200-301 · topic practice

AAA practice questions

Practise CCNA 200-301 v2 AAA practice questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security

What the exam tests

What to know about AAA

AAA questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common AAA exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

AAA questions

18 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A switchport is configured for 802.1X authentication. What is the usual role of the RADIUS server in that design?

Question 2 · medium · matching

Drag and drop the AAA terms on the left to their correct definitions on the right.

Question 3 · medium · multiple choice

A network administrator wants to secure remote CLI access to a Cisco router, moving beyond simple username/password authentication. Which approach best achieves this goal?

Question 4 · hard · multiple choice

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch for a new access port connected to a user workstation. The workstation is failing to gain network access. The switch port is in the 'authorized' state, but the workstation cannot ping the default gateway. The administrator checks the running configuration and the authentication session details. What is the most likely cause of the issue?

Exhibit

Switch# show running-config interface GigabitEthernet1/0/1
Building configuration...

Current configuration : 250 bytes
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
end

Switch# show authentication sessions interface GigabitEthernet1/0/1 details
            Interface:  GigabitEthernet1/0/1
          MAC Address:  aaaa.bbbb.cccc
           IP Address:  192.168.10.25
            User-Name:  host/workstation
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Session timeout:  3600s
    Common Session ID:  0A1B2C3D4E5F6G7H8I9J0K
      Acct Session ID:  0x00000001
               Handle:  0x00000001
Runnable methods list:
       Method   State
       dot1x    Authz Success

Switch# show dot1x all details
Sysauthcontrol                 ENABLED
Dot1x Protocol Version                3

Supplicant aaaa.bbbb.cccc, GigabitEthernet1/0/1
  PAE = AUTHENTICATOR
  quietPeriod = 60
  serverTimeout = 30
  maxReq = 2
  reAuthMax = 2
  allowAuthOn = [all]
  startPeriod = 30
  handshakePeriod = 15
  txPeriod = 3
  guestVlan = 999
  authVlan = 100
  criticalVlan = 200
  hostMode = SINGLE_HOST
  port-control = AUTO
  control-direction = BOTH
  host-auth = [success]
  re-authentication = ENABLED
  re-authperiod = 3600
  server-timeout = 30
  supp-timeout = 30
  server-retries = 2
  supp-retries = 2
  max-reauth-req = 2
  lastrx = 0
  cap = 0
  status = AUTHORIZED
  state = HELD
  backend-state = HELD
  method = dot1x
  timeout = 30

Question 5 · hard · multiple choice

A client connects to an employee WLAN using 802.1X authentication. The authentication process completes successfully, but the client fails to obtain an IP address via DHCP. What is the most likely cause?

Exhibit

Client observations:
- Joined SSID: Corp-Employee
- Authentication: success
- Assigned IP: 10.90.200.44/24
Expected employee subnet: 10.90.10.0/24
Observed guest subnet: 10.90.200.0/24

Question 6 · medium · matching

Match each security control or idea to its most accurate purpose.

Question 7 · medium · matching

Match each management or monitoring concept to its most accurate role.

Question 8 · easy · multiple choice

Why is Telnet generally discouraged for network device administration?

Question 9 · hard · multiple choice

An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?

Question 10 · hard · Scenario

You are connected to R1, a router acting as a network access server for 802.1X authentication on interface GigabitEthernet0/1. Configure AAA with a RADIUS server at 192.0.2.10 (key 'cisco123') so that the default login authentication uses RADIUS first, then local fallback. Additionally, troubleshoot why a connected supplicant on G0/1 remains in the unauthorized state even though RADIUS is reachable and the supplicant credentials are correct.

Exhibit

R1# show running-config | section aaa
no aaa new-model
!
R1# show running-config | section radius
!
R1# show running-config interface GigabitEthernet0/1
interface GigabitEthernet0/1
 description 802.1X port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
  MAC Address: aaaa.bbbb.cccc
  IP Address: unknown
  Status: Unauthorized
  Domain: DATA
  Oper host mode: single-host
  Oper control dir: both
  Session timeout: N/A
  Common Session ID: 0A0000010000000100000001
  Acct Session ID: 0x00000001
  Handle: 0x51000001

R1# test aaa group radius legacy aaaa.bbbb.cccc password cisco123
Trying to authenticate with server group radius
User authentication request was rejected by server

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     203.0.113.1     YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
Loopback0              10.10.10.1      YES NVRAM  up                    up

You are connected to R1. The link between R1 and R2 is experiencing intermittent connectivity and poor performance. Review the provided show interface output to identify the root cause(s) of the issue, then apply the necessary configuration changes to resolve the problem and restore full connectivity.

Output from R1:

```
GigabitEthernet0/0 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is aaaa.bbbb.cccc (bia aaaa.bbbb.cccc)
  Internet address is 192.168.1.1/30
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, link type is auto, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:01:23
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     150 packets input, 1500 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     150 input errors, 150 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     200 packets output, 2000 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
```

Exhibit

R1# show interfaces GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is ISR4321-2x1GE, address is aabb.cc00.0100 (bia aabb.cc00.0100)
  Internet address is 192.168.1.1/30
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:01:23
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     512 packets input, 51200 bytes, 0 no buffer
     Received 512 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     150 input errors, 150 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     512 packets output, 51200 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Question 12 · hard · Scenario

You are connected to R1. Configure AAA with RADIUS server at 192.0.2.10 (key = Cisco123) so that console login uses local authentication as fallback. Then troubleshoot why a host connected to R1's GigabitEthernet0/1 (802.1X enabled) remains in unauthorized state. The RADIUS server is reachable. Fix the issue so the port authorizes successfully.

Exhibit

R1# show running-config | section aaa|radius|dot1x|interface GigabitEthernet0/1
aaa new-model
aaa authentication login default group radius local
radius server RADIUS_SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key Cisco123
!
interface GigabitEthernet0/1
 description 802.1X Port
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
MAC Address: 0050.7966.6800
IP Address: Unknown
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000010000000B00000001
Acct Session ID: 0x00000001
Handle: 0x81000001

R1# ping 192.0.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

R1# show radius server-group

Server group radius: not defined

Question 13 · medium · multiple choice

Exhibit: Users report that they can see the corporate SSID but fail authentication immediately after entering credentials. Guest wireless works on the same access point. Which issue is most likely?

Exhibit

WLAN Corp uses WPA2-Enterprise
WLAN Guest uses WPA2-PSK
AP joined to WLC successfully
Recent event: AAA server unreachable

Question 14 · hard · Scenario

You are connected to R1. Configure AAA with RADIUS authentication so that SSH users are authenticated first against the RADIUS server (198.51.100.10) and fall back to the local user database if the server is unreachable. Additionally, troubleshoot why an 802.1X-enabled interface (GigabitEthernet0/1) remains in the unauthorized state. The RADIUS server shares a key of 'cisco123' and uses UDP port 1812. The local user 'admin' with secret 'adminpass' must be available as a fallback.

Exhibit

R1# show running-config | section aaa|radius|interface|line|username
username admin secret 5 $1$abc$defghijklmnopqrstuvwxyz12345
!
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
!
radius server RADIUS
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
line vty 0 4
 login authentication default
 transport input ssh
!
end

R1# show dot1x interface GigabitEthernet0/1 details
Dot1x Info for GigabitEthernet0/1
-----------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
PortStatus                = UNAUTHORIZED
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
AuthPeriod                = 30

R1# show radius server-group all
Server group radius
  Type: Standard
  Member servers: RADIUS
  VRF: default

R1# show radius server RADIUS
Radius server: RADIUS
  Address: 198.51.100.10
  Auth Port: 1812
  Acct Port: 1813
  Timeout: 5 seconds
  Retransmit: 3
  Key: cisco123
  State: current UP
  Dead: 0
  Authentication: 0 requests, 0 timeouts, 0 failures
  Accounting: 0 requests, 0 timeouts, 0 failures

Question 15 · medium · drag order

Drag and drop the following steps into the correct order to configure a secure Cisco switch, from enabling secure management access to implementing advanced dynamic ARP inspection.

Question 16 · easy · multiple choice

In AAA, which function determines what an authenticated user is allowed to do after login?

Question 17 · hard · multiple choice

Refer to the exhibit. A network engineer notices that a user connected to GigabitEthernet0/5 cannot access the network. The engineer issues the show port-security interface GigabitEthernet0/5 command. Based on the output, what is the most likely cause of the issue?

Exhibit

SW1# show port-security interface GigabitEthernet0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : aaaa.bbbb.cccc:10
Security Violation Count   : 3

Question 18 · medium · drag order

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on an IOS-XE switch.

Frequently asked questions

What does the 200-301 exam test about AAA?
AAA questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong; this active recall approach builds retention far faster than re-reading notes.

Can I practise just AAA questions in a focused session?
Yes. The session launcher on this page draws every question from the AAA domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other 200-301 topics?
Use the topic links above to move to related areas, or go back to the 200-301 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-301 exam covers. They are not copied from any real exam or dump site.