350-401 · topic practice

802.1X and TrustSec practice questions

Practise ENCOR 350-401 802.1X and TrustSec questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: 802.1X and TrustSec

What the exam tests

What to know about 802.1X and TrustSec

802.1X and TrustSec questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common 802.1X and TrustSec exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

802.1X and TrustSec questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?

Question 2 · hard · multiple choice

An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?

Question 3 · medium · multiple choice

A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?

Question 4 · hard · multiple choice

A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt map' and sees that the user's SGT is 0. What is the most likely cause?

Question 5 · medium · multiple choice

An organization is implementing 802.1X for wireless users using Cisco ISE as the RADIUS server. The network engineer configures the wireless LAN controller (WLC) with 802.1X authentication. Users report that they can connect to the SSID but cannot access any network resources. The engineer checks the WLC and sees that users are authenticated and assigned to VLAN 100. The engineer also checks the switchport connecting the WLC and sees it is a trunk. What is the most likely issue?

Question 6 · medium · multiple choice

A network engineer is configuring 802.1X on a Cisco switch for a voice VLAN deployment. The switchport is connected to an IP phone, which then connects to a PC. The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'switchport voice vlan 10'. The PC authenticates successfully, but the IP phone does not get an IP address from the voice VLAN. The engineer verifies that the phone is configured for 802.1X and the RADIUS server is correct. What is the most likely cause?

A network engineer is implementing Cisco TrustSec (CTS) with Security Group Tags (SGTs) using SXP (SGT Exchange Protocol). The engineer configures the switch as an SXP speaker and the Cisco ISE as an SXP listener. The engineer verifies that SXP peers are established. However, when the engineer checks 'show cts role-based sgt map', the SGT mappings for users are not present. What is the most likely cause?

Question 8 · medium · multiple choice

A network engineer is configuring 802.1X on a Cisco switch for a guest network. The engineer wants to allow guests to access the internet after authentication but restrict access to internal resources. The engineer configures the switch with 'authentication port-control auto' and a downloadable ACL (dACL) from the RADIUS server. After a guest authenticates, the engineer tests connectivity and finds that the guest can access internal servers. What is the most likely cause?

Question 9 · hard · multiple choice

A network engineer is deploying 802.1X with Cisco ISE for a wired network. The engineer wants to use CoA (Change of Authorization) to dynamically change the VLAN of a user after authentication. The engineer configures the switch with 'aaa server radius dynamic-author' and the ISE with CoA settings. When the engineer tests CoA from ISE, the switch logs show 'CoA request received' but the VLAN does not change. What is the most likely cause?

A network engineer runs the following command on switch SW1:

SW1# show authentication sessions interface GigabitEthernet1/0/1

Interface: GigabitEthernet1/0/1
MAC Address: 0011.2233.4455
IP Address: 192.168.1.100
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x0000000A
Handle: 0x00000001

Current Method List: mab
Method: MAB
State: Authz Success

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW2:

SW2# show cts role-based sgt-map

Active IPv4-SGT Mapping Table:

IP Address       SGT
192.168.1.10     10
192.168.1.20     20
192.168.1.30     30

Total number of entries: 3

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW3:

SW3# show cts role-based permissions

IPv4 Role-based permissions:

Source Group    Dest Group    Action
10              20            PERMIT
10              30            DENY
20              30            PERMIT

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW4:

SW4# show cts environment-data

CTS Environment Data:

Device ID: SW4.cisco.com
Device Name: SW4
CTS Capabilities: SGT, SXP, CTSD, CTSA
SGT: 100
SXP Node: Enabled
SXP Connection: 10.1.1.1:64999

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW5:

SW5# show cts sxp connections

SXP Connections:

Peer IP         Source IP       Conn Status     Duration
10.1.1.1        10.1.1.2        Up              2d3h
10.1.1.3        10.1.1.2        Down            0d0h

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW6:

SW6# show cts role-based counters

Role-based counters:

Source Group  Dest Group  Packets Sent  Bytes Sent  Packets Denied  Bytes Denied
10            20          1500          120000      0               0
10            30          0             0           500             40000

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW7:

SW7# show authentication registrations

Authentication Method Registrations:

Method     Priority   Type
dot1x      10         Interface
mab        20         Interface
webauth    30         Interface

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW8:

SW8# show cts role-based sgt-map 192.168.1.10

IP Address: 192.168.1.10
SGT: 10
Source: SXP

Based on this output, what can be concluded?

A network engineer runs the following command on switch SW9:

SW9# show cts role-based policy

Role-based policy:

Source Group    Dest Group    Action
10              20            PERMIT
10              30            DENY
20              30            PERMIT

Based on this output, what can be concluded?

Consider the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast

What is the effect of this configuration?

Examine the following configuration snippet:

interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

Which statement about this configuration is true?


Frequently asked questions

What does the 350-401 exam test about 802.1X and TrustSec?
802.1X and TrustSec questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just 802.1X and TrustSec questions in a focused session?
Yes — the session launcher on this page draws every question from the 802.1X and TrustSec domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.