAA on IOS-XE?

Select 2 answers
A. RADIUS encrypts the entire packet body, while TACACS+ encrypts only the password.
B. TACACS+ uses TCP port 49, while RADIUS uses UDP ports 1812 and 1813.
C. RADIUS supports command-level authorization, whereas TACACS+ does not.
D. TACACS+ separates authentication, authorization, and accounting into distinct processes, while RADIUS combines authentication and authorization.
E. Both RADIUS and TACACS+ can be used for 802.1X port-based authentication on IOS-XE.
Answers: B, D

TACACS+ uses TCP for reliable transport on port 49, while RADIUS uses UDP (port 1812 for authentication/authorization, 1813 for accounting).

Why this answer

Options B and D are correct. TACACS+ uses TCP port 49, while RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting). TACACS+ separates authentication, authorization, and accounting into three distinct processes, whereas RADIUS combines authentication and authorization.

Option A is incorrect because TACACS+ encrypts the entire packet body, while RADIUS encrypts only the password. Option C is incorrect because TACACS+ supports command-level authorization, while RADIUS does not. Option E is incorrect because 802.1X port-based authentication uses RADIUS, not TACACS+.

Exam trap

Cisco often tests the encryption behavior (Option A) as a trap, because candidates confuse which protocol encrypts the entire packet versus just the password, and they also test the authorization granularity (Option C) to see if you know that TACACS+ supports command-level authorization while RADIUS does not.

Why the other options are wrong

A

TACACS+ encrypts the entire packet, while RADIUS encrypts only the password – the opposite of what this option states.

C

TACACS+ supports command-level authorization, whereas RADIUS does not – this option reverses the capabilities.

E

802.1X carries EAP between the supplicant and the authentication server; on IOS-XE the authenticator relays that EAP inside RADIUS (RFC 3579), and TACACS+ has no EAP transport, so it cannot serve as the 802.1X authentication server.
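The device-administration configuration that questions 14 and 17 contrast with RADIUS: TACACS+ with per-command authorization and command accounting, which RADIUS on IOS cannot provide. This is an added example, not the question bank's own; the server name ISE-TACACS, its address 192.0.2.20, the key and the local admin account are assumptions.

```cisco
! Added example, not from the question bank: the device-administration
! setup questions 14 and 17 contrast with RADIUS. TACACS+ is used because
! IOS can authorize and account for each command through it. Assumed:
! server name ISE-TACACS at 192.0.2.20, the key, the local admin account.
configure terminal
 aaa new-model
 tacacs server ISE-TACACS
  address ipv4 192.0.2.20
  key Tacacs-Secret-1
  timeout 5
 exit
 ! Keep a local admin so a dead TACACS+ server cannot lock you out
 username admin privilege 15 secret adminpass
 ! Login and EXEC-shell authorization: TACACS+ first, local if it is down
 aaa authentication login default group tacacs+ local
 aaa authorization exec default group tacacs+ local
 ! Per-command authorization: each level-1 and level-15 command is sent to
 ! the server before IOS runs it. If the server is unreachable,
 ! 'if-authenticated' lets an already-authenticated user continue.
 aaa authorization commands 1 default group tacacs+ if-authenticated
 aaa authorization commands 15 default group tacacs+ if-authenticated
 aaa authorization config-commands
 ! Separate accounting streams: one per EXEC session, one per command
 aaa accounting exec default start-stop group tacacs+
 aaa accounting commands 15 default stop-only group tacacs+
 line vty 0 4
  transport input ssh
  authorization exec default
  authorization commands 15 default
  accounting exec default
  accounting commands 15 default
 exit
end
! Verify the TCP/49 session and watch a command being authorized
show tacacs
debug aaa authorization
test aaa group tacacs+ admin adminpass legacy
```

The separation the questions describe is visible here: authentication, EXEC authorization, per-command authorization and accounting are four independent method lists, each of which could point at a different server group.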

18
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

The correct order begins by entering global configuration mode, then configuring the RADIUS server host and key before enabling AAA globally. The server definition does not depend on 'aaa new-model', but the method list that references the server does, so define the server, enable AAA, then create the 'aaa authentication dot1x default group radius' list. After that, enter interface configuration mode, enable 802.1X port authentication on the port (802.1X always uses the default list, so there is no list to apply per interface), and finally verify with 'show dot1x interface'.

Exam trap

A common mistake is entering the 'aaa authentication dot1x' list before 'aaa new-model' (it is rejected) or before any RADIUS server exists (it is accepted, but has no server to send requests to). Define the server, enable AAA, then build the list that references it.

19
PBQ · hard

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2 using key 'cisco123' for authentication. Then troubleshoot why 802.1X on interface GigabitEthernet0/1 remains in unauthorized state. Ensure that the default login authentication uses RADIUS first, then local fallback, and fix any configuration issues that prevent 802.1X from working.

Network Topology
R1 G0/0 (10.0.0.1/30) --- link --- RADIUS Server (10.0.0.2/30); R1 G0/1 --- link --- Client PC

Hints

  • Check the AAA authentication method for dot1x — it currently uses 'local' but no local users exist.
  • The default login authentication also uses 'local' — you need to add RADIUS as primary method.
  • Ensure the RADIUS server's IP and key are correct — but the issue is the authentication method list, not connectivity.
A. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default group radius local' and ensure the RADIUS server is reachable with the correct key.
B. Configure 'aaa authentication dot1x default local' and 'aaa authentication login default local' and create a local user with the same credentials as the RADIUS server.
C. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default local' and ensure the RADIUS server key is 'cisco123'.
D. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default group radius local' and change the RADIUS server key to 'cisco'.
Answer: A
Solution
! R1
configure terminal
aaa authentication login default group radius local
aaa authentication dot1x default group radius
end
write memory

Why this answer

The 802.1X port is stuck in UNAUTHORIZED because AAA authentication for dot1x is set to 'local' but there is no local user database configured. Additionally, the RADIUS server is configured but not used for dot1x or login. The fix is to change 'aaa authentication dot1x default' to use group radius, and 'aaa authentication login default' to group radius local for fallback.

Also ensure the RADIUS server is reachable and the key matches the server.

Exam trap

Candidates often forget that 802.1X requires a RADIUS server for authentication, not local, and that the login authentication method list must also be configured correctly. They may also overlook the need for the RADIUS key to match exactly.

Why the other options are wrong

B

The specific factual error is that 802.1X should use RADIUS for authentication, not local, and the login default should have RADIUS as the primary method.

C

The specific factual error is that the login default should be 'group radius local' to meet the requirement of RADIUS first then local fallback.

D

The specific factual error is that the key must match exactly; changing it to 'cisco' would break communication with the RADIUS server.

20
Multi-Selecthard

Which two statements about AAA on Cisco devices are correct? Choose two.

Select 2 answers
A.Authentication verifies identity
B.Authorization determines what an authenticated user is allowed to do
C.Accounting replaces the need for local usernames entirely
D.AAA can only be used with RADIUS and not TACACS+
AnswersA, B

Authentication answers who the user is.

Why this answer

AAA breaks access control into authentication, authorization, and accounting. TACACS+ is commonly preferred for device administration because it separates all three functions and encrypts the full payload.

Exam trap

A common exam trap is assuming that accounting replaces the need for local usernames or authentication sources. Accounting only logs user activities and does not authenticate or authorize users. Another frequent mistake is believing AAA supports only RADIUS and not TACACS+.

Cisco AAA supports both protocols, with TACACS+ often preferred for device administration due to its full payload encryption and separation of AAA functions. Misunderstanding these roles can lead to incorrect answer choices and confusion during the exam.

Why the other options are wrong

C

Option C is incorrect because accounting only logs user activities and does not replace the need for local usernames or authentication sources on Cisco devices.

D

Option D is incorrect as AAA supports both RADIUS and TACACS+ protocols; it is not limited to RADIUS, and TACACS+ is commonly used for device administration.

21
PBQhard

You are connected to R1, a router acting as a network access server for 802.1X authentication on interface GigabitEthernet0/1. Configure AAA with a RADIUS server at 192.0.2.10 (key 'cisco123') so that the default login authentication uses RADIUS first, then local fallback. Additionally, troubleshoot why a connected supplicant on G0/1 remains in the unauthorized state even though RADIUS is reachable and the supplicant credentials are correct.

Hints

  • Check if AAA is enabled globally.
  • The RADIUS server configuration must include the correct IP address and shared secret.
  • The default authentication list must specify RADIUS first, then local fallback.
A.Enable AAA with 'aaa new-model', configure RADIUS server 'RADIUS_SERVER' with key 'cisco123', and apply 'aaa authentication login default group radius local'.
B.Configure 'aaa authentication login default local' and add the RADIUS server with 'radius-server host 192.0.2.10 key cisco123'.
C.Enable AAA with 'aaa new-model' and configure 'aaa authentication login default group radius' without local fallback.
D.Configure 'aaa new-model', then apply 'dot1x system-auth-control' and 'aaa authentication dot1x default group radius'.
AnswerA
solution
! R1
configure terminal
aaa new-model
radius server RADIUS_SERVER
address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
key cisco123
aaa authentication login default group radius local
end
write memory

Why this answer

The problem is that AAA is not enabled (no aaa new-model) and no RADIUS server is configured; thus the 802.1X authentication fails because the router does not know how to communicate with the RADIUS server. The fix requires enabling AAA with 'aaa new-model', configuring the RADIUS server with 'radius server RADIUS_SERVER' and its key, then applying a default authentication list that uses RADIUS with local fallback via 'aaa authentication login default group radius local'. After these commands, the port should transition to authorized state for valid credentials.

Exam trap

The exam trap is confusing the different AAA authentication types: 'login' for management access (console, SSH, etc.) versus 'dot1x' for port-based network access control. Also, ensure that the RADIUS server is referenced in the authentication list; simply configuring the server does not make it active.

Why the other options are wrong

B

The specific factual error is that the authentication list must include 'group radius' to use RADIUS; 'local' alone bypasses RADIUS.

C

The specific factual error is omitting 'local' from the authentication list, which violates the requirement for fallback.

D

The specific factual error is confusing 'aaa authentication login' with 'aaa authentication dot1x'. They serve different purposes.

22
Multi-Selectmedium

Which TWO statements correctly describe the configuration and verification of AAA with RADIUS/TACACS+ and 802.1X port-based authentication on IOS-XE?

Select 2 answers
A.The switch port must be configured as an access port and the command 'authentication port-control auto' must be applied.
B.AAA authentication for 802.1X must be configured using TACACS+ as the protocol of choice.
C.The global command 'aaa new-model' is sufficient to enable 802.1X on all interfaces.
D.RADIUS is the recommended protocol for 802.1X authentication because it supports EAP and is widely used in network access control.
E.802.1X can be configured on a trunk port to authenticate multiple VLANs simultaneously.
AnswersA, D

This is correct because 802.1X requires the port to be an access port and the 'auto' setting places the port in the unauthorized state initially, triggering the authentication process.

Why this answer

Option A is correct because 802.1X requires the switch port to be an access port (not trunk or dynamic) and the 'authentication port-control auto' command enables EAPoL-based authentication. Option D is correct because RADIUS is the recommended protocol for 802.1X; it natively supports EAP extensions and is widely used for network access control, whereas TACACS+ does not support EAP and is more suited for device administration. Option B is false because AAA authentication for 802.1X should use RADIUS, not TACACS+.

Option C is false because 'aaa new-model' only activates the AAA framework; 802.1X requires additional global commands like 'dot1x system-auth-control' and per-interface configuration. Option E is false because 802.1X is typically configured on access ports and cannot be used on trunk ports to authenticate multiple VLANs; the port must be in access mode.

Exam trap

Cisco often tests the misconception that 'aaa new-model' alone enables all AAA features, including 802.1X, when in fact it only activates the AAA framework and separate interface-level commands are required.

Why the other options are wrong

B

TACACS+ encrypts only the password and is designed for device administration, not for 802.1X authentication which requires EAP support—RADIUS is the correct choice.

C

The global command 'aaa new-model' enables the AAA architecture but does not automatically enable 802.1X on interfaces; additional commands like 'dot1x system-auth-control' and per-interface 'authentication port-control auto' are needed.

E

802.1X requires the switch port to be in access mode, not trunk mode; trunk ports do not support 802.1X because multiple VLANs would conflict with the authentication process.

23
MCQhard

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch port connected to a single PC. The port is in the 'authorized' state, but the PC cannot reach any network resources beyond its directly connected switch. The switch is configured to use RADIUS for authentication. What is the most likely cause of this issue?

A.The switchport is in access mode and not trunking, so the PC cannot reach other VLANs.
B.The RADIUS server is not returning a VLAN assignment, so the port remains in the default VLAN, but the PC needs to be in a different VLAN to reach resources.
C.The switch is not configured with 'aaa new-model' and therefore AAA is not enabled.
D.The PC is not configured for 802.1X supplicant, so it cannot authenticate properly.
AnswerB

The 'show authentication sessions' output does not show a VLAN assigned, meaning the RADIUS server did not include the VLAN attribute. The switch uses the configured access VLAN (10) by default. If the PC needs to be in a different VLAN to reach resources, this is the root cause.

Why this answer

The RADIUS server can return a VLAN assignment as part of the Access-Accept message (via RADIUS attribute 64 or 81). If the server does not send a VLAN, the port remains in the configured access VLAN (often VLAN 1). If the PC needs to be in a different VLAN to reach network resources, it will be isolated even though 802.1X authentication succeeded and the port is authorized.

Exam trap

Cisco often tests the distinction between authentication success and post-authentication authorization, tricking candidates into thinking that a successful 802.1X authentication automatically grants full network access, when in fact the RADIUS server must also return the correct VLAN assignment.

Why the other options are wrong

A

Access mode is correct for a single PC; trunking is not needed for basic connectivity.

C

AAA is functioning, as evidenced by successful authentication.

D

The port status is 'Authorized', indicating successful authentication.

24
Multi-Selectmedium

Which three of the following are security best practices for implementing AAA on a Cisco router? (Choose three.)

Select 3 answers
A.Use a local username database as a fallback method if the AAA server is unreachable.
B.Enable AAA new-model before configuring any AAA methods.
C.Configure TACACS+ for detailed command authorization and accounting.
D.Set the authentication login method to 'none' for console access.
E.Use RADIUS for command-level authorization.
F.Disable the enable secret password when using AAA servers.
AnswersA, B, C

Why this answer

Using a local username database as a fallback method ensures that if the AAA server becomes unreachable, administrators can still authenticate via the router's local accounts. This is a standard best practice to prevent lockout. Enabling 'aaa new-model' is mandatory before any AAA configuration, as it activates the AAA subsystem on the router.

TACACS+ is the preferred protocol for command authorization and accounting because it encrypts the entire packet and supports per-command authorization, unlike RADIUS which only encrypts the password.

Exam trap

Cisco often tests the misconception that RADIUS can be used for command authorization, but the trap is that RADIUS only supports authentication and accounting for network access, not the granular command-level control that TACACS+ provides.

25
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.

Why this order

First enter global config, then define the RADIUS server, then configure AAA authentication, then enable 802.1X globally, and finally apply per-interface 802.1X settings.

Exam trap

Do not confuse the order: the RADIUS server must be defined before AAA authentication, and AAA must be configured before enabling 802.1X globally. A common trap is to enable 802.1X too early.

26
Matchingmedium

Drag and drop the AAA terms on the left to their correct definitions on the right.

Matches

  • Verifies the identity of a user or device before granting access.
  • Determines what resources or services a user is allowed to access.
  • Tracks and logs user activities, such as login time and commands executed.
  • A Cisco proprietary protocol that separates authentication, authorization, and accounting.
  • An open standard protocol that combines authentication and authorization in one packet.

Why these pairings

AAA components: Authentication verifies identity, Authorization controls access, Accounting logs activities. RADIUS is an open standard that combines authentication and authorization, while TACACS+ is a Cisco proprietary protocol that separates all three functions.

Exam trap

Do not confuse the AAA components with the protocols used to implement them. The question asks for the definition of Authentication, not for a protocol like RADIUS or TACACS+. Also, ensure you distinguish between Authentication (identity) and Authorization (permissions).

27
PBQhard

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2/30 (key 'cisco123') so that console and VTY login use RADIUS first, then local authentication. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on R1 is stuck in the unauthorized state. The RADIUS server is reachable but authentication fails. Verify using 'show aaa servers' and 'show dot1x interface GigabitEthernet0/1 details'.

Network Topology
Topology (from figure): R1 G0/0 (10.0.0.1/30) is linked to the RADIUS Server (10.0.0.2/30).

Hints

  • Check the RADIUS server's shared key configuration.
  • The key 'cisco123' might be incorrect; verify with the server administrator.
  • Use 'debug radius authentication' to see authentication failures.
A.Configure 'aaa authentication login default group RADIUS local' and correct the RADIUS server key to match the actual server key.
B.Configure 'aaa authentication login default group radius local' and verify the RADIUS server IP address is correct.
C.Configure 'aaa authentication login default group radius local' and enable 802.1X globally with 'dot1x system-auth-control'.
D.Configure 'aaa authentication login default local' and remove the RADIUS server configuration.
AnswerA
solution
! R1
configure terminal
radius server RADIUS
key correctkey
end

Why this answer

The RADIUS server is reachable but AAA and 802.1X authentication fail because the pre-shared key on R1 does not match the server's actual key. The correct repair is to first apply 'aaa authentication login default group RADIUS local' to correctly reference the RADIUS server by its name, then set the matching key under 'radius server RADIUS'. Once the key matches, the switch port will transition to authorized state.

Exam trap

Do not assume reachability equals authentication success; always verify the shared key matches. Also, when using new-style RADIUS server configuration, the AAA method must use the server name directly (not the generic 'radius' group) unless a custom server group is defined.

Why the other options are wrong

B

Verifying the IP address is redundant because the server is already reachable; the root cause is a mismatched shared key.

C

Enabling 802.1X globally will not fix a key mismatch and is not the reason for the port remaining unauthorized when RADIUS is reachable.

D

Using only local authentication removes the required RADIUS-first method and does not resolve the key issue.

28
PBQhard

You are connected to R1. Configure AAA with RADIUS authentication on R1 so that SSH login attempts first contact the RADIUS server at 192.0.2.10 (key 'cisco123'), and if the server is unreachable, fall back to the local database. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on a connected switch remains in the 'unauthorized' state despite RADIUS being functional; identify and fix the misconfiguration on the switch (SW1).

Network Topology
Topology (from figure): R1 G0/0 (192.0.2.1/24) connects to SW1; the Client connects to SW1 G0/1.

Hints

  • Check if the switch has 'aaa new-model' enabled.
  • The switch needs a RADIUS server definition and an authentication method list for dot1x.
  • The 'aaa authentication dot1x default group radius' command is missing.
A.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
B.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
C.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
D.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto'.
AnswerA
solution
! R1


! SW1
configure terminal
aaa new-model
radius server RADIUS
address ipv4 192.0.2.10
key cisco123
aaa authentication dot1x default group radius
end
write memory

Why this answer

The correct answer is Option A. For R1, the 'aaa authentication login default group radius local' command ensures that SSH login attempts first contact the RADIUS server at 192.0.2.10 and fall back to the local database if the server is unreachable. Options that omit the 'local' keyword (C) lack this fallback, making them incorrect.

Option B incorrectly uses 'aaa authentication login' on the switch for 802.1X; the correct command is 'aaa authentication dot1x'. On SW1, all wrong options (B, C, D) are missing the 'dot1x pae authenticator' command under the interface, which is required for the switch to explicitly act as an 802.1X authenticator (though some IOS versions auto-assume it, Cisco CCNA expects explicit configuration). Option D also lacks 'dot1x pae authenticator', leaving the port in unauthorized state.

Only Option A includes all necessary commands: correct RADIUS server definitions, proper AAA authentication lists for both login and dot1x, global 'dot1x system-auth-control', and the interface-level commands 'authentication port-control auto' and 'dot1x pae authenticator'.

Exam trap

Do not confuse 'aaa authentication login' (for device access) with 'aaa authentication dot1x' (for network access); also, the 'dot1x pae authenticator' command is often required to explicitly set the port to authenticator role — omitting it can leave the port unauthorized even if other 802.1X commands are present.

Why the other options are wrong

B

Uses 'aaa authentication login' on the switch instead of 'aaa authentication dot1x', which does not enable RADIUS authentication for 802.1X.

C

On R1, the login authentication list omits 'local', so there is no fallback to the local database if the RADIUS server is unreachable.

D

Missing the 'dot1x pae authenticator' command under GigabitEthernet0/1, which is necessary for the switch to function as an 802.1X authenticator.
