CCNA AAA / RADIUS / TACACS+ Questions

58 questions · AAA / RADIUS / TACACS+ topic · All types, answers revealed

1
MCQ · medium

A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?

A. The router's SSH service is not enabled.
B. The RADIUS server is rejecting the authentication because the user is not defined on the server, and the 'local' fallback only applies if the server is unreachable.
C. The 'aaa new-model' command must be followed by an 'aaa authentication login default local' command to use local authentication.
D. The router's VTY lines are not configured to use the default authentication list.
Answer: B

Correct because the 'group radius local' method list tries RADIUS first; if RADIUS answers with an Access-Reject, the router treats that as a final decision and does not fall back to local. The fallback only occurs if no RADIUS server in the group responds (timeout).

Why this answer

The key distinction is between a RADIUS server that does not respond and one that responds with Access-Reject. In a method list such as 'group radius local', the next method is consulted only when every server in the group times out; a reject is a definitive answer and the attempt ends there, even if a matching user exists in the local database. Since the server is reachable and the shared secret is correct, the reject itself is the problem: the account is not actually defined (or not enabled) on the RADIUS server, or a server-side policy rejects it for this device or service type. Two quick checks from the router: 'test aaa group radius <user> <password> new-code' reproduces the request without going through SSH, and 'debug radius' shows whether an Access-Reject or a timeout is coming back.

2
Drag & Drop · medium

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.

Why this order

When a method list specifies RADIUS then local, the device first attempts RADIUS authentication against the servers in the group, in the configured order. If a server does not respond within the configured timeout and retransmit count, the next server is tried; if every server in the group fails to respond, the device falls back to the next method in the list, local authentication against the local username database. An Access-Reject from any server is a final answer and does not trigger the fallback.

3
Drag & Drop · medium

Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.

Why this order

RADIUS CoA (RFC 5176) allows a RADIUS server to change the authorization of a session that is already active, for example to move an 802.1X client to a quarantine VLAN, instead of waiting for the next reauthentication. The server sends a CoA-Request to the network access device (NAD), which identifies the session from the attributes carried (Acct-Session-Id, Calling-Station-Id, and so on), validates the request against the shared key of a configured dynamic-authorization client, applies the change, and responds with a CoA-ACK or CoA-NAK. On Cisco IOS the NAD must explicitly allow the server under 'aaa server radius dynamic-author' with a 'client <ip> server-key <key>' entry; CoA runs over UDP, port 3799 per the RFC (IOS listens on 1700 unless the port is changed). Because CoA can disconnect or re-authorize sessions, the CoA listener should be reachable only from the AAA servers.

4
MCQ · easy

What is the default port used by TACACS+ for communication?

A. 49
B. 1812
C. 1645
D. 389
Answer: A

Correct. TACACS+ uses TCP port 49.

Why this answer

TACACS+ uses TCP port 49 by default. This is a well-known port assigned to TACACS+.

5
Matching · medium

Drag and drop each AAA method list on the left to its correct fallback order on the right.

Matches

local case (no server defined): local

RADIUS then local

TACACS+ then local

local (no fallback)

none (no authentication required)

Why these pairings

Method lists define the order in which authentication sources are tried. 'group radius local' and 'group tacacs+ local' consult the local database only when no server in the group responds; 'local' on its own has no fallback, so losing the local account locks you out of that line; 'none' grants access without any authentication and belongs, if anywhere, only on a physically protected console list, never on VTY lines.

6
Matching · medium

Drag and drop each protocol on the left to its matching characteristic on the right.

Matches

Uses UDP transport

Uses TCP transport

Why these pairings

RADIUS uses UDP, hides only the User-Password attribute (every other attribute, including User-Name, is cleartext), and combines authentication and authorization in a single Access-Request/Access-Accept exchange. TACACS+ uses TCP, obfuscates the entire packet body after the 12-byte header, and separates authentication, authorization, and accounting into independent exchanges.

7
Multi-Select · medium

Which three statements about RADIUS server configuration and operation are true? (Choose three.)

Select 3 answers
A. The default UDP port for RADIUS authentication is 1812.
B. The shared secret configured on the Cisco device must match the shared secret on the RADIUS server.
C. The 'radius-server host' command can include an optional 'key' parameter to specify the shared secret.
D. RADIUS uses TCP to ensure reliable delivery of authentication packets.
E. If no port is specified, RADIUS uses port 1645 for authentication by default.
Answers: A, B, C

Correct because IANA assigned port 1812 for RADIUS authentication.

Why this answer

RADIUS servers are configured with an IP address, a shared secret, and UDP ports. The IANA-assigned ports are 1812 for authentication and 1813 for accounting; the shared secret must match on both client and server.

The 'radius-server host' command can specify the key, as in 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. Two caveats matter in practice. First, on Cisco IOS the legacy 'radius-server host' form defaults to the older ports 1645/1646 unless 'auth-port' and 'acct-port' are given (the newer 'radius server <name>' block defaults to 1812/1813), which is why option E is a trap: it describes real behaviour of that legacy command, but the protocol's standard port is 1812. Set the ports explicitly and confirm them with 'show aaa servers'. Second, the shared secret is never transmitted: it is used to hide the User-Password attribute (XOR with an MD5 stream derived from the secret and the Request Authenticator) and to compute the Response Authenticator. All other attributes travel in cleartext, so RADIUS should run on a protected management network or over TLS.

8
MCQ · medium

Consider this AAA configuration:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default stop-only group tacacs+
    tacacs-server host 10.0.0.1 key SecretKey
    tacacs-server host 10.0.0.2 key SecretKey

What is the effect of the accounting command?

A. Accounting records are sent to TACACS+ only when the exec session ends.
B. Accounting records are sent to TACACS+ at both session start and end.
C. Accounting records are sent to TACACS+ only at session start.
D. Accounting is disabled because the command uses 'stop-only' incorrectly.
Answer: A

Correct. 'stop-only' means only a stop record is sent at session termination.

Why this answer

The 'aaa accounting exec default stop-only group tacacs+' command sends an accounting record only when an exec session ends (a stop record, which carries the session's elapsed time), not when it starts. This halves accounting traffic but means the TACACS+ server has no record of a session until it is over, so an administrator who is logged in right now is invisible to it. For device administration 'start-stop' is the usual choice, and per-command accounting ('aaa accounting commands 15 default start-stop group tacacs+') is what actually records what was done during the session.

9
Multi-Select · hard

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

Select 3 answers
A. TACACS+ encrypts the entire packet body, whereas RADIUS only encrypts the password.
B. RADIUS uses TCP for reliable transport, while TACACS+ uses UDP.
C. RADIUS combines authentication and authorization in one packet, whereas TACACS+ separates them.
D. TACACS+ encrypts only the password in the packet, similar to RADIUS.
E. RADIUS uses UDP as its transport protocol, while TACACS+ uses TCP.
Answers: A, C, E

Correct because TACACS+ encrypts the entire payload, while RADIUS only encrypts the password attribute.

Why this answer

The correct answers contrast the two protocols. Option A is correct because TACACS+ encrypts the entire packet body, while RADIUS only encrypts the password. Option C is correct because RADIUS combines authentication and authorization, while TACACS+ separates them.

Option E is correct because RADIUS uses UDP (typically port 1812/1813), while TACACS+ uses TCP (port 49). Option B is wrong because RADIUS uses UDP, not TCP. Option D is wrong because TACACS+ encrypts the entire packet body, not just the password.

10
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show aaa sessions
    Total sessions since last reload: 5
    Session Id: 1
      Unique Id: 1
      User Name: admin
      IP Address: 10.1.1.100
      Idle Time: 0
      Timeout: 0
      Type: Login
      Method: RADIUS
    Session Id: 2
      Unique Id: 2
      User Name: jdoe
      IP Address: 10.1.1.101
      Idle Time: 120
      Timeout: 0
      Type: Login
      Method: LOCAL

Based on this output, what can be concluded?

A. All users are authenticated via RADIUS.
B. User jdoe authenticated using local authentication.
C. The RADIUS server is unreachable for all users.
D. Both sessions are using TACACS+ for authorization.
Answer: B

The 'Method: LOCAL' for session 2 confirms local authentication.

Why this answer

The output shows two active AAA sessions. The first (admin) was authenticated by RADIUS; the second (jdoe) was authenticated against the local database. On a device whose default list is 'group radius local', a LOCAL session usually means that the RADIUS group did not respond when jdoe logged in and the router fell back, or that jdoe came in on a line bound to a different method list (for example a console list that is local only). Either way it deserves a look: compare the login time with 'show aaa servers' counters and the syslog for RADIUS timeouts, because a fallback login is exactly what an attacker who can block traffic to the RADIUS servers would try to force, which is why the local fallback account needs a strong, unique secret.

The idle time for jdoe is 120 seconds, meaning the session has been idle for that long, but no timeout is configured.

11
Drag & Drop · medium

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.

Why this order

When the primary RADIUS server does not respond, the device retries it according to 'radius-server timeout' and 'radius-server retransmit', then moves to the next server in the group, in configured order. Only if every RADIUS server fails to respond does the device fall back to the local database, which provides redundancy. Configuring 'radius-server deadtime' marks a non-responding server dead for a period so that later logins skip it instead of waiting through the full timeout again. As with every fallback list, an Access-Reject from any reachable server ends the attempt without consulting local.

12
Matching · medium

Drag and drop each RADIUS attribute on the left to its correct attribute number on the right.

Matches

Attribute 1

Attribute 4

Attribute 6

Attribute 8

Attribute 5

Why these pairings

RADIUS attribute numbers are standardized: User-Name is 1, NAS-IP-Address is 4, Service-Type is 6, Framed-IP-Address is 8, and NAS-Port is 5.

13
MCQ · medium

Examine this configuration:

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa accounting exec default start-stop group tacacs+
    line vty 0 4
     login authentication default
     privilege level 15

What is missing to ensure that VTY users are authenticated via TACACS+?

A. The 'aaa authentication login default' command should include 'group tacacs+' before 'local'.
B. The 'aaa authorization exec default' command should include 'group tacacs+'.
C. The 'aaa accounting exec default' command should include 'group tacacs+'.
D. The 'privilege level 15' command under VTY lines is missing.
Answer: A

Correct. To authenticate via TACACS+, the method list must specify 'group tacacs+' as the primary method.

Why this answer

The 'default' login method list uses only local authentication, so VTY users are never sent to TACACS+ regardless of the accounting line. To use TACACS+, the list must include 'group tacacs+' before 'local', and a 'tacacs-server host' (or 'tacacs server') entry with the shared key must exist. Note also that 'privilege level 15' under the VTY lines drops every successfully authenticated user straight into level 15 without an enable password; once TACACS+ is in place, 'aaa authorization exec default group tacacs+ local' lets the server assign the privilege level per user instead.

14
MCQ · medium

Examine the following AAA configuration snippet:

    aaa new-model
    aaa authentication login default local
    aaa authentication login CONSOLE local
    aaa authorization exec default local
    aaa accounting exec default start-stop group tacacs+
    line con 0
     login authentication CONSOLE
    line vty 0 4
     login authentication default

What is the effect of this configuration?

A. Console login uses local authentication; VTY login uses local authentication; exec accounting is sent to TACACS+.
B. Console login uses TACACS+ authentication; VTY login uses local authentication; exec accounting is disabled.
C. Both console and VTY login use TACACS+ authentication; exec accounting is sent to TACACS+.
D. Console login uses local authentication; VTY login uses TACACS+ authentication; accounting is not configured.
Answer: A

Correct. The console uses the 'CONSOLE' method list (local), VTY uses the 'default' method list (local), and accounting is configured with start-stop to group tacacs+.

Why this answer

The configuration defines authentication method lists for the console and VTY lines, exec authorization, and exec session accounting. The console uses the 'CONSOLE' method list (local) and the VTY lines use the 'default' method list (also local), so the two lists behave identically here; a separate console list only pays off once the default list is changed to a server-based method and the console should keep working without the server. Exec accounting sends start and stop records to the TACACS+ group, so receiving session records is the only role the TACACS+ server plays in this configuration.

15
MCQ · medium

Given the following configuration:

    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa accounting exec default start-stop group radius
    radius-server host 192.168.1.100 key Cisco123
    radius-server host 192.168.1.101 key Cisco123

Which statement is true about this configuration?

A. If the first RADIUS server (192.168.1.100) is unreachable, the second server (192.168.1.101) is tried before falling back to local.
B. The RADIUS servers are used for authentication only, not for authorization or accounting.
C. Local authentication is always attempted first, then RADIUS.
D. The RADIUS key is optional; if omitted, the router uses an empty key.
Answer: A

Correct. RADIUS servers are tried in the order configured; if all RADIUS servers fail, the fallback method (local) is used.

Why this answer

The configuration uses RADIUS as the primary method for authentication, exec authorization, and exec accounting, with local as the fallback for the first two (accounting has no local method; records are simply not delivered if no server responds). The two RADIUS servers are tried in the order they were configured, 192.168.1.100 first; 'radius-server deadtime' can be added so that a server that has stopped responding is skipped for a while rather than timed out again on every login. Both servers are defined with a shared secret. 'aaa new-model' enables AAA globally and must be present before any of the other lines are accepted.
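The fallback rules stated in questions 1, 2, 11 and 15 (servers tried in order, a timeout moves on, a reject stops) are easy to get backwards, so here is the logic as an executable model. This is an added illustration, not code from the page or from Cisco: the server behaviour, the account data and the two server addresses are constructed to match the page's sample configuration, and the parser understands only the 'aaa authentication login' form used on this page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"   # outcomes of one request to one server


@dataclass
class ServerGroup:
    name: str                                  # "radius" or "tacacs+"
    servers: list[str]                         # tried in configured order
    ask: Callable[[str, str, str], str]        # (server, user, password) -> ACCEPT / REJECT / TIMEOUT


def parse_method_list(line: str) -> list[str]:
    """'aaa authentication login default group radius local' -> ['group radius', 'local']."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("expected an 'aaa authentication login <list> <methods...>' line")
    methods, i = [], 4                          # tokens[3] is the list name (default, CONSOLE, ...)
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def authenticate(methods, groups, local_db, user, password):
    """Walk the method list the way IOS does. Returns (result, deciding method, trace)."""
    trace = []
    for method in methods:
        if method.startswith("group "):
            group = groups[method.split()[1]]
            for server in group.servers:
                outcome = group.ask(server, user, password)
                trace.append(f"{method} {server}: {outcome}")
                if outcome in (ACCEPT, REJECT):
                    return outcome, method, trace    # any answer is final: no fallback on reject
            continue                                 # every server timed out: next method
        if method == "local":
            ok = local_db.get(user) == password
            trace.append(f"local: {ACCEPT if ok else REJECT}")
            return (ACCEPT if ok else REJECT), method, trace
        if method == "none":
            trace.append("none: accept without authentication")
            return ACCEPT, method, trace
        raise ValueError(f"unsupported method {method!r}")
    trace.append("method list exhausted: login fails")
    return "error", None, trace


def radius_behaviour(down: set[str], accounts: dict[str, str]):
    """Constructed stand-in for real servers: listed servers never answer, others check 'accounts'."""
    def ask(server, user, password):
        if server in down:
            return TIMEOUT
        return ACCEPT if accounts.get(user) == password else REJECT
    return ask


def demo():
    methods = parse_method_list("aaa authentication login default group radius local")
    servers = ["192.168.1.100", "192.168.1.101"]     # the page's two radius-server host entries
    local_db = {"alice": "LocalPw1"}                  # a 'username alice ... secret' on the router
    radius_db = {"bob": "RadiusPw1"}                  # alice is NOT defined on the RADIUS server

    def run(down, user, pw):
        g = ServerGroup("radius", servers, radius_behaviour(down, radius_db))
        return authenticate(methods, {"radius": g}, local_db, user, pw)

    return {
        "all_servers_down": run(set(servers), "alice", "LocalPw1"),       # falls back to local
        "second_server_rejects": run({servers[0]}, "alice", "LocalPw1"),  # reject: no local fallback
        "second_server_accepts": run({servers[0]}, "bob", "RadiusPw1"),
    }
```

The second scenario is the trap from question 1: alice exists in the local database, but because the reachable RADIUS server answered with a reject, the router never consults it. The practical consequence is that the local fallback account is only a safety net against losing the AAA servers, and it needs a secret as strong as any admin credential, since an attacker who can block UDP/1812 to both servers gets to test it.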

16
MCQ · hard

A network engineer issues the following command on a router:

    R1# show tacacs
    TACACS+ Server: 10.1.1.10/49
      Socket opens: 5
      Socket closes: 3
      Socket aborts: 0
      Total packets sent: 10
      Total packets received: 9
      Retransmissions: 1
      Timeouts: 1
      Current idle time: 30 seconds

Based on this output, what can be concluded?

A. The TACACS+ server is unreachable.
B. There have been no authentication attempts.
C. The TACACS+ server experienced a single timeout.
D. All packets were successfully acknowledged.
Answer: C

The timeout count is 1, indicating one packet timed out.

Why this answer

The output shows cumulative TACACS+ server statistics. Of 10 packets sent, 9 were answered; the single retransmission and single timeout indicate that one request went unanswered, which points to an occasional network or server hiccup rather than an unreachable server (an unreachable server would show timeouts climbing while packets received stay flat). Because these counters accumulate since the last reload or 'clear', one timeout against 10 packets is minor; a timeout count growing in step with packets sent is what to look for when users report unexplained local-fallback logins.

The current idle time of 30 seconds means there has been no exchange with the server for 30 seconds.

17
Matching · medium

Drag and drop each protocol on the left to its matching characteristic on the right.

Matches

Uses UDP transport

Encrypts entire packet payload

Why these pairings

RADIUS uses UDP and encrypts only the password; TACACS+ uses TCP and encrypts the entire packet. RADIUS combines authentication and authorization; TACACS+ separates them. RADIUS is commonly used for network access; TACACS+ for device administration.

18
Drag & Drop · medium

Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.

Why this order

TACACS+ separates authentication, authorization, and accounting. For command authorization the user first authenticates and receives an exec shell; then, each time a command is entered, the device sends the command and its arguments to the TACACS+ server in an authorization request, the server evaluates it against the user's command set and replies with permit or deny, and the device executes or blocks the command accordingly. Command authorization has to be enabled per privilege level ('aaa authorization commands 15 default group tacacs+'), and configuration-mode commands are included unless 'no aaa authorization config-commands' has been set. Without a 'local' or 'if-authenticated' fallback in the list, losing the TACACS+ server blocks every command, so the fallback decision is a security trade-off rather than a convenience.

19
MCQ · medium

Consider this AAA configuration:

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa accounting exec default start-stop group tacacs+
    tacacs-server host 10.0.0.1 key SecretKey
    line con 0
     login authentication default
    line vty 0 4
     login authentication default

What is the effect of this configuration?

A. All login attempts use local authentication; exec accounting is sent to TACACS+.
B. All login attempts use TACACS+ authentication; exec accounting is local.
C. Console login uses TACACS+; VTY login uses local; accounting is sent to TACACS+.
D. Authentication and authorization are both performed by TACACS+; accounting is local.
Answer: A

Correct. Authentication is local, authorization is local, accounting is sent to TACACS+.

Why this answer

The configuration uses local authentication for all lines, local authorization for exec commands, and sends exec accounting start-stop records to TACACS+. The TACACS+ server is defined but only used for accounting.

20
Matching · medium

Drag and drop each RADIUS attribute name on the left to its matching attribute number on the right.

Matches

1

4

6

8

22

Why these pairings

RADIUS attribute numbers are standardized: User-Name=1, NAS-IP-Address=4, Service-Type=6, Framed-IP-Address=8, and Framed-Route=22.

21
Matching · medium

Drag and drop each AAA function on the left to its correct description on the right.

Matches

Verifies the identity of a user or device

Determines what resources or commands a user can access

Records user activity for auditing or billing purposes

Why these pairings

Authentication verifies identity, authorization determines allowed actions, and accounting tracks usage for auditing or billing.

22
Matching · medium

Drag and drop each TACACS+ packet type on the left to its matching function on the right.

Matches

Initiates an authentication session and contains the username

Sends a challenge (e.g., password prompt) or authentication result

Carries the user's response to a challenge

Indicates successful authentication and may include authorization attributes

Indicates authentication failure

Why these pairings

START begins an authentication session and carries the username when the client already has it; REPLY is the server's turn and either prompts for more input or delivers the verdict; CONTINUE carries the user's answer to a prompt; ACCEPT signals success and may carry authorization data; REJECT signals failure. Strictly, RFC 8907 defines only three authentication packet types (START, REPLY, CONTINUE): what the quiz calls ACCEPT and REJECT are REPLY packets whose status field is PASS or FAIL, alongside the prompting statuses GETUSER, GETPASS, and GETDATA.

23
Multi-Select · hard

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

Select 3 answers
A. RADIUS combines authentication and authorization in a single packet.
B. TACACS+ uses TCP port 49 by default.
C. RADIUS encrypts the entire packet payload for all attributes.
D. TACACS+ provides separate authentication, authorization, and accounting processes.
E. RADIUS supports per-command authorization for shell sessions.
Answers: A, B, D

Correct because RADIUS merges authentication and authorization in the Access-Accept packet.

Why this answer

RADIUS and TACACS+ are both AAA protocols but differ in transport, encryption, and authorization granularity. RADIUS uses UDP and encrypts only the password; TACACS+ uses TCP and encrypts the entire packet. TACACS+ supports per-command authorization, while RADIUS does not.

Both can be used for device administration, but RADIUS is more common for network access.
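Questions 6, 7, 9, 17 and 23 all hinge on what "RADIUS only encrypts the password" means in practice. The following Python, an added example and not code from the page or from any RADIUS implementation, builds an Access-Request as RFC 2865 describes it, hides the User-Password with the shared secret, decodes it server-side, and verifies the Response Authenticator on the reply. The secret, username, addresses and the fixed Request Authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Attribute types named on the page, plus User-Password (2), the only one that is hidden.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 2, 4, 5, 6, 8
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth            # the Request Authenticator seeds the first block
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts its own 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")     # never trust a Length field blindly
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(secret, ident, user, password, nas_ip, nas_port, request_auth=None):
    request_auth = request_auth or os.urandom(16)      # must be unpredictable per request
    attrs = build_attrs([
        (USER_NAME, user),                                              # cleartext on the wire
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (SERVICE_TYPE, struct.pack("!I", 1)),                            # 1 = Login
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, attrs, secret) -> bytes:
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret) -> bool:
    """Client check: was this reply produced with our secret, for our request?"""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo():
    secret = b"Cisco123"                       # constructed; same value as the page's sample config
    req_auth = bytes(range(16))                # fixed only so the example is reproducible
    req = build_access_request(secret, 7, b"jdoe", b"s3cret!", "10.1.1.1", 3, req_auth)
    on_wire = dict(parse_attrs(req[20:]))      # what a sniffer on UDP/1812 sees
    # Server side: unhide the password, decide, answer with a Response Authenticator.
    seen = reveal_password(on_wire[USER_PASSWORD], secret, req[4:20])
    code = ACCESS_ACCEPT if seen == b"s3cret!" else ACCESS_REJECT
    reply = build_response(code, req, build_attrs([(FRAMED_IP_ADDRESS, bytes([10, 1, 1, 101]))]), secret)
    forged = build_response(ACCESS_ACCEPT, req, b"", b"guessed-secret")   # attacker without the secret
    return {
        "user_name_on_wire": on_wire[USER_NAME],
        "password_on_wire": on_wire[USER_PASSWORD],
        "password_seen_by_server": seen,
        "reply_code": code,
        "genuine_reply_verifies": verify_response(reply, req, secret),
        "forged_reply_verifies": verify_response(forged, req, secret),
    }
```

Every attribute except User-Password is readable by anyone on the path, and the secret itself never leaves either host; it only keys the MD5 stream and the Response Authenticator. The forged reply fails verification because its authenticator was computed with the wrong secret, and that check is the only thing standing between the client and a spoofed Access-Accept. Since MD5 collisions are practical, that check alone is no longer sufficient against an on-path attacker (the 2024 Blast-RADIUS attack, CVE-2024-3596); current guidance is to require the Message-Authenticator attribute in every packet and to move RADIUS onto a TLS transport.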

24
MCQ · medium

A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?

A. The switch is missing the 'aaa accounting dot1x default start-stop group radius' command to enable accounting for 802.1X sessions.
B. The RADIUS server is using a different accounting port than 1813; the switch should use port 1646.
C. The switch must have 'aaa new-model' configured before accounting can work.
D. The RADIUS server's shared secret for accounting is different from the authentication secret.
Answer: A

Correct because accounting is a separate AAA function that must be explicitly configured; the RADIUS server definition alone does not enable accounting.

Why this answer

Accounting is a separate AAA function and must be switched on for each service; the 'radius-server host' command only defines the server and its ports. 'aaa accounting dot1x default start-stop group radius' is needed for the switch to send Accounting-Request packets for 802.1X sessions. Ports 1812/1813 are given explicitly here, so the legacy 1645/1646 default of the old command is not the issue. 'show aaa servers' shows per-server counters for accounting requests, responses, and timeouts and is the quickest way to confirm that records are actually leaving the switch.

25
MCQ · medium

A network administrator runs the following command on a switch:

    Switch# show aaa method-list
    Method List Name: default
      Type: authentication
      Group: radius
      Group: local
    Method List Name: console
      Type: authentication
      Group: local
    Method List Name: default
      Type: authorization
      Group: tacacs+
      Group: local

Based on this output, what can be concluded?

A. Authorization for all users uses RADIUS.
B. Console authentication uses RADIUS as fallback.
C. RADIUS is the primary authentication method for default login.
D. TACACS+ is used for authentication.
Answer: C

The default authentication list has 'group radius' listed first.

Why this answer

The output shows the configured method lists. The default authentication list uses RADIUS first, then local. The console authentication list uses only local.

The default authorization list uses TACACS+ first, then local. This matches typical AAA configuration.

26
Multi-Select · hard

Which three statements about configuring AAA on Cisco IOS devices are true? (Choose three.)

Select 3 answers
A. The aaa new-model command enables AAA services on the device.
B. The aaa new-model command disables local authentication and forces the use of an external server.
C. The radius-server host command is used to specify the IP address and shared secret for a RADIUS server.
D. The tacacs-server host command is used to specify the IP address and shared secret for a RADIUS server.
E. The aaa authentication login command defines a method list for login authentication.
Answers: A, C, E

Correct because aaa new-model is required to activate AAA on Cisco IOS.

Why this answer

The correct answers cover common AAA configuration steps. Option A is correct because the aaa new-model command enables AAA on a Cisco IOS device. Option C is correct because the radius-server host command specifies the RADIUS server IP and shared secret.

Option E is correct because the aaa authentication login command defines a method list for login authentication. Option B is wrong because the aaa new-model command does not disable local authentication; it enables AAA. Option D is wrong because the tacacs-server host command is used for TACACS+, not RADIUS.

27
Matching · medium

Drag and drop each AAA function on the left to its matching description on the right.

Matches

Verifies the identity of a user or device

Determines what resources or services a user is allowed to access

Collects and logs usage data for auditing or billing

Why these pairings

Authentication verifies identity; Authorization determines permitted actions; Accounting tracks usage for auditing or billing.

28
Multi-Select · medium

Which two statements about AAA accounting are true? (Choose two.)

Select 2 answers
A. RADIUS accounting uses UDP as the transport protocol.
B. TACACS+ accounting uses UDP as the transport protocol.
C. The wait-start accounting method delays service until the accounting start packet is acknowledged by the server.
D. AAA accounting is only supported for EXEC sessions, not for network access.
E. TACACS+ encrypts only the password portion of the accounting packet.
Answers: A, C

Correct because RADIUS uses UDP for both authentication and accounting.

Why this answer

AAA accounting tracks user sessions and resource usage. RADIUS accounting uses UDP (1813 by IANA assignment, 1646 as the legacy 'radius-server host' default), while TACACS+ uses TCP port 49 for everything, so options B and E are wrong. Accounting can be 'start-stop', 'stop-only', or 'wait-start'.

'wait-start' withholds the service until the accounting server acknowledges the start record, which guarantees that every session is logged but also means that nobody can log in while the accounting server is unreachable; it trades availability for audit completeness and needs a reachable secondary server. TACACS+ obfuscates the entire packet body, accounting data included. Accounting applies to network access (802.1X, PPP) as well as EXEC sessions and commands, so option D is wrong.

29
MCQ · hard

An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?

A. The router's 'aaa authorization commands 15 default group tacacs+' command is missing the 'local' keyword, so if TACACS+ denies, there is no fallback.
B. The TACACS+ server upgrade changed the default authorization behavior from permissive to restrictive, requiring explicit 'permit' statements for each command, and the existing rules may not cover all commands.
C. The router's privilege level 15 is not correctly assigned to the user.
D. The TACACS+ server is not reachable due to a firewall change, causing the router to deny all commands.
Answer: B

Correct because TACACS+ authorization rules are defined on the server; an upgrade can change default behavior (e.g., from permit-all to deny-all), requiring updated rules to allow previously permitted commands.

Why this answer

The TACACS+ server upgrade most likely changed how command authorization is decided, for example a default that moved from "permit unmatched commands" to "deny unmatched commands", or stricter matching of command arguments. The router sends the full command string (the 'cmd' and 'cmd-arg' attribute-value pairs) to the server on every command, and the server must have a rule that matches it. Options A and D describe unreachable-server behaviour, but the logs show that requests are being answered, so this is a policy decision rather than a transport failure. 'debug aaa authorization' and 'debug tacacs' on the router show exactly which command string was sent and what the server replied.

30
MCQ · medium

An organization uses a Cisco ISE as the RADIUS server for both wired and wireless authentication. The network engineer configures a Cisco switch with 'aaa authentication dot1x default group radius' and 'aaa authorization network default group radius'. When a user connects via 802.1X, authentication succeeds, but the user is placed in the wrong VLAN. The RADIUS server sends a 'Tunnel-Private-Group-ID' attribute with the correct VLAN name. The switch has the VLAN defined. What is the most likely cause?

A. The switch interface is configured as a static access port, which overrides the RADIUS-supplied VLAN.
B. The RADIUS server is sending the VLAN ID as a number, but the switch expects a VLAN name.
C. The switch needs the 'radius-server attribute 8 include-in-access-req' command to include the calling station ID.
D. The switch's VLAN database does not have the VLAN created, so it defaults to the native VLAN.
Answer: A

Correct per the answer key: the quiz's reasoning is that a VLAN statically configured on the interface is what the port keeps using instead of the RADIUS-assigned one. Treat this with care in practice: on Cisco IOS switches a RADIUS-assigned VLAN takes precedence over a static 'switchport access vlan' as long as 'aaa authorization network default group radius' is configured, and 'switchport access vlan dynamic' is a VMPS feature, not an 802.1X requirement.

Why this answer

For the switch to honour a RADIUS-assigned VLAN, three things must hold: 'aaa authorization network default group radius' is configured (it is here), the server returns all three tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, and Tunnel-Private-Group-ID carrying the VLAN name or ID; the switch accepts either), and the VLAN exists on the switch (it does; a VLAN missing from the database leaves the port unauthorized rather than in the native VLAN, which rules out option D). 'radius-server attribute 6 on-for-login-auth' controls whether Service-Type is included in login requests and has nothing to do with VLAN assignment.

Since authentication succeeds but the VLAN is wrong, the port is authorized and the only question is which VLAN was applied and why. 'show authentication sessions interface <name> details' shows the session's VLAN and the attributes received; if the server's attributes are correct, look at the interface for a static VLAN or an interface template taking precedence, and confirm that the VLAN name returned by the server matches the name on the switch exactly.

31
Multi-Select · medium

Which two statements about AAA authentication methods are true? (Choose two.)

Select 2 answers
A. The local method for authentication uses the enable password for privilege level 15 access.
B. The enable method for authentication checks the local username database.
C. The none method for authentication provides fallback to the local database if the server is unreachable.
D. The login local method authenticates users against the local username database.
E. The line password method for authentication uses the enable secret password.
Answers: A, D

Option D is correct: 'login local' (or the 'local' method in a method list) checks the username and password against the local username database. Option A is marked correct by the answer key, but its wording conflates two methods: 'local' consults the local username database and grants the privilege level configured on that 'username' entry, while the enable password or secret is what the separate 'enable' method (and the 'enable' command) checks.

Why this answer

The options test whether you can tell the local, enable, line, and none methods apart. Option D is correct because 'login local' authenticates against the local username database. Option A is the answer key's second choice; read it as "a local login can land a user at privilege level 15", which happens only when the 'username' entry carries 'privilege 15' or the line is configured with 'privilege level 15', not because the enable password is consulted.

Option B is wrong because the 'enable' method checks the enable password or secret, not the local username database. Option C is wrong because 'none' performs no authentication at all; it is not a fallback mechanism, and placing it on a VTY list opens the device to anyone who can reach it. Option E is wrong because the 'line' method uses the 'password' configured under the line, not the enable secret.

32
Drag & Drop · medium

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

Why this order

Command accounting requires first enabling AAA globally ('aaa new-model') and defining a TACACS+ server, then creating an accounting method list for commands at the privilege levels of interest, for example 'aaa accounting commands 15 default start-stop group tacacs+' (and a second line for level 1 if operator commands should be logged too). A named list is applied to a line with 'accounting commands 15 <list>'; the 'default' list applies to all lines automatically. The device then sends one accounting record per command to the TACACS+ server, which stores it. Command accounting is supported only with TACACS+, not RADIUS, and these records are the audit trail of who changed what on the device, so the accounting server itself must be protected from the administrators it is auditing.

33
MCQ · medium

A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?

A. The interface needs the 'authentication guest-vlan <vlan-id>' command to specify the VLAN for non-802.1X devices.
B. The switch must have 'aaa authentication dot1x default group radius' configured globally.
C. The 'authentication host-mode multi-host' command should be replaced with 'authentication host-mode multi-domain' to support guest VLAN.
D. The port must be configured as a trunk port to allow the guest VLAN.
Answer: A

Correct because the guest VLAN is a separate configuration that tells the switch to place the port into a specific VLAN when authentication fails or times out.

Why this answer

For a port to fall into a guest VLAN, the guest VLAN must be configured on that interface; 'authentication port-control auto' enables 802.1X on the port but says nothing about what to do when no supplicant answers, so the port stays unauthorized. Two caveats a deployment should get right. First, the guest VLAN is used when the client never responds to EAPOL (a device with no supplicant, which is this scenario); a client that does run 802.1X but presents bad credentials is handled by the separate authentication-failed (restricted) VLAN, configured on newer IOS with 'authentication event fail action authorize vlan <id>'. Second, 'authentication host-mode multi-host' authorizes every MAC address behind the port once any one of them succeeds, so a hub or an unmanaged switch on that port lets unauthenticated hosts ride along; 'multi-auth' authenticates each host individually and is the safer choice for access ports.

34
Multi-Select · medium

Which two statements about AAA authorization and accounting are true? (Choose two.)

Select 2 answers
A. Authorization determines what commands a user is allowed to execute after authentication.
B. Authorization ensures that all traffic between the client and server is encrypted.
C. Accounting is used to authenticate users based on their previous login history.
D. Accounting provides a record of user activities for auditing or billing purposes.
E. Authorization can only be based on the source IP address of the user.
Answers: A, D

Correct because authorization enforces policies on what resources or commands a user can access.

Why this answer

The correct answers describe the purpose of authorization and accounting. Option A is correct because authorization controls what commands or services a user can access. Option D is correct because accounting records user activity for auditing and billing.

Option B is wrong because authorization does not encrypt traffic; encryption is a separate function. Option C is wrong because accounting does not authenticate users; it logs actions. Option E is wrong because authorization can be based on user or group attributes, not just the source IP.

35
MCQ · medium

A network administrator checks the AAA configuration on a router:

    R1# show running-config | include aaa
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login console local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group radius

Based on this output, what can be concluded?

A.Console login uses RADIUS authentication.
B.EXEC authorization uses TACACS+ as the primary method.
C.Accounting is performed using TACACS+.
D.Local authentication is never used.
AnswerB

The command 'aaa authorization exec default group tacacs+ local' shows TACACS+ is tried first.

Why this answer

The configuration shows AAA is enabled. For login authentication, the default method list uses RADIUS first, then local. The console uses local authentication only.

For EXEC authorization, TACACS+ is used first, then local. Accounting is configured for EXEC sessions using RADIUS.

36
Drag & Drop · medium

Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.

Why this order

TACACS+ command authorization starts with the user entering a command, which is sent to the TACACS+ server. The server checks the command against the user's authorization profile and responds with permit or deny. The device executes or blocks the command accordingly, and finally logs the result.

37
Drag & Drop · medium

Drag and drop the steps of the TACACS+ authentication process into the correct order, from first to last.

Why this order

TACACS+ uses TCP and encrypts the entire packet. It separates authentication, authorization, and accounting. The server sends a GETUSERNAME prompt first, then GETPASSWORD, and finally an ACCEPT or REJECT.

38
MCQ · hard

A network engineer is configuring a Cisco router to use TACACS+ for command authorization. The engineer configures 'aaa authorization commands 15 default group tacacs+ local'. When a user with privilege level 15 tries to execute the 'reload' command, the router sends an authorization request to the TACACS+ server. The server responds with an 'Access-Accept' but the command is still denied. The engineer checks the router's configuration and sees that 'aaa accounting commands 15 default start-stop group tacacs+' is also configured. What could be the issue?

A. The TACACS+ server's 'Access-Accept' response does not include the necessary authorization attributes to permit the 'reload' command, so the router denies it.
B. The 'aaa accounting commands 15' command is causing the router to send accounting records before authorization, which delays the response and causes a timeout.
C. The router's 'aaa authorization commands 15' should use 'group tacacs+' without 'local' to ensure only TACACS+ is used.
D. The user's privilege level on the router is not actually 15, despite the configuration.
Answer: A

Correct because TACACS+ command authorization requires the server to explicitly permit each command or use a 'permit all' attribute; an 'Access-Accept' without proper attributes results in denial.

Why this answer

The TACACS+ server response for command authorization includes attributes that specify which commands are allowed. If the server responds with an 'Access-Accept' but does not include the necessary authorization data (e.g., a list of permitted commands or a 'permit all' attribute), the router may deny the command. Alternatively, the accounting configuration might be interfering, but that is less likely.

The most common cause is that the TACACS+ server's response does not include the required authorization information for the specific command.

39
Matching · hard

Drag and drop each AAA method list type on the left to its correct fallback order (from first to last) on the right.

local, line

enable, none

local, none

local, if-authenticated

local, none

Why these pairings

The default method list for login authentication tries local first, then falls back to the line password. The default for enable authentication uses the enable password, then none. The default for PPP authentication uses local, then none.

The default for command authorization uses local, then if-authenticated. The default for exec authorization uses local, then none.

40
Drag & Drop · medium

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

Why this order

Cisco ISE evaluates RADIUS policies in a specific order: first it checks authentication policies, then authorization policies (including exception policies), and finally applies the matched authorization profile. If no match, the default deny policy applies.

41
MCQ · hard

A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?

A. The TACACS+ server is not configured to authorize the user for EXEC access, so it sends a 'deny' response, causing the router to disconnect the user.
B. The 'aaa authorization exec' command should be 'aaa authorization commands 15' to allow the user to execute commands after login.
C. The router's SSH configuration is missing the 'ip ssh authentication-retries' command.
D. The 'local' fallback in the authorization command is overriding the TACACS+ response.
Answer: A

Correct because TACACS+ authorization for EXEC determines whether the user is allowed to start a shell; if the server denies, the router disconnects even though authentication succeeded.

Why this answer

The user is authenticated successfully, but the authorization for EXEC (shell) is failing. The 'aaa authorization exec default group tacacs+ local' command means the router will first try TACACS+ for EXEC authorization; if TACACS+ does not respond, it falls back to local. However, if TACACS+ responds with a deny for EXEC authorization, the user is denied access and disconnected.

The TACACS+ server may not have a shell profile for the user, or the authorization rule denies EXEC access.

42
MCQ · medium

Which statement correctly describes the difference between RADIUS and TACACS+?

A. RADIUS encrypts the entire packet; TACACS+ encrypts only the password.
B. RADIUS encrypts only the password; TACACS+ encrypts the entire packet body.
C. Both protocols encrypt the entire packet.
D. Neither protocol encrypts any part of the packet.
Answer: B

Correct. RADIUS encrypts only the password attribute, while TACACS+ encrypts the entire payload.

Why this answer

RADIUS encrypts only the password in the access-request packet, while TACACS+ encrypts the entire packet body (excluding the header). This is a key security difference.

43
MCQ · easy

A network engineer is configuring a Cisco router for AAA using a RADIUS server. The engineer wants to ensure that if the RADIUS server is unreachable, the router falls back to local authentication for console access. The engineer configures 'aaa authentication login default group radius local' and 'aaa authentication login CONSOLE local'. The console line is configured with 'login authentication CONSOLE'. However, when the RADIUS server is down, the engineer cannot log in via the console. What is the problem?

A. The router has no local usernames configured, so the 'local' method has no users to authenticate against.
B. The 'aaa authentication login CONSOLE local' command should be 'aaa authentication login CONSOLE group radius local' to include RADIUS as a fallback.
C. The console line should use the default authentication list instead of a named list.
D. The 'aaa new-model' command is missing, so AAA is not enabled.
Answer: A

Correct because 'local' authentication uses the local username database; if no usernames are configured, authentication fails.

Why this answer

The console line uses the 'CONSOLE' method list, whose only method is 'local', so the state of the RADIUS server has no bearing on console login; that part of the configuration is correct for fallback. If console login still fails, the local method itself must be failing, and the 'local' method can only succeed against entries in the local username database.

The most likely cause is therefore that no 'username' entries are configured on the router, leaving the local database empty.

44
Drag & Drop · medium

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

Why this order

To log commands via AAA accounting, you first enable AAA globally, then configure the accounting method list for exec or commands, apply it to the desired lines, and finally verify that commands are being sent to the accounting server.

45
MCQ · medium

A network administrator issues the following command on a Cisco switch:

Switch# show aaa servers
RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
State: current UP, duration 3600s, previous duration 0s
Dead: total 0, retransmit 0
RADIUS: id 2, priority 2, host 192.168.1.20, auth-port 1812, acct-port 1813
State: current UP, duration 100s, previous duration 300s
Dead: total 3, retransmit 2

Based on this output, what can be concluded?

A. Both RADIUS servers are currently unreachable.
B. Server 192.168.1.20 has a history of failures.
C. Server 192.168.1.10 is the backup server.
D. TACACS+ is also configured on these servers.
Answer: B

The dead total of 3 and retransmit count of 2 indicate previous failures.

Why this answer

The output shows two RADIUS servers. Server 192.168.1.10 has been up for 3600 seconds with no dead events. Server 192.168.1.20 has been up for only 100 seconds, has experienced 3 dead events and 2 retransmissions, indicating it has been unreliable.

The 'previous duration' of 300s for server 2 suggests it was previously up for 300s before going dead.

46
Matching · medium

Drag and drop each TACACS+ packet type on the left to its correct function on the right.

Initiates an authentication session from the client to the server

Sent by the server to the client, carrying prompts or authentication results

Sent by the client to the server with the user's response to a prompt

Used for authorization requests and responses

Used for accounting start, stop, and interim records

Why these pairings

TACACS+ uses START to initiate authentication, REPLY to respond with prompts or success/failure, CONTINUE to send user responses, and also has special types for authorization and accounting.

47
MCQ · hard

A network engineer checks the AAA server status:

R1# show aaa servers
RADIUS: id 1, priority 1, host 10.1.1.10, auth-port 1812, acct-port 1813
State: current DEAD, duration 0s, previous duration 500s
Dead: total 1, retransmit 3
RADIUS: id 2, priority 2, host 10.1.1.20, auth-port 1812, acct-port 1813
State: current UP, duration 200s, previous duration 0s
Dead: total 0, retransmit 0

Based on this output, what can be concluded?

A. Both RADIUS servers are operational.
B. The backup server is currently handling authentication.
C. The primary server has never failed before.
D. TACACS+ is also configured on these servers.
Answer: B

The primary is dead, so the backup (UP) is being used.

Why this answer

The primary RADIUS server (10.1.1.10) is currently DEAD with 1 dead event and 3 retransmissions. The backup server (10.1.1.20) is UP and has been for 200 seconds. This indicates the primary server failed and the backup is now handling requests.

48
MCQ · hard

A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?

A. The RADIUS server is configured to use a different source IP address for RADIUS responses than the IP address configured on the WLC, causing the WLC to drop the responses.
B. The WLC is configured with the wrong authentication port; RADIUS uses port 1645, not 1812.
C. The WLC's RADIUS server configuration has the wrong shared secret, causing the server to reject requests.
D. The WLC is not configured with a valid management interface IP address to reach the RADIUS server.
Answer: A

Correct because the WLC typically expects RADIUS responses to come from the same IP address as the configured server; if the server uses a different source IP (e.g., a loopback or secondary IP), the WLC may not recognize the response and logs 'server not responding'.

Why this answer

The two logs disagree: the server records that it received the requests and answered with 'Access-Reject', while the WLC records 'RADIUS server not responding', which means the WLC never accepted a response for those requests. Because the server is receiving and processing the requests, the shared secret is likely correct and is not the cause.

The symptom points to the responses being sent but not recognised by the WLC. That happens when the RADIUS server sends its replies from a different source IP address (for example, a secondary or loopback address) than the server IP configured on the WLC, so the WLC discards them as coming from an unknown server. A firewall dropping the return traffic would look similar, but the source-IP mismatch on the server is the most plausible cause in this scenario.

49
Drag & Drop · medium

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

Why this order

Cisco ISE evaluates RADIUS policies in a specific order: first authentication policies, then authorization policies (based on conditions), and finally the default rule if no match is found. This ensures proper access control.

50
Drag & Drop · medium

Drag and drop the steps of the RADIUS authentication process into the correct order, from first to last.

Why this order

RADIUS uses UDP and encrypts only the password in the Access-Request. The server checks credentials and responds with Access-Accept or Access-Reject. Accounting-Start is sent after authentication succeeds.

51
MCQ · easy

What is the purpose of the 'aaa authorization exec default local' command?

A. It authenticates users for exec access using the local database.
B. It authorizes exec sessions using the local database, determining if a user can start a shell and their privilege level.
C. It enables accounting for exec commands to the local database.
D. It sets the privilege level for all users to 15.
Answer: B

Correct. Authorization controls what a user is allowed to do after authentication.

Why this answer

This command authorizes exec (shell) sessions using the local user database. It determines whether a user is allowed to start an exec session and what privilege level they receive.

52
Multi-Select · easy

Which two statements about local AAA and fallback methods are true? (Choose two.)

Select 2 answers
A. Local AAA authentication uses the username and password configured in the running configuration.
B. The 'aaa authentication login default local' command configures the device to use a RADIUS server first, then fall back to local.
C. When using a RADIUS server group, if the primary server fails to respond, the device automatically tries the next server in the group.
D. The 'aaa new-model' command is required only when using TACACS+ servers.
E. Fallback to local authentication occurs only if all remote servers explicitly reject the authentication request.
Answers: A, C

Correct because local authentication relies on the username/password stored on the device.

Why this answer

Local AAA uses the device's local database for authentication. Fallback methods define the order of servers to try. If all servers are unreachable, the local database can be used as a backup.

The 'aaa authentication login default local' command uses the local database only. The 'aaa new-model' command enables AAA globally.

53
MCQ · medium

Given this configuration:

aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key radiuskey
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key radiuskey

Which statement is true about the RADIUS server ports?

A. The RADIUS authentication port is 1645 and accounting port is 1646.
B. The RADIUS authentication port is 1812 and accounting port is 1813.
C. The RADIUS authentication port is 1646 and accounting port is 1645.
D. The RADIUS ports are not configurable; this command will be rejected.
Answer: A

Correct. The 'auth-port' and 'acct-port' keywords explicitly set these ports.

Why this answer

RADIUS traditionally uses UDP port 1812 for authentication and 1813 for accounting, but older implementations use 1645 and 1646. The configuration explicitly sets these ports, which is valid but non-standard.

54
Drag & Drop · medium

Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.

Why this order

RADIUS CoA allows a server to dynamically change a session's authorization. The server sends a CoA-Request to the network access server (NAS). The NAS acknowledges with CoA-ACK and applies the new policy.

If the session is affected, the NAS may send a disconnect or re-authenticate.

55
Drag & Drop · medium

Drag and drop the steps of configuring AAA on a Cisco IOS device into the correct order, from first to last.

Why this order

AAA configuration requires first enabling AAA globally, then defining the authentication method list, applying it to login, and optionally specifying a fallback method like local. Finally, verify with debug commands.

56
MCQ · medium

A network engineer checks AAA accounting on a router:

R1# show aaa accounting
Accounting method list 'default':
Type: exec
Start-stop: group radius
Accounting records:
Total started: 10
Total stopped: 8
Total failed: 2
Last record: user 'admin', start time 00:01:00 UTC Mar 1 2023

Based on this output, what can be concluded?

A. All accounting records were successfully sent.
B. Accounting is configured for EXEC sessions using RADIUS.
C. Accounting is performed using TACACS+.
D. No users have logged in since accounting was enabled.
Answer: B

The output shows 'start-stop group radius' for exec type.

Why this answer

The output shows accounting statistics for EXEC sessions. Out of 10 started sessions, 8 were stopped, and 2 failed (likely due to server unreachability or errors). The last record is for user admin.

This indicates some accounting records were not successfully sent to the RADIUS server.

57
MCQ · hard

A network engineer runs the following debug on a router:

R1# debug aaa authentication
*Mar 1 00:01:23.456: AAA/BIND(00000001): Bind iplist
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default'
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Method=RADIUS
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): RADIUS server 10.1.1.10:1812, timeout 5, retransmit 2
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Sent username 'admin', password ****
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Received PASS response
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pass

Based on this output, what can be concluded?

A. Authentication failed due to incorrect password.
B. The router used TACACS+ for authentication.
C. The RADIUS server 10.1.1.10 authenticated the user successfully.
D. The user 'admin' was authenticated using local database.
Answer: C

The debug confirms a successful PASS response from the RADIUS server.

Why this answer

The debug output shows a successful AAA authentication using RADIUS. The router selected the default method list, used RADIUS as the first method, sent credentials to server 10.1.1.10, and received a PASS response. The 'Pass' message indicates authentication succeeded.

58
MCQ · hard

A network administrator runs the following debug on a router:

R1# debug aaa authorization
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Processing author request for user 'jdoe'
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Method=TACACS+
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): TACACS+ server 10.1.1.10:49, timeout 5
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Sent author request
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Received PASS response
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Pass

Based on this output, what can be concluded?

A. The user jdoe failed authorization.
B. Authorization was performed using RADIUS.
C. The TACACS+ server authorized the user successfully.
D. The user was authenticated but not authorized.
Answer: C

The debug confirms a PASS response from the TACACS+ server.

Why this answer

The debug shows a successful EXEC authorization using TACACS+. The router sent an authorization request for user jdoe to TACACS+ server 10.1.1.10 and received a PASS response. This indicates the user was authorized to access the EXEC shell.
