350-401 · topic practice

AAA, RADIUS, and TACACS+ practice questions

Practise ENCOR 350-401 AAA, RADIUS, and TACACS+ practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: AAA, RADIUS, and TACACS+

What the exam tests

What to know about AAA, RADIUS, and TACACS+

AAA, RADIUS, and TACACS+ questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common AAA, RADIUS, and TACACS+ exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

AAA, RADIUS, and TACACS+ questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Study the full AAA explanation →

A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?

Question 2hardmultiple choice
Read the full wireless explanation →

An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?

Question 3mediummultiple choice
Open the full VLAN trunking answer →

A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?

Question 4hardmultiple choice
Read the full wireless explanation →

A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?

Question 5hardmultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?

Question 6mediummultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?

Question 7hardmultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco router to use TACACS+ for command authorization. The engineer configures 'aaa authorization commands 15 default group tacacs+ local'. When a user with privilege level 15 tries to execute the 'reload' command, the router sends an authorization request to the TACACS+ server. The server responds with an 'Access-Accept' but the command is still denied. The engineer checks the router's configuration and sees that 'aaa accounting commands 15 default start-stop group tacacs+' is also configured. What could be the issue?

Question 8mediummultiple choice
Open the full VLAN trunking answer →

An organization uses a Cisco ISE as the RADIUS server for both wired and wireless authentication. The network engineer configures a Cisco switch with 'aaa authentication dot1x default group radius' and 'aaa authorization network default group radius'. When a user connects via 802.1X, authentication succeeds, but the user is placed in the wrong VLAN. The RADIUS server sends a 'Tunnel-Private-Group-ID' attribute with the correct VLAN name. The switch has the VLAN defined. What is the most likely cause?

Question 9easymultiple choice
Study the full AAA explanation →

A network engineer is configuring a Cisco router for AAA using a RADIUS server. The engineer wants to ensure that if the RADIUS server is unreachable, the router falls back to local authentication for console access. The engineer configures 'aaa authentication login default group radius local' and 'aaa authentication login CONSOLE local'. The console line is configured with 'login authentication CONSOLE'. However, when the RADIUS server is down, the engineer cannot log in via the console. What is the problem?

Question 10mediummultiple choice
Study the full AAA explanation →

A network engineer runs the following command on Router R1:

R1# show aaa sessions

Total sessions since last reload: 5 Session Id: 1 Unique Id: 1 User Name: admin

IP Address: 10.1.1.100

Idle Time: 0 Timeout: 0 Type: Login Method: RADIUS Session Id: 2 Unique Id: 2 User Name: jdoe

IP Address: 10.1.1.101

Idle Time: 120 Timeout: 0 Type: Login Method: LOCAL

Based on this output, what can be concluded?

Question 11mediummultiple choice
Study the full AAA explanation →

A network administrator issues the following command on a Cisco switch:

Switch# show aaa servers

RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813 State: current UP, duration 3600s, previous duration 0s Dead: total 0, retransmit 0 RADIUS: id 2, priority 2, host 192.168.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 100s, previous duration 300s Dead: total 3, retransmit 2

Based on this output, what can be concluded?

Question 12hardmultiple choice
Study the full AAA explanation →

A network engineer runs the following debug on a router:

R1# debug aaa authentication

*Mar  1 00:01:23.456: AAA/BIND(00000001): Bind iplist
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default'
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Method=RADIUS
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): RADIUS server 10.1.1.10:1812, timeout 5, retransmit 2
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Sent username 'admin', password ****
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Received PASS response
*Mar  1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pass

Based on this output, what can be concluded?

Question 13mediummultiple choice
Study the full AAA explanation →

A network administrator checks the AAA configuration on a router:

R1# show running-config | include aaa

aaa new-model
aaa authentication login default group radius local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group radius

Based on this output, what can be concluded?

Question 14hardmultiple choice
Study the full AAA explanation →

A network engineer issues the following command on a router:

R1# show tacacs

TACACS+ Server: 10.1.1.10/49 Socket opens: 5 Socket closes: 3 Socket aborts: 0 Total packets sent: 10 Total packets received: 9 Retransmissions: 1 Timeouts: 1 Current idle time: 30 seconds

Based on this output, what can be concluded?

Question 15mediummultiple choice
Study the full AAA explanation →

A network administrator runs the following command on a switch:

Switch# show aaa method-list

Method List Name: default Type: authentication Group: radius Group: local Method List Name: console Type: authentication Group: local Method List Name: default Type: authorization Group: tacacs+ Group: local

Based on this output, what can be concluded?

Question 16hardmultiple choice
Study the full AAA explanation →

A network engineer checks the AAA server status:

R1# show aaa servers

RADIUS: id 1, priority 1, host 10.1.1.10, auth-port 1812, acct-port 1813 State: current DEAD, duration 0s, previous duration 500s Dead: total 1, retransmit 3 RADIUS: id 2, priority 2, host 10.1.1.20, auth-port 1812, acct-port 1813 State: current UP, duration 200s, previous duration 0s Dead: total 0, retransmit 0

Based on this output, what can be concluded?

Question 17hardmultiple choice
Study the full AAA explanation →

A network administrator runs the following debug on a router:

R1# debug aaa authorization

*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Processing author request for user 'jdoe'
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Method=TACACS+
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): TACACS+ server 10.1.1.10:49, timeout 5
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Sent author request
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Received PASS response
*Mar  1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Pass

Based on this output, what can be concluded?

Question 18mediummultiple choice
Study the full AAA explanation →

A network engineer checks AAA accounting on a router:

R1# show aaa accounting

Accounting method list 'default': Type: exec Start-stop: group radius Accounting records: Total started: 10 Total stopped: 8 Total failed: 2 Last record: user 'admin', start time 00:01:00 UTC Mar 1 2023

Based on this output, what can be concluded?

Question 19mediummultiple choice
Study the full AAA explanation →

Examine the following AAA configuration snippet:

aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
line con 0

login authentication CONSOLE

line vty 0 4

login authentication default

What is the effect of this configuration?

Question 20mediummultiple choice
Study the full AAA explanation →

Given the following configuration:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius

radius-server host 192.168.1.100 key Cisco123 radius-server host 192.168.1.101 key Cisco123

Which statement is true about this configuration?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused AAA, RADIUS, and TACACS+ sessions

Start a AAA, RADIUS, and TACACS+ only practice session

Every question in these sessions is drawn from the AAA, RADIUS, and TACACS+ domain — nothing else.

Related practice questions

Related 350-401 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 350-401 exam test about AAA, RADIUS, and TACACS+?
AAA, RADIUS, and TACACS+ questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just AAA, RADIUS, and TACACS+ questions in a focused session?
Yes — the session launcher on this page draws every question from the AAA, RADIUS, and TACACS+ domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.