Question 754 of 2,015
Security · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is the missing 'aaa authentication enable default' command, which causes the device to skip authentication when entering enable mode and leaves privilege 15 users unconstrained by command authorization. Without this command, the router or switch does not require TACACS+ to verify the user’s right to escalate privileges, so after SSH login—where 'aaa authorization exec' may already place the user at privilege 15—they are granted full access without a password prompt. Furthermore, since 'aaa authorization commands 15' only applies to users already at that level, any command issued at privilege 15, including restricted 'debug' commands, bypasses per-role enforcement. On the ENCOR 350-401 exam, this scenario tests your understanding of the AAA authentication and authorization flow, specifically how 'enable' authentication is a separate step from login authentication. A common trap is assuming that 'aaa authorization exec' alone controls privilege escalation, but it only sets the initial privilege level; the enable password challenge is governed solely by the 'aaa authentication enable' command. Memory tip: think of "enable" as a door—without the authentication command, the door is always open.

CCNP Security Practice Question

This 350-401 practice question tests your understanding of security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A medium-sized enterprise is migrating to a Cisco DNA Center-managed network. The security policy requires that all administrative access to network devices be authenticated via TACACS+ and that authorization for commands be enforced per user role. The network team has configured ISE as the AAA server and integrated it with DNA Center. After configuration, engineers report that they can log in to devices via SSH but are not prompted for a password when entering 'enable' mode; instead, they are granted full privileges immediately. Additionally, while in configuration mode, some engineers can issue 'debug' commands that they should not have access to. The configuration on the devices includes 'aaa new-model', 'aaa authentication login default group tacacs+ local', 'aaa authorization exec default group tacacs+ local', and 'aaa authorization commands 15 default group tacacs+ local'. What is the most likely cause of the privilege escalation and missing authorization?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

  • Clue: "immediately / without restart"

    Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.


Correct answer & explanation

The 'aaa authentication enable default' command is missing, so the device is not requiring authentication to enter enable mode, and command authorization is not being enforced because the user is already at privilege 15.

The missing 'aaa authentication enable default group tacacs+ local' command means the device does not require TACACS+ authentication to enter enable mode. Since the user is already at privilege level 15 after login (due to the 'aaa authorization exec' command or local user configuration), they are not prompted for a password and are granted full privileges immediately. Additionally, command authorization is only configured for privilege level 15 ('aaa authorization commands 15'), so once the user is at level 15, no further authorization checks are performed for commands like 'debug', bypassing the intended per-role enforcement.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The TACACS+ server is not reachable, so the device is using local authentication, but the local database has all users at privilege level 15.

    Why it's wrong here

    If TACACS+ were unreachable, local authentication would still prompt for the enable password if one were configured, but it is not.

  • The 'aaa authentication enable default' command is missing, so the device is not requiring authentication to enter enable mode, and command authorization is not being enforced because the user is already at privilege 15.

    Why this is correct

    Correct: without enable authentication, users can enter enable mode without a password; command authorization for level 15 may not be triggered if the user is already at level 15.

    Clue confirmation

    The clue words "most likely", "immediately / without restart" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Command authorization is only configured for privilege level 15, but users are logging in at level 1; they need 'aaa authorization commands 1 default' as well.

    Why it's wrong here

    Command authorization for level 15 should still apply if the user enters enable mode; the missing enable authentication is the root cause.

  • The 'privilege level' command is set to 15 on the VTY lines, bypassing AAA authorization.

    Why it's wrong here

    Privilege level on VTY does not bypass enable authentication.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between authentication (who you are) and authorization (what you can do), and the trap here is that candidates assume 'aaa authorization commands 15' alone enforces command restrictions, but they overlook that without 'aaa authentication enable', users may already be at privilege 15, making command authorization ineffective.

Trap categories for this question

  • Command / output trap

    Command authorization for level 15 should still apply if the user enters enable mode; the missing enable authentication is the root cause.

Detailed technical explanation

How to think about this question

In Cisco IOS, 'aaa authorization commands 15' only triggers authorization for commands at privilege level 15 when the user is at that level; if the user is already at level 15 (e.g., via 'aaa authorization exec' or local user privilege), the device assumes the user has full rights and does not re-check authorization for each command. The 'aaa authentication enable' command is required to force a TACACS+ authentication challenge when a user attempts to escalate from a lower privilege level to enable mode; without it, the device grants enable access automatically if the user's current privilege level is already 15 or if no authentication method is defined.
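As an added illustration that is not part of the original question page, the device configuration the scenario describes is shown beside a corrected version that adds the missing enable method list. The TACACS+ server name, address, key and the test username/password are placeholders.

```cisco
! --- Configuration as described in the scenario (reconstructed from the question text) ---
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! No 'aaa authentication enable default' line: entering enable mode is never
! challenged against TACACS+, and a user already placed at privilege 15 by
! exec authorization is not re-checked before issuing level-15 commands.

! --- Corrected configuration: the enable step gets its own method list ---
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER-SHARED-SECRET
!
! Verification: both authentication lists (login and enable) must be present.
show running-config | include ^aaa authentication
!
! Verification: confirm the device can authenticate a test account against ISE
! before relying on the new enable list (placeholder credentials).
test aaa group tacacs+ PLACEHOLDER-USER PLACEHOLDER-PASS legacy
```

If the `show running-config` filter returns only the login list, the enable challenge is still governed by the default behaviour the explanation above describes rather than by TACACS+.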

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A junior network technician can log in to a core router but cannot reach the enable prompt or configuration mode. The AAA server is authenticating the login — but the authorisation policy only grants privilege level 1, not 15. Authentication (who you are) is working; authorisation (what you can do) is not.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 11, 2026
