CCNA 802.1X and TrustSec Questions

58 questions · 802.1X and TrustSec · All types, answers revealed

1. Drag & Drop (medium)

Drag and drop the steps of the 802.1X EAP-TLS authentication exchange into the correct order, from first to last.


Why this order

The 802.1X EAP-TLS process begins with the supplicant initiating an EAPoL-Start, then the authenticator requests identity. The supplicant responds with an EAP-Response/Identity, the authenticator forwards it to the RADIUS server, and the server requests the client certificate to start the TLS handshake.

2. Multi-Select (hard)

Which three statements about Cisco TrustSec security group access control lists (SGACLs) are true? (Choose three.)

A. SGACLs define policies based on source and destination security group tags.
B. SGACLs are typically downloaded from the Cisco ISE policy server to network devices.
C. SGACLs are applied directly to switch ports using the ip access-group command.
D. SGACLs can be used to permit or deny traffic between different security groups.
E. SGACLs can rewrite the security group tag in the packet header.
Answers: A, B, D

Correct; SGACLs use SGTs to determine access rights.

Why this answer

SGACLs are applied based on source and destination SGTs, they are downloaded from the Cisco ISE, and they can be used to permit or deny traffic. Option A is correct because SGACLs are policy rules based on SGTs. Option B is correct because ISE distributes SGACLs to network devices.

Option D is correct because SGACLs enforce permit/deny decisions. Option C is incorrect because SGACLs are not applied to interfaces like traditional ACLs; they are applied to SGT pairs. Option E is incorrect because SGACLs do not modify packets; they just enforce policy.

3. MCQ (medium)

A network engineer runs the following command on switch SW3:

    SW3# show cts role-based permissions
    IPv4 Role-based permissions:
    Source Group  Dest Group  Action
    10            20          PERMIT
    10            30          DENY
    20            30          PERMIT

Based on this output, what can be concluded?

A. Traffic from SGT 10 to SGT 20 is denied.
B. Traffic from SGT 10 to SGT 30 is permitted.
C. Traffic from SGT 20 to SGT 30 is permitted.
D. Traffic from SGT 30 to SGT 10 is denied.
Answer: C

The output shows PERMIT for source 20 to dest 30.

Why this answer

The output shows the role-based access control policies between SGTs. Traffic from SGT 10 to SGT 20 is permitted, from SGT 10 to SGT 30 is denied, and from SGT 20 to SGT 30 is permitted. This is a key part of TrustSec policy enforcement.

4. MCQ (medium)

An organization is implementing 802.1X for wireless users using Cisco ISE as the RADIUS server. The network engineer configures the wireless LAN controller (WLC) with 802.1X authentication. Users report that they can connect to the SSID but cannot access any network resources. The engineer checks the WLC and sees that users are authenticated and assigned to VLAN 100. The engineer also checks the switchport connecting the WLC and sees it is a trunk. What is the most likely issue?

A. The RADIUS server is not sending the correct VLAN ID in the Access-Accept.
B. The switch trunk port does not have VLAN 100 allowed.
C. The WLC is not configured for 802.1X on the uplink to the switch.
D. The users' devices are not configured for MAB.
Answer: B

Correct because the WLC sends tagged traffic on VLAN 100, and the trunk must permit it.

Why this answer

When using 802.1X with WLC, the WLC typically uses VLAN tagging. If the WLC is configured to tag traffic from the SSID with a specific VLAN, the switch trunk must allow that VLAN. Option B is correct because if VLAN 100 is not allowed on the trunk, traffic will be dropped.

Option A is incorrect because the users are authenticated, so the RADIUS server is working. Option C is incorrect because the WLC does not need 802.1X on the uplink. Option D is incorrect because the WLC does not use MAB for wireless.

5. Matching (medium)

Drag and drop each TrustSec component on the left to its matching function on the right.


16-bit security tag embedded in Ethernet or IP packets

Access control list based on source and destination SGT

Protocol to propagate SGT bindings between network devices

IEEE 802.1AE encryption for point-to-point links

Cisco TrustSec architecture that combines SGT, SGACL, and MACsec

Why these pairings

SGT tags traffic, SGACL enforces policy, SXP propagates SGTs, and MACsec encrypts at Layer 2.

6. MCQ (hard)

A network engineer runs the following command on switch SW4:

    SW4# show cts environment-data
    CTS Environment Data:
      Device ID: SW4.cisco.com
      Device Name: SW4
      CTS Capabilities: SGT, SXP, CTSD, CTSA
      SGT: 100
      SXP Node: Enabled
      SXP Connection: 10.1.1.1:64999

Based on this output, what can be concluded?

A. The switch is using 802.1X for authentication.
B. The switch has an SXP connection to a peer at 10.1.1.1.
C. The switch's SGT is 10.
D. The switch is not capable of SGT assignment.
Answer: B

The output shows SXP Node enabled and an SXP connection to 10.1.1.1:64999.

Why this answer

The output shows the switch's CTS environment data, including its own SGT (100) and that SXP (SGT Exchange Protocol) is enabled with a connection to 10.1.1.1 on port 64999. This indicates the switch is participating in SXP to propagate SGT mappings.

7. MCQ (medium)

Examine the following configuration snippet:

    interface GigabitEthernet1/0/2
     switchport mode access
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10

Which statement about this configuration is true?

A. MAB will be attempted first, and if it fails, 802.1X will be used.
B. 802.1X will be attempted first; if the client does not respond, MAB will be used as a fallback.
C. The port will be placed in a guest VLAN if both 802.1X and MAB fail.
D. The switch will act as a supplicant for MAB and an authenticator for 802.1X.
Answer: B

The switch tries 802.1X first; if no EAPOL is received, it falls back to MAB.

Why this answer

This configuration enables both 802.1X and MAB (MAC Authentication Bypass) on the interface. MAB is used as a fallback if the connected device does not support 802.1X. The switch acts as an authenticator.

8. Matching (medium)

Drag and drop each EAP method on the left to its matching authentication type on the right.


Mutual certificate-based authentication

Server-side certificate with MSCHAPv2 inner method

Protected Access Credential (PAC) for secure tunneling

Simple username and password hash (no mutual authentication)

Generic Token Card for one-time password or certificate

Why these pairings

EAP-TLS uses certificates, PEAP uses server certificate with inner MSCHAPv2, EAP-FAST uses a PAC, and EAP-MD5 uses simple password hash.

9. Drag & Drop (medium)

Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.


Why this order

TrustSec inline tagging starts with the ingress switch classifying traffic and adding an SGT to the frame, then forwarding it across the fabric, the egress switch reading the SGT, matching it to an SGACL, and finally enforcing the permit/deny decision.

10. Matching (medium)

Drag and drop each ISE policy result on the left to its matching enforcement action on the right.


Downloadable ACL applied to the port after authentication

Assigns the endpoint to a specific VLAN ID

Tags the endpoint with a security group tag for TrustSec

Sets the maximum time before re-authentication is required

Forces HTTP traffic to a captive portal or compliance page

Why these pairings

DACL filters traffic, VLAN assignment places the endpoint, and SGT tagging applies a security group tag.

11. MCQ (medium)

A network engineer runs the following command on switch SW9:

    SW9# show cts role-based policy
    Role-based policy:
    Source Group  Dest Group  Action
    10            20          PERMIT
    10            30          DENY
    20            30          PERMIT

Based on this output, what can be concluded?

A. Traffic from SGT 10 to SGT 20 is denied.
B. Traffic from SGT 20 to SGT 30 is permitted.
C. Traffic from SGT 30 to SGT 10 is denied.
D. The policy is configured on an ISE server.
Answer: B

The action for source 20 to dest 30 is PERMIT.

Why this answer

The output shows the role-based policy table. It lists the source and destination SGTs and the action (PERMIT or DENY). This is the policy that the switch enforces for traffic between SGTs.

12. Drag & Drop (medium)

Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.


Why this order

IBNS 2.0 uses a policy map that first triggers 802.1X, then if that fails, concurrently tries MAB and web authentication, evaluates the first successful method, and finally applies the corresponding authorization result.

13. MCQ (medium)

A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?

A. The switch lacks 'aaa new-model' configuration.
B. The switch is not configured to send EAP-Request/Identity packets; the 'dot1x timeout tx-period' is too long or missing.
C. The switchport is configured as 'switchport mode trunk' instead of 'switchport mode access'.
D. The RADIUS server is not configured with the correct shared secret.
Answer: B

Correct because without proper EAP initiation, the supplicant may not respond, leading to authentication failure.

Why this answer

The scenario describes a common issue where 802.1X is configured but the switch is not sending EAP requests because it is waiting for a trigger. Without 'dot1x timeout tx-period', the switch sends EAP-Request/Identity only once every 30 seconds by default. The laptop's supplicant may not initiate the process if it doesn't receive a prompt.

Option B is correct because the switch must be configured to send EAP requests to start the authentication. Option A is incorrect because 'aaa new-model' is required for AAA but not the direct cause of the failure. Option C is incorrect because the switchport mode is not specified; 'switchport mode access' is typical but not the issue.

Option D is incorrect because the RADIUS server is reachable per the engineer's verification.

14. MCQ (hard)

A network engineer is implementing Cisco TrustSec (CTS) with Security Group Tags (SGTs) using SXP (SGT Exchange Protocol). The engineer configures the switch as an SXP speaker and the Cisco ISE as an SXP listener. The engineer verifies that SXP peers are established. However, when the engineer checks 'show cts role-based sgt map', the SGT mappings for users are not present. What is the most likely cause?

A. The SXP version mismatch between the switch and ISE.
B. The switch is not configured to assign SGTs to users via 802.1X or static mapping.
C. The ISE is configured as an SXP speaker instead of a listener.
D. The SXP connection is using the wrong TCP port.
Answer: B

Correct because SXP propagates existing SGTs; if the switch has no mappings, nothing is sent.

Why this answer

SXP propagates SGTs from a speaker to a listener. If the switch is the speaker, it must have SGT mappings from authentication. If the switch does not have the mappings, it cannot propagate them.

Option B is correct because the switch must first learn SGTs via 802.1X or manual configuration. Option A is incorrect because SXP does not require a specific version. Option C is incorrect because the listener is ISE, which is correct.

Option D is incorrect because the peers are established.

15. Multi-Select (medium)

Which two statements about 802.1X authentication process are true? (Choose two.)

A. The supplicant sends an EAPOL-Start frame to begin the authentication process.
B. The authenticator (switch) performs the actual authentication of the supplicant credentials.
C. The authentication server (RADIUS) sends an EAP-Success message after successful validation of credentials.
D. EAPOL frames are used only between the authentication server and the authenticator.
E. The authenticator places the port in the unauthorized state before authentication completes.
Answers: A, C

Correct because the supplicant (client) typically initiates 802.1X by sending an EAPOL-Start frame to the authenticator.

Why this answer

In 802.1X, the supplicant (client) initiates the session by sending an EAPOL-Start, or the authenticator (switch) can send an EAP-Request/Identity to prompt the client. The RADIUS server is the authentication server that validates credentials and sends an EAP-Success or EAP-Failure. The authenticator does not perform the actual authentication; it only relays EAP frames.

16. MCQ (medium)

A network engineer runs the following command on switch SW7:

    SW7# show authentication registrations
    Authentication Method Registrations:
    Method   Priority  Type
    dot1x    10        Interface
    mab      20        Interface
    webauth  30        Interface

Based on this output, what can be concluded?

A. The switch will try MAB before 802.1X.
B. The switch will try 802.1X first, then MAB, then web authentication.
C. Web authentication is the primary method.
D. Only 802.1X is registered.
Answer: B

The priority order is dot1x (10), mab (20), webauth (30).

Why this answer

The output shows the registered authentication methods and their priorities. dot1x has priority 10, mab has 20, and webauth has 30. This means dot1x is tried first, then mab, then webauth. This is the typical fallback order.

17. Matching (hard)

Drag and drop each TrustSec component on the left to its matching function on the right.


16-bit security group tag assigned to traffic

Access control list based on SGTs

Protocol to propagate SGTs across non-TrustSec devices

Layer 2 encryption for point-to-point links

Cisco TrustSec architecture framework

Why these pairings

SGT is the tag, SGACL is the policy, SXP propagates tags, MACsec encrypts the link.

18. MCQ (medium)

Consider the following configuration on a Cisco IOS-XE switch:

    interface GigabitEthernet1/0/1
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast

What is the effect of this configuration?

A. The port will immediately transition to forwarding state and then wait for authentication.
B. The switch will act as an 802.1X authenticator and the port will be unauthorized until a successful authentication.
C. The port will be placed in a VLAN assigned by the RADIUS server after authentication.
D. The switch will act as a supplicant and respond to EAP requests from an upstream authenticator.
Answer: B

The 'dot1x pae authenticator' sets the switch as authenticator, and 'authentication port-control auto' means the port is unauthorized until authentication succeeds.

Why this answer

This configuration enables 802.1X authentication on the interface with the authenticator role, sets the transmit period to 5 seconds, and enables PortFast to avoid STP delays. The 'authentication port-control auto' command puts the port in unauthorized state until authentication succeeds.

19. MCQ (easy)

What is the default quiet-period timer value in Cisco IOS 802.1X configuration?

A. 30 seconds
B. 60 seconds
C. 120 seconds
D. 10 seconds
Answer: B

The default quiet-period is 60 seconds.

Why this answer

The quiet-period timer defines the number of seconds the switch waits after a failed authentication attempt before re-initiating authentication. The default value is 60 seconds.

20. Matching (medium)

Drag and drop each EAP method on the left to its matching authentication type on the right.


Certificate-based mutual authentication

Tunneled authentication with MSCHAPv2

Protected Access Credential (PAC) based

Simple password hash (no server certificate)

Generic Token Card (one-time password)

Why these pairings

EAP-TLS uses certificates, PEAP uses tunneled MSCHAPv2, EAP-FAST uses PAC, EAP-MD5 uses simple password hash.

21. MCQ (hard)

A network engineer runs the following command on switch SW6:

    SW6# show cts role-based counters
    Role-based counters:
    Source Group  Dest Group  Packets Sent  Bytes Sent  Packets Denied  Bytes Denied
    10            20          1500          120000      0               0
    10            30          0             0           500             40000

Based on this output, what can be concluded?

A. Traffic from SGT 10 to SGT 20 is being denied.
B. Traffic from SGT 10 to SGT 30 is being permitted.
C. Traffic from SGT 10 to SGT 20 is being permitted, and traffic from SGT 10 to SGT 30 is being denied.
D. No traffic has been sent between any SGTs.
Answer: C

The counters confirm permit for 10->20 and deny for 10->30.

Why this answer

The output shows packet and byte counters for role-based policies. For source 10 to dest 20, 1500 packets were sent and none denied, indicating a permit policy. For source 10 to dest 30, 0 packets sent and 500 denied, indicating a deny policy.

This matches the permissions seen in a previous question.

22. Drag & Drop (medium)

Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.


Why this order

SXP propagates SGTs from a classification device to enforcement devices; first the SGT is assigned (e.g., via IP-to-SGT mapping), then SXP sends the binding to an SXP speaker, which forwards it to a listener, who adds it to the local SGT mapping table, enabling enforcement.

23. Drag & Drop (medium)

Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.


Why this order

ISE profiles endpoints by collecting attributes, then matches the profile to a policy, downloads a dACL to the switch, and the switch applies it to the port.

24. MCQ (medium)

A network engineer runs the following command on switch SW2:

    SW2# show cts role-based sgt-map
    Active IPv4-SGT Mapping Table:
    IP Address     SGT
    192.168.1.10   10
    192.168.1.20   20
    192.168.1.30   30
    Total number of entries: 3

Based on this output, what can be concluded?

A. The switch is using 802.1X to assign SGTs to endpoints.
B. The switch has a static mapping of IP addresses to SGTs.
C. The switch maintains a mapping table that associates IP addresses with SGTs for TrustSec policy enforcement.
D. The switch is using MAB to assign SGTs to endpoints.
Answer: C

This is exactly what the show cts role-based sgt-map command displays.

Why this answer

The command shows the mapping of IP addresses to Security Group Tags (SGTs) in a TrustSec environment. Each IP is associated with a specific SGT value, which is used for role-based access control.

25. MCQ (hard)

A network engineer is deploying 802.1X with Cisco ISE for a wired network. The engineer wants to use CoA (Change of Authorization) to dynamically change the VLAN of a user after authentication. The engineer configures the switch with 'aaa server radius dynamic-author' and the ISE with CoA settings. When the engineer tests CoA from ISE, the switch logs show 'CoA request received' but the VLAN does not change. What is the most likely cause?

A. The ISE is not configured with the correct shared secret for CoA.
B. The switch is missing the 'authentication command bounce-port' or 'authentication command disable-port' configuration.
C. The switch is not configured with 'dot1x pae authenticator' on the interface.
D. The switchport is configured as 'switchport mode trunk', which does not support VLAN changes via CoA.
Answer: B

Correct because these commands enable the switch to apply CoA actions like VLAN change.

Why this answer

CoA requires the switch to accept and process the request. The switch must have the 'authentication command bounce-port' or 'authentication command disable-port' configured to apply changes. Option B is correct because without this, the switch may acknowledge but not act.

Option A is incorrect because the switch received the request. Option C is incorrect because the RADIUS server is reachable. Option D is incorrect because the switchport mode does not prevent CoA.

26. MCQ (easy)

What is the default tx-period timer value in Cisco IOS 802.1X configuration?

A. 3 seconds
B. 10 seconds
C. 30 seconds
D. 60 seconds
Answer: C

The default tx-period is 30 seconds.

Why this answer

The tx-period timer defines the number of seconds the switch waits for a response to an EAP-Request/Identity packet before retransmitting. The default value is 30 seconds.

27. Multi-Select (medium)

Which two statements about 802.1X authentication with MAC Authentication Bypass (MAB) are true? (Choose two.)

A. MAB is used as a fallback authentication method for devices that do not support 802.1X.
B. MAB requires the supplicant to present a digital certificate for authentication.
C. In MAB, the switch sends the MAC address of the endpoint as the username and password to the RADIUS server.
D. MAB encrypts the MAC address using TLS before sending it to the RADIUS server.
E. MAB uses EAPoL to transport the MAC address between the switch and the endpoint.
Answers: A, C

Correct; MAB allows non-802.1X-capable devices to authenticate.

Why this answer

MAB is used as a fallback for devices that do not support 802.1X supplicant, and it uses the MAC address as the credential. Option A is correct because MAB is typically configured as a fallback method. Option C is correct because the MAC address is used as both username and password.

Option B is incorrect because MAB does not use certificates; that is for EAP-TLS. Option D is incorrect because MAB sends the MAC address in the clear, not encrypted. Option E is incorrect because MAB does not use EAPoL; it uses RADIUS with the MAC address.

28. MCQ (medium)

Consider this configuration for TrustSec on a Cisco switch:

    cts role-based enforcement
    interface GigabitEthernet1/0/5
     cts manual
      sap pmk AABBCCDDEEFF00112233445566778899 mode-list both
      propagate sgt

What is the purpose of the 'propagate sgt' command under the interface?

A. It allows the switch to receive SGT information from the connected device.
B. It enables the switch to insert SGT tags into packets forwarded out of this interface.
C. It enables the switch to enforce role-based access control on this interface.
D. It configures the interface to use SXP for SGT propagation.
Answer: B

The 'propagate sgt' command enables SGT insertion in packets leaving this interface.

Why this answer

The 'propagate sgt' command enables the switch to insert SGT information into packets received on this interface, allowing SGT propagation to downstream devices.

29. Drag & Drop (medium)

Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.


Why this order

MAB is used as a fallback when 802.1X fails; the switch detects the MAC, sends a RADIUS Access-Request, ISE checks the MAC database, returns an Access-Accept with a downloadable ACL, and the switch applies the ACL.

30. MCQ (medium)

Consider the following TrustSec configuration on a Cisco switch:

    cts role-based enforcement
    interface GigabitEthernet1/0/3
     cts manual
      sap pmk 0123456789ABCDEF mode-list both

What is the purpose of this configuration?

A. It enables 802.1X authentication with a pre-shared key.
B. It configures the interface to use SGT (Security Group Tag) propagation via SXP.
C. It enables CTS inline tagging with a pre-shared key for SGT exchange between peers.
D. It enables dynamic VLAN assignment based on user authentication.
Answer: C

The 'cts manual' with 'sap pmk' configures manual TrustSec with inline SGT tagging using a pre-shared key.

Why this answer

This enables CTS role-based enforcement globally and configures the interface for manual CTS with a pre-shared key (PMK) for SGT exchange. The 'mode-list both' allows both source and destination SGT enforcement.

31. MCQ (hard)

A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt map' and sees that the user's SGT is 0. What is the most likely cause?

A. The RADIUS server is not configured to send the SGT in the Access-Accept message.
B. The SGACL is applied to the wrong interface.
C. The switch is not configured with 'cts role-based enforcement'.
D. The user's SGT is 0, which is a valid SGT that denies all traffic.
Answer: A

Correct because the SGT must be assigned by the RADIUS server during authentication.

Why this answer

SGT 0 is the default untagged SGT. If the user's SGT is 0, it means the switch did not receive the SGT from the RADIUS server during 802.1X authentication. Option A is correct because the RADIUS server must send the SGT in the Access-Accept message.

Option B is incorrect because SGACLs are applied per SGT, not per interface. Option C is incorrect because the switch is configured for enforcement. Option D is incorrect because SGT 0 is not a valid SGT for enforcement; the switch treats it as untagged.

32. MCQ (medium)

Examine the following configuration:

    aaa new-model
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    interface GigabitEthernet1/0/4
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout quiet-period 30

What is the effect of the 'dot1x timeout quiet-period 30' command?

A. The switch will wait 30 seconds before sending a new EAPOL-Start after a failed authentication.
B. The switch will wait 30 seconds for a response from the supplicant before timing out.
C. The switch will wait 30 seconds before placing the port in the unauthorized state after a link up event.
D. The switch will wait 30 seconds for the RADIUS server to respond before failing authentication.
Answer: A

The quiet-period timer controls the delay after a failure before the authenticator retries.

Why this answer

The quiet-period timer defines the number of seconds the switch waits after a failed authentication attempt before re-initiating authentication. The default is 60 seconds; here it is set to 30 seconds.

33. Multi-Select (hard)

Which three statements about Cisco TrustSec (CTS) are true? (Choose three.)

A. Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on user or device identity.
B. SGTs are typically assigned to IP addresses using a centralized SGT mapping database.
C. 802.1X can be used as the authentication mechanism to dynamically assign an SGT to a supplicant.
D. Cisco TrustSec eliminates the need for all traditional ACLs in the network.
E. SGTs can be carried in the Ethernet frame header using Cisco's inline tagging method.
Answers: A, C, E

Correct because SGTs are 16-bit values that represent the security group of the source, enabling identity-based policy enforcement.

Why this answer

Cisco TrustSec uses SGTs for role-based access control, can use 802.1X for initial authentication, and supports dynamic SGT assignment via RADIUS. SGTs are not IP-based but are 16-bit tags. CTS does not replace all ACLs but augments them with SGT-based policies.

34. Matching (medium)

Drag and drop each authentication mode on the left to its matching behavior on the right.


Port allows traffic even before successful authentication

Port blocks all traffic until authentication succeeds

Port logs authentication results but does not enforce access

Only one device can authenticate per port

Allows one voice and one data device per port

Why these pairings

Open mode allows traffic before authentication, closed mode blocks all until authenticated, and monitor mode logs but does not block.

35. Multi-Select (medium)

Which two statements about 802.1X port states and access control are true? (Choose two.)

A. Before authentication, the switch port is in the unauthorized state and only allows EAPOL frames.
B. After successful 802.1X authentication, the port transitions to the authorized state and all traffic is permitted.
C. In multi-auth mode, the port becomes authorized for all devices once the first device authenticates successfully.
D. The port remains in the unauthorized state until the client sends data traffic.
E. 802.1X can be configured on a Layer 3 interface to authenticate users before routing.
Answers: A, B

Correct because the unauthorized state blocks all traffic except EAPOL, which is necessary for the authentication process.

Why this answer

In 802.1X, the switch port starts in the unauthorized state, allowing only EAPOL traffic. After successful authentication, the port transitions to the authorized state, allowing normal traffic. Multi-auth mode allows multiple devices on the same port, each authenticated individually.

The port does not become fully authorized before the client sends traffic.

36. Matching (medium)

Drag and drop each 802.1X component on the left to its matching role on the right.


Client device requesting network access

Network device that enforces port-based access control

RADIUS server that validates credentials and returns authorization attributes

Protocol used between supplicant and authenticator to carry EAP frames

Protocol used between authenticator and authentication server for AAA

Why these pairings

The supplicant requests access, the authenticator (switch/AP) enforces port control, and the authentication server (RADIUS) validates credentials.

37. Matching (medium)

Drag and drop each 802.1X component on the left to its matching role on the right.


Client device that initiates authentication

Network device that controls port access

Server that validates credentials and grants access

Protocol used between Supplicant and Authenticator

Protocol used between Authenticator and Authentication Server

Why these pairings

Supplicant requests access, Authenticator enforces port state, Authentication Server validates credentials.

38. Drag & Drop (medium)

Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.


Why this order

IBNS 2.0 uses a policy map to define concurrent methods; the switch first tries 802.1X, then MAB as fallback, and if both fail, applies a critical or default ACL; the order is defined in the policy map class.

39
MCQ · hard

A network engineer runs the following command on switch SW8:

SW8# show cts role-based sgt-map 192.168.1.10
IP Address: 192.168.1.10
SGT: 10
Source: SXP

Based on this output, what can be concluded?

A.The SGT mapping was configured manually.
B.The SGT mapping was learned via SXP from a peer.
C.The IP address 192.168.1.10 is not mapped to any SGT.
D.The SGT mapping is from local authentication.
AnswerB

The source field shows SXP.

Why this answer

The output shows the SGT for IP 192.168.1.10 is 10, and the source is SXP, meaning the mapping was learned via the SGT Exchange Protocol from an SXP peer. This is dynamic, not static.

40
Multi-Select · medium

Which three statements about Cisco TrustSec security group tags (SGTs) are true? (Choose three.)

Select 3 answers
A.Security group tags are 16-bit values used to identify groups of users or devices.
B.Security group tags are equivalent to VLAN IDs and are used for Layer 2 segmentation.
C.Security group tags are assigned to endpoints by the RADIUS server during 802.1X authentication.
D.Security group tags can be propagated between network devices using the SXP protocol.
E.Security group tags are used to encrypt traffic between endpoints in the same group.
AnswersA, C, D

Correct because SGTs are 16-bit identifiers that ISE assigns as an authorization result and that SXP can propagate.

Why this answer

SGTs are 16-bit values that classify traffic for policy enforcement; ISE assigns an SGT to a session as part of the authorization result, and the tag is propagated between devices by inline tagging or by SXP. Option A is correct because the SGT field is 16 bits. Option C is correct because, as the SGT-assignment question below also states, ISE returns the SGT in the RADIUS Access-Accept (as a cisco-av-pair of the form cts:security-group-tag) alongside any dACL or VLAN result. Option D is correct because SXP carries IP-to-SGT bindings to devices that cannot do inline tagging.

Option B is incorrect because SGTs are not VLAN IDs: a VLAN ID is 12 bits and defines a Layer 2 broadcast domain, whereas an SGT is an identity label that is independent of VLAN and subnet. Option E is incorrect because an SGT does not encrypt anything; it is a policy label that SGACLs match on. Link encryption, where it is used in TrustSec, comes from MACsec and is separate from the tag.

41
MCQ · hard

An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?

A.The switch is not configured for 802.1X on the interface.
B.The 'cts manual' command is incorrect; 'cts dot1x' should be used instead.
C.The SGTs are not being propagated to the switch; the switch lacks SGT mappings for the hosts.
D.The 'show cts role-based counters' command shows no drops, indicating the ACLs are not configured.
AnswerC

Correct because without SGTs, the switch cannot enforce role-based policies.

Why this answer

CTS role-based enforcement matches the source and destination SGTs of a packet against the SGACL matrix. If the switch has no SGT for the source or the destination (no inline tag arriving on the link and no IP-to-SGT binding learned from authentication, SXP, or a static map), the packet is classified with the unknown SGT (0), no cell matches, and the default role-based policy (permit) applies. That is exactly what the counters show: nothing was dropped because no policy cell was ever matched. Verify with 'show cts role-based sgt-map all' and 'show cts role-based permissions'.

Option A is incorrect because CTS does not depend on 802.1X on that link; 'cts manual' with SXP or static bindings is a valid design. Option B is incorrect because 'cts manual' is the correct way to bring up a trusted link when NDAC ('cts dot1x') is not used. Option D draws the wrong conclusion: zero drops means no packet matched a deny cell, which is consistent with missing classification, not with missing ACLs.

42
MCQ · medium

In Cisco TrustSec, which component is responsible for assigning a Security Group Tag (SGT) to a user or device based on authentication?

A.The RADIUS server (ISE) assigns the SGT during authentication.
B.The switch dynamically assigns the SGT based on the MAC address.
C.The endpoint device sends its SGT in the EAPOL-Start message.
D.The SGT is derived from the VLAN ID assigned to the port.
AnswerA

ISE authenticates the endpoint and returns the SGT in the RADIUS Access-Accept message.

Why this answer

The Identity Services Engine (ISE) acts as the policy decision point, authenticating users/devices and assigning SGTs based on policy. The switch enforces based on the SGT.

43
Drag & Drop · medium

Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.

Why this order

Inline tagging embeds SGT in the Ethernet frame header; the ingress switch classifies the endpoint, adds the SGT tag, forwards the frame across the fabric, and the egress switch enforces policy based on the tag.

44
Drag & Drop · medium

Drag and drop the steps of TrustSec SGT classification and enforcement into the correct order, from first to last.

Why this order

TrustSec first classifies traffic by assigning an SGT based on user/device identity, then the switch tags packets with the SGT. The packet is forwarded with the SGT intact, and the destination switch enforces policy by checking the SGT against an SGACL. Finally, the destination switch permits or denies traffic based on the SGACL.
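As an added example (not code from the original question set), the classification-then-enforcement sequence in Python: an IP-to-SGT table in the style of 'show cts role-based sgt-map' (the Source column distinguishing LOCAL, SXP and CLI bindings, as in question 39), a role-based permission matrix in the style of 'show cts role-based permissions', and an enforcement function that looks up the (source SGT, destination SGT) cell. All addresses, tags and policy cells are constructed for the example; the unknown-SGT path shows why, in question 41, a missing binding produces permitted traffic and no drop counters.

```python
# Added example: a small model of how a TrustSec enforcement point classifies
# a packet and applies an SGACL. Mappings, SGT numbers and policy cells are
# constructed; the "source" labels mirror what `show cts role-based sgt-map`
# reports (LOCAL, SXP, CLI).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UNKNOWN_SGT = 0  # a packet whose source or destination cannot be classified


@dataclass(frozen=True)
class Mapping:
    prefix: str   # host address or prefix, e.g. "192.168.1.10" or "10.30.0.0/16"
    sgt: int
    source: str   # how the binding was learned: LOCAL (802.1X/MAB), SXP, CLI


# Constructed IP-to-SGT table: one binding learned from an SXP peer (the
# sgt-map question above), one from a local authentication, one static.
SGT_MAP = [
    Mapping("192.168.1.10", 10, "SXP"),
    Mapping("192.168.1.20", 20, "LOCAL"),
    Mapping("10.30.0.0/16", 30, "CLI"),
]

# Constructed role-based permission matrix keyed by (source SGT, dest SGT).
# Each cell is an ordered list of (action, dst_port); None means any port.
# This simplifies the named SGACLs that ISE pushes into one list per cell.
SGACL = {
    (10, 20): [("permit", None)],
    (10, 30): [("permit", 443), ("deny", None)],
    (20, 30): [("deny", None)],
}
DEFAULT_ACTION = "permit"  # default role-based policy when no cell matches


def classify(ip):
    """Return (sgt, source) for an IP by longest-prefix match; unknown -> SGT 0."""
    addr = ip_address(ip)
    best, best_len = None, -1
    for m in SGT_MAP:
        net = ip_network(m.prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = m, net.prefixlen
    return (best.sgt, best.source) if best else (UNKNOWN_SGT, "UNKNOWN")


def enforce(src_ip, dst_ip, dst_port):
    """Egress enforcement: classify both ends, look up the SGACL cell,
    walk its entries in order and return the decision with its reasoning."""
    src_sgt, src_source = classify(src_ip)
    dst_sgt, _ = classify(dst_ip)
    # With an unknown tag there is no matching cell, so the default policy
    # applies and nothing is dropped: the "no drops" symptom in question 41.
    cell = SGACL.get((src_sgt, dst_sgt))
    action, matched = DEFAULT_ACTION, None
    if cell:
        for ace_action, port in cell:
            if port is None or port == dst_port:
                action, matched = ace_action, (ace_action, port)
                break
    return {"src_sgt": src_sgt, "src_source": src_source, "dst_sgt": dst_sgt,
            "action": action, "matched": matched, "enforced": cell is not None}


if __name__ == "__main__":
    for src, dst, port in [("192.168.1.10", "10.30.5.5", 443),
                           ("192.168.1.10", "10.30.5.5", 22),
                           ("172.16.0.1", "10.30.1.1", 80)]:
        print(src, "->", dst, port, enforce(src, dst, port))
```

The last case in the usage block is the troubleshooting scenario: 172.16.0.1 has no binding, so it is SGT 0, no cell exists, and the packet is permitted without ever touching the role-based counters.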

45
Matching · medium

Drag and drop each authentication mode on the left to its matching behavior on the right.

Matches

Allows traffic before authentication completes

Blocks all traffic until authentication succeeds

Permits traffic but logs authentication failures

Allows traffic when RADIUS server is unreachable

Supports one voice and one data device per port

Why these pairings

Open mode ('authentication open') allows traffic before authentication completes; closed mode (the default) blocks everything except EAPoL until authentication succeeds; monitor mode lets traffic through while logging authentication failures, so a deployment can be validated before enforcement is turned on; critical authentication (inaccessible authentication bypass, 'authentication event server dead action') allows traffic when the RADIUS server is unreachable; and multi-domain host mode supports exactly one voice and one data device per port.

46
MCQ · medium

A network engineer runs the following command on switch SW5:

SW5# show cts sxp connections
SXP Connections:
Peer IP     Source IP   Conn Status   Duration
10.1.1.1    10.1.1.2    Up            2d3h
10.1.1.3    10.1.1.2    Down          0d0h

Based on this output, what can be concluded?

A.Both SXP connections are operational.
B.The SXP connection to 10.1.1.1 has been up for 2 days and 3 hours.
C.The switch is using 802.1X for authentication.
D.The SXP connection to 10.1.1.3 is up.
AnswerB

The output shows Up and duration 2d3h for peer 10.1.1.1.

Why this answer

The output shows SXP connections. One connection to 10.1.1.1 is up for 2 days and 3 hours, while another to 10.1.1.3 is down. This indicates that SGT mapping exchange is active with 10.1.1.1 but not with 10.1.1.3.

47
MCQ · medium

A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?

A.The RADIUS server is not configured to accept MAC addresses in the format sent by the switch (e.g., with dots or colons).
B.The switch is not configured with 'dot1x timeout tx-period' to initiate MAB.
C.The interface is configured as 'switchport mode trunk', which does not support MAB.
D.The printer is not responding to EAP-Request/Identity packets.
AnswerA

Correct because MAB uses the MAC address as credentials; format mismatch causes failure.

Why this answer

MAB sends the endpoint's MAC address as both the RADIUS User-Name and User-Password (with Service-Type Call-Check), in whatever notation the switch is configured to use. If the RADIUS server stores or expects the address in a different notation, the lookup fails and the switch logs a MAB failure even though the printer is "in the database". Option A is correct: the format the switch sends ('mab request format attribute 1 groupsize ... separator ...') and the format stored on the server must agree, for example 'aaaa.bbbb.cccc' versus 'aa:bb:cc:dd:ee:ff'.

Option B is incorrect because the logs already show MAB being attempted; 'dot1x timeout tx-period' only changes how long the switch waits for a supplicant before falling back to MAB, not whether the MAB request succeeds. Option C is incorrect because the scenario shows the MAB request reaching the RADIUS server and being rejected, which a port-mode problem would not produce; 802.1X and MAB are configured on access ports, and the stem does not show a trunk. Option D is the expected behaviour for a printer without a supplicant; it is the reason MAB is used in the first place, not the cause of the MAB failure.
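An added example, not from the original question or from Cisco, that shows the format mismatch concretely: the switch sends the MAC as User-Name and User-Password in its configured notation, and a RADIUS-side lookup that compares raw strings fails while one that compares a canonical form succeeds. The groupsize and separator options mirror the shape of 'mab request format attribute 1 groupsize <n> separator <c>' (groupsize is taken here as hex digits per group); the endpoint table, the function names and the 'printer-floor2' entries are constructed for this example.

```python
# Added example: how a MAB username is formatted and why a notation mismatch
# on the RADIUS side makes MAB fail. Endpoint table and names are constructed.
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def canonical_mac(raw):
    """Strip separators and case so any common notation compares equal.
    Accepts aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabbccddeeff."""
    hexdigits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not _HEX12.fullmatch(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


def format_mac(raw, groupsize=4, separator=".", upper=False):
    """Render a MAC the way a switch sends it: groupsize hex digits per group
    (1, 2, 4 or 12; 12 means no separator), joined by the separator."""
    if groupsize not in (1, 2, 4, 12):
        raise ValueError("groupsize must be 1, 2, 4 or 12")
    h = canonical_mac(raw)
    out = separator.join(h[i:i + groupsize] for i in range(0, 12, groupsize))
    return out.upper() if upper else out


def mab_access_request(mac, groupsize=4, separator="."):
    """The identity attributes a switch puts in a MAB RADIUS Access-Request:
    the MAC is both User-Name and User-Password, Service-Type is Call-Check."""
    name = format_mac(mac, groupsize, separator)
    return {"User-Name": name, "User-Password": name, "Service-Type": "Call-Check"}


# Constructed endpoint table, keyed by the raw strings an administrator
# typed into the RADIUS server (two different notations, as happens in practice).
ENDPOINT_DB_RAW = {
    "00:11:22:33:44:55": "printer-floor2",
    "AA-BB-CC-DD-EE-FF": "badge-reader",
}


def naive_lookup(user_name, db=ENDPOINT_DB_RAW):
    """Exact-string match: any notation difference yields 'MAB failed'."""
    return db.get(user_name)


def robust_lookup(user_name, db=ENDPOINT_DB_RAW):
    """Compare on the canonical form so notation cannot break MAB."""
    try:
        wanted = canonical_mac(user_name)
    except ValueError:
        return None
    for stored, endpoint in db.items():
        if canonical_mac(stored) == wanted:
            return endpoint
    return None


if __name__ == "__main__":
    req = mab_access_request("0011.2233.4455")          # Cisco default notation
    print("switch sends:", req)
    print("naive lookup :", naive_lookup(req["User-Name"]))   # None -> MAB failed
    print("robust lookup:", robust_lookup(req["User-Name"]))  # printer-floor2
```

Either side of the mismatch can be fixed: re-enter the endpoints on the server in the switch's notation, change the switch's 'mab request format' to match the server, or (the durable fix) normalise on the server as robust_lookup does.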

48
Multi-Select · hard

Which three statements about Cisco TrustSec SGT propagation and enforcement are true? (Choose three.)

Select 3 answers
A.SGTs can be propagated between network devices using the SXP protocol over a TCP connection.
B.Inline tagging carries the SGT in a Cisco Meta Data (CMD) header inserted into the Ethernet frame after the source MAC address.
C.The enforcement device uses the SGT to make forwarding decisions based on the destination IP address.
D.When a packet traverses a TrustSec domain, the SGT can be rewritten by intermediate devices.
E.SGTs allow the enforcement of security policies based on the identity of the source, regardless of IP address.
AnswersA, B, E

Correct because SXP (SGT Exchange Protocol) uses TCP (port 64999) to exchange SGT-to-IP mappings between devices that do not support inline tagging.

Why this answer

SGTs are propagated either by inline tagging, where the switch inserts a Cisco Meta Data (CMD) header carrying the 16-bit SGT into the Ethernet frame (after the source MAC and any 802.1Q tag, not between the two MAC addresses), or by SXP, a TCP-based control protocol (port 64999) that sends IP-to-SGT bindings from a speaker to a listener so that devices without inline-tagging hardware still learn the classification.

Option C is incorrect because the SGT is a policy input, not a forwarding key: the packet is still forwarded on its destination address, and the SGT only decides whether the SGACL permits it. Option D is incorrect because within the TrustSec domain the tag is propagated unchanged across trusted links; devices do not rewrite it in transit. Option E is correct because the policy follows the identity-derived tag rather than the IP address, which is the point of TrustSec.

49
Drag & Drop · medium

Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.

Why this order

SGT propagation via SXP starts with ISE assigning an SGT to an endpoint, the access switch mapping IP-to-SGT, then the SXP speaker sending that mapping to an SXP listener, which updates its local SGT cache, and finally the listener uses the SGT for policy enforcement.

50
Drag & Drop · medium

Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.

Why this order

ISE profiling identifies the device type from probe data (DHCP, HTTP, RADIUS, SNMP and similar), matches it to a profile, and returns an authorization result that names a dACL in the Access-Accept; the switch then downloads the dACL contents from ISE, applies it to the authenticated session on the port, and finally enforces it on traffic from that endpoint.

51
MCQ · medium

A network engineer is configuring 802.1X on a Cisco switch for a voice VLAN deployment. The switchport is connected to an IP phone, which then connects to a PC. The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'switchport voice vlan 10'. The PC authenticates successfully, but the IP phone does not get an IP address from the voice VLAN. The engineer verifies that the phone is configured for 802.1X and the RADIUS server is correct. What is the most likely cause?

A.The IP phone does not support 802.1X and is not configured for MAB.
B.The switchport is missing 'switchport mode access' command.
C.The RADIUS server is not sending the voice VLAN ID in the Access-Accept.
D.The PC is using the voice VLAN instead of the data VLAN.
AnswerC

The phone must receive a voice authorization from the RADIUS server to be placed in the voice domain; without it the phone is not put on the voice VLAN.

Why this answer

With an IP phone and a PC behind it the switch runs two sessions on the port, one per device, so the port must be in multi-domain host mode ('authentication host-mode multi-domain'). The phone is placed in the voice domain, and therefore on the voice VLAN configured with 'switchport voice vlan 10', only when its own authentication succeeds and the RADIUS server returns the voice authorization for that session (on Cisco switches the cisco-av-pair device-traffic-class=voice rather than the VLAN number itself). The stem says the phone is configured for 802.1X and the RADIUS server is reachable, so the missing piece is the voice authorization in the Access-Accept: option C is the most likely cause. Check it with 'show authentication sessions interface ... details', where the phone's session should show Domain: VOICE.

Option A is incorrect because the stem states the phone is configured for 802.1X, so lack of MAB is not the issue. Option B is incorrect because the voice VLAN is already configured on the port and the PC authenticates normally, which a port-mode error would prevent. Option D is incorrect because the PC's session is in the data domain and does not affect the phone's VLAN.

52
MCQ · medium

A network engineer runs the following command on switch SW1:

SW1# show authentication sessions interface GigabitEthernet1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: 0011.2233.4455
IP Address: 192.168.1.100
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x0000000A
Handle: 0x00000001
Current Method List: mab
Method: MAB
State: Authz Success

Based on this output, what can be concluded?

A.The client authenticated using 802.1X with a username and password.
B.The client was authenticated based on its MAC address via MAB.
C.The port is in multi-domain mode, allowing one data and one voice device.
D.The session is for voice traffic because the domain is DATA.
AnswerB

The method is MAB and state is Authz Success, meaning MAC authentication succeeded.

Why this answer

The output shows the session status as 'Authz Success' and the method used is MAB (MAC Authentication Bypass). The host mode is multi-auth, meaning multiple devices can authenticate on the same port. The domain is DATA, indicating the session is for data traffic, not voice.

53
Matching · hard

Drag and drop each ISE policy result on the left to its matching enforcement action on the right.

Matches

Downloadable ACL applied to the port

Assigns the endpoint to a specific VLAN

Assigns a security group tag to the session

Redirects HTTP traffic to a captive portal

Sets maximum duration for the authenticated session

Why these pairings

A downloadable ACL (dACL) filters the session's traffic on the port, the VLAN result moves the endpoint into a network segment, the SGT labels the session's traffic for TrustSec enforcement, the URL-redirect result sends HTTP to a captive portal for web authentication, and Session-Timeout bounds how long the authorized session lasts before re-authentication.

54
Drag & Drop · medium

Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.

Why this order

MAB is a fallback method when 802.1X fails: the switch detects the host MAC, sends a RADIUS Access-Request with the MAC as username/password, ISE checks the MAC against its database, and then either grants access (placing the port in the authorized VLAN) or denies it.

55
MCQ · medium

A network engineer is configuring 802.1X on a Cisco switch for a guest network. The engineer wants to allow guests to access the internet after authentication but restrict access to internal resources. The engineer configures the switch with 'authentication port-control auto' and a downloadable ACL (dACL) from the RADIUS server. After a guest authenticates, the engineer tests connectivity and finds that the guest can access internal servers. What is the most likely cause?

A.The switchport is configured as 'switchport mode trunk', which does not support dACLs.
B.The guest is not being authenticated; the switch is using MAB instead.
C.The switch is not configured with 'ip access-group' to apply the dACL.
D.The RADIUS server is not sending the dACL attributes in the Access-Accept message.
AnswerD

Correct because without dACL attributes, the switch applies no filter.

Why this answer

A dACL is pushed per session: ISE names it in the Access-Accept and the switch downloads its entries and applies them to that authenticated session. If the authorization profile does not include the dACL, or the Access-Accept never carries it, no per-session filter exists and the guest gets whatever the port allows, including internal servers. Option D is correct; confirm it in the ISE live log (the authorization result) and with 'show authentication sessions interface ... details' on the switch, which lists the ACL applied to the session.

Option A is incorrect because 802.1X is configured on access ports here and the stem shows the guest authenticating normally. Option B is incorrect because the stem says the guest authenticated; whether the method was 802.1X or MAB does not change how a dACL is applied. Option C is incorrect because a dACL is bound to the authentication session itself and does not need 'ip access-group' on the interface (it does need IP device tracking so the switch knows the session's IP address).

56
MCQ · medium

Examine the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet1/0/6
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-req 3
 dot1x timeout supp-timeout 10

What is the total time the switch will wait for a supplicant to respond before failing authentication?

A.30 seconds
B.9 seconds
C.10 seconds
D.13 seconds
AnswerB

The switch sends the EAP-Request/Identity and retries it twice (the max-reauth-req default) at 3-second intervals, so it stops waiting after 3 x 3 = 9 seconds.

Why this answer

The identity phase is governed by two settings: 'dot1x timeout tx-period' (the interval between EAP-Request/Identity frames, here 3 seconds) and 'dot1x max-reauth-req' (how many times the identity request is retried, default 2 and not changed in this configuration). The port gives up on 802.1X after tx-period x (max-reauth-req + 1) = 3 x (2 + 1) = 9 seconds, which is also the moment MAB would start if 'mab' were configured on the port. 'dot1x max-req' and 'dot1x timeout supp-timeout' apply only to EAP requests sent after the supplicant has answered the identity request, so neither contributes to this calculation.

57
Multi-Select · hard

Which three statements about 802.1X port-based authentication are true? (Choose three.)

Select 3 answers
A.The supplicant communicates with the authenticator using EAP over LAN (EAPoL) frames.
B.The authenticator is typically a network switch or wireless access point.
C.The supplicant is the device that provides authentication services, such as a RADIUS server.
D.The authentication server is usually a RADIUS server that validates credentials.
E.802.1X is only supported on wireless networks and cannot be used on wired switches.
AnswersA, B, D

Correct; EAPoL is the encapsulation used for 802.1X on wired LANs.

Why this answer

802.1X uses EAP over LAN (EAPoL) for communication between supplicant and authenticator, the authenticator is typically a switch, and the authentication server is usually a RADIUS server. Option A is correct because EAPoL is the protocol used. Option B is correct because the switch acts as the authenticator.

Option D is correct because the authentication server is typically RADIUS. Option C is incorrect because the supplicant is the client, not the switch. Option E is incorrect because 802.1X can be used with both wired and wireless networks.

58
Drag & Drop · medium

Drag and drop the steps of 802.1X port authentication with MAB fallback into the correct order, from first to last.

Why this order

The switch first attempts 802.1X by sending an EAP-Request/Identity. If no response is received, it initiates MAB by sending a RADIUS Access-Request with the MAC address. The RADIUS server checks the MAC against its database and responds with Access-Accept or Access-Reject.

The switch then opens or blocks the port accordingly.
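An added example (not code from the original questions or from Cisco IOS) that models the timing in question 56 and the order in question 58 together: it reads the dot1x timers out of interface configuration lines, computes how long the switch waits for an EAP-Response/Identity, and replays the port events for a host with and without a supplicant. The IOS defaults assumed (tx-period 30, max-reauth-req 2, max-req 2, supp-timeout 30) and the event labels are this example's own; the 'mab' line in the sample configuration is added so the fallback has somewhere to go.

```python
# Added example: event-level model of 802.1X identity timeout and MAB fallback
# on a switch port. Timer names follow the interface commands; defaults are
# the IOS defaults as assumed for this example.
from dataclasses import dataclass


@dataclass
class Dot1xTimers:
    tx_period: int = 30       # dot1x timeout tx-period: gap between identity requests
    max_reauth_req: int = 2   # dot1x max-reauth-req: retries of the identity request
    max_req: int = 2          # dot1x max-req: retries of later EAP requests
    supp_timeout: int = 30    # dot1x timeout supp-timeout: wait for those later replies


def parse_interface_config(lines):
    """Pick the dot1x timers out of interface sub-commands; other lines are ignored."""
    t = Dot1xTimers()
    for line in lines:
        w = line.split()
        if w[:3] == ["dot1x", "timeout", "tx-period"]:
            t.tx_period = int(w[3])
        elif w[:2] == ["dot1x", "max-reauth-req"]:
            t.max_reauth_req = int(w[2])
        elif w[:2] == ["dot1x", "max-req"]:
            t.max_req = int(w[2])
        elif w[:3] == ["dot1x", "timeout", "supp-timeout"]:
            t.supp_timeout = int(w[3])
    return t


def dot1x_identity_timeout(t):
    """Seconds until the port stops waiting for an EAP-Response/Identity:
    the first request plus max-reauth-req retries, one tx-period apart."""
    return t.tx_period * (t.max_reauth_req + 1)


def port_session(t, supplicant_present, mac_known):
    """Ordered (time_s, event) list for one port session.

    A host with a supplicant answers the first identity request, so 802.1X
    continues and MAB never runs. A host without one never answers; once the
    identity timer expires the switch falls back to MAB, sends the MAC as
    RADIUS User-Name/User-Password, and the RADIUS reply decides the port state.
    """
    events, now = [], 0
    for _ in range(t.max_reauth_req + 1):
        events.append((now, "EAP-Request/Identity"))
        if supplicant_present:
            events.append((now, "EAP-Response/Identity"))
            events.append((now, "RADIUS Access-Request (EAP)"))
            return events
        now += t.tx_period
    events.append((now, "802.1X timeout, MAB fallback"))
    events.append((now, "RADIUS Access-Request (MAB, Service-Type=Call-Check)"))
    events.append((now, "RADIUS Access-Accept" if mac_known else "RADIUS Access-Reject"))
    events.append((now, "port authorized" if mac_known else "port stays unauthorized"))
    return events


# Constructed interface configuration: the timers from question 56 plus 'mab';
# max-reauth-req is left at its default.
SAMPLE_CONFIG = [
    "interface GigabitEthernet1/0/6",
    " switchport mode access",
    " authentication port-control auto",
    " dot1x pae authenticator",
    " mab",
    " dot1x timeout tx-period 3",
    " dot1x max-req 3",
    " dot1x timeout supp-timeout 10",
]

if __name__ == "__main__":
    cfg = parse_interface_config(SAMPLE_CONFIG)
    print("identity timeout:", dot1x_identity_timeout(cfg), "s")
    for ts, ev in port_session(cfg, supplicant_present=False, mac_known=True):
        print(f"t={ts:>3}s  {ev}")
```

With the defaults a printer waits 90 seconds before MAB even starts, which is why tx-period is usually lowered on ports that host such devices; with an IBNS 2.0 concurrent policy (question 38) MAB would instead be launched at t=0 alongside 802.1X.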
