
AAA Questions

November 16th, 2018 in SWITCH 300-115

Question 1


AAA security provides the following services:
+ Authentication – Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization – Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
+ Accounting – Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

In conclusion, authorization specifies which resources the users are allowed to access.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html

Question 2


In the “aaa authentication login login radius local” command, the first “login” is a keyword that authenticates users who want exec access into the access server (tty, vty, console and aux). The second “login” is a list name. The “radius local” part indicates that RADIUS authentication should be used first; if the RADIUS server does not reply, the local database is used to authenticate.

Question 3

Question 4


Method lists are specific to the authorization type requested:
+ Auth-proxy – Applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, refer to the chapter “Configuring Authentication Proxy” in the “Traffic Filtering and Firewalls” part of this book.
+ Commands – Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC – Applies to the attributes associated with a user EXEC terminal session.
+ Network – Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access – Applies to reverse Telnet sessions.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named “default”). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.

Question 5


For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html)

Question 6


The console port is authenticated with the NO_AUTH list. But this list does not contain any authentication method (it uses “none”), so no authentication is required when connecting to the console port.

Question 7


The VTY line can be accessed via Telnet and SSH by default. It is authenticated by the “default” list, which is defined with the “aaa authentication login default group radius local line” command. Therefore users who access via Telnet or SSH are authenticated via RADIUS first, then the local database and finally the line VTY password.

Note: The “group” keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service. Therefore we can understand “group radius” here means “some pre-defined radius servers”.

Question 8


You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.

When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
+ Single host mode—Port security learns the MAC address of the authenticated host.
+ Multiple host mode—Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.

If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.

The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.

If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.

Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.html#wp1258157

Question 9

Question 10


The client/server packet exchange consists primarily of the following types of RADIUS messages:
+ Access-Request – sent by the client (NAS) requesting access
+ Access-Reject – sent by the RADIUS server rejecting access
+ Access-Accept – sent by the RADIUS server allowing access
+ Access-Challenge – sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another Access-Request.

When you use RADIUS accounting, the client and server can also exchange the following two types of messages:
+ Accounting-Request—sent by the client (NAS) requesting accounting
+ Accounting-Response—sent by the RADIUS server acknowledging accounting

Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/access_registrar/1-7/concepts/guide/radius.html
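The exchange described above, as an added Python model that is not code from the page or from Cisco: a NAS builds an Access-Request with a hidden User-Password, the server answers Access-Accept or Access-Reject, and the NAS checks the Response Authenticator before trusting the answer. The shared secret, user name and password are constructed values; only RFC 2865 framing and the two MD5 constructions are used.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                    # attribute types used here

def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts its own 2 header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(raw: bytes) -> dict[int, bytes]:
    """Decode the attribute area into {type: value}; rejects a truncated TLV."""
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute")
        attrs[raw[i]] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return attrs

def xor_password(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """User-Password hiding (RFC 2865 5.2): every 16-byte block is XORed with MD5(secret + previous
    hidden block), the first with the Request Authenticator. The chain runs over ciphertext on both sides."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out, prev = out + result, (result if hiding else block)
    return out

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: bytes = b"") -> tuple[bytes, bytes]:
    """NAS side: 16 random bytes of Request Authenticator plus a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, xor_password(password, secret, request_auth, True))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def server_decide(request: bytes, secret: bytes, users: dict[bytes, bytes]) -> bytes:
    """Server side: recover the password and answer Access-Accept or Access-Reject."""
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    recovered = xor_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth, False).rstrip(b"\x00")
    ok = request[0] == ACCESS_REQUEST and users.get(attrs.get(ATTR_USER_NAME)) == recovered
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], request_auth, b"", secret)

def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust an Access-Accept only if its Response Authenticator matches."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

Because the Response Authenticator covers the Request Authenticator, a reply can only be validated against the request it answers, and a reply built with the wrong secret or with a tampered byte fails the check.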

Question 11

Question 12


“aaa authentication login” specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define:

aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method 2…3…4]

Two of the methods are:
+ “local-case” which uses case-sensitive local username authentication
+ “if-authenticated” which allows the user to access the requested function if the user is authenticated. 

Note: The purpose of the “if-authenticated” method here is that when the router cannot communicate with the TACACS+ server, the router authenticates the user locally and then considers the user authorized (because the user was previously authenticated), so the user login is successful.

Let’s find out the meaning of the command “aaa authentication login default group tacacs+ local-case if-authenticated”. It means that to authenticate logins to this router, use the default group, which is tacacs+. If tacacs+ fails, then use the local user account configured on the router (make sure you have a local user configured on your router).

Notice the “if-authenticated” keyword at the end of this line. This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.
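As an added example (not code from the page or from Cisco), the following Python model of how IOS walks a login method list covers Question 2, Question 7 and the syntax in this question: a method that cannot be consulted is skipped, an explicit reject ends the attempt, and if-authenticated is refused at parse time because it is an authorization method, not a login authentication method. The server groups, local users and line password are constructed inputs; the skip-only-on-error rule follows Cisco's documented method-list semantics.

```python
# Methods accepted on "aaa authentication login". "if-authenticated" belongs to
# "aaa authorization" and is deliberately not in this set.
LOGIN_METHODS = {"local", "local-case", "line", "enable", "none", "krb5"}

def parse_login_command(command: str) -> tuple[str, list[str]]:
    """Return (list_name, methods) for 'aaa authentication login <name> <methods>'.
    'group <name>' is kept as one method, e.g. 'group:radius'."""
    tokens = command.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError(f"not an 'aaa authentication login' command: {command!r}")
    methods, rest = [], tokens[4:]
    while rest:
        tok = rest.pop(0)
        if tok == "group":
            if not rest:
                raise ValueError("'group' must be followed by a server-group name")
            methods.append("group:" + rest.pop(0))
        elif tok in LOGIN_METHODS:
            methods.append(tok)
        else:
            raise ValueError(f"{tok!r} is not an authentication method")
    return tokens[3], methods

def authenticate(methods, username, password, *, groups, local_users, line_password=None):
    """Walk the list in order. A method that cannot answer (server unreachable,
    no local users, no line password) is skipped; an explicit PASS or FAIL is final."""
    for method in methods:
        if method.startswith("group:"):
            group = groups.get(method[6:])          # constructed: {"reachable": bool, "users": {...}}
            if not group or not group["reachable"]:
                continue                             # ERROR: fall through to the next method
            return group["users"].get(username) == password
        if method in ("local", "local-case"):
            if not local_users:
                continue                             # ERROR: no local database configured
            if method == "local":                    # usernames match case-insensitively
                table = {u.lower(): p for u, p in local_users.items()}
                return table.get(username.lower()) == password
            return local_users.get(username) == password
        if method == "line":
            if line_password is None:
                continue
            return password == line_password
        if method == "none":
            return True                              # Question 6: NO_AUTH list, no check at all
        continue                                     # enable/krb5: treated as unavailable in this model
    return False                                     # no method could answer: login denied
```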

  1. john
    April 20th, 2015


    aaa authentication login login radius local
    should be aaa authentication login login group radius local


  2. XYZ
    April 20th, 2015

    yes correct john..

  3. Tikitaka
    June 2nd, 2015

    thank you John

  4. Saro
    June 5th, 2015


    @john and lofeezy

    I think you are right and none of the proposed answers is correct.

    One of these would be the right answer:

    aaa authentication login default group radius local
    aaa authentication login login group radius local

  5. Saro
    June 5th, 2015

    Actually only “aaa authentication login login group radius local” should be correct, because it is asking for a method named “login”, I missed that part.

  6. Rafi
    July 15th, 2015

    So why is this not changed?

  7. McLuhan
    August 13th, 2015

    So where are the questions???

  8. Sam
    August 16th, 2015

    hey, where are the questions?? only answers are there!!

  9. certprepare
    August 29th, 2015

    Because of copyrighted issues, certprepare had to remove all questions and answers. You can download them at http://www.mediafire.com/view/9mq20kx0mgam6k7/SWITCH_July_2015.pdf

  10. CORRECT…..
    October 3rd, 2015

    Dear Admin


    there is no such command containing “login login radius” as shown in your correct answer below.

    B. (config)# aaa authentication login login radius local

    The CORRECT ANSWER is that there will be a group keyword before RADIUS as shown

    (config)# aaa authentication login login group radius local

    PLEASE CORRECT IT……………….||||||||

  11. Tom
    October 9th, 2015

    aaa authentication login login group radius local is valid
    The first “login” is an Auth List
    The second “login”, which just happens to be called login, is the Auth list name, which could be changed if desired.

  12. alb
    October 20th, 2015

    @Tom I think the point they’re trying to raise is the omission of the keyword ‘group’ and not having a consecutive ‘login’ listed. The official cert guide is not explicitly clear on the general command syntax…

  13. poomsa
    November 2nd, 2015

    Does anyone have the AAA lab in Packet Tracer?

  14. Hennery
    November 9th, 2015

    Does anyone have time to write the questions too? There are only answers.
    Whoever is running the site might be looking to get some money; if yes, please say it clearly.

  15. Pekpek
    November 29th, 2015

    Hello guys!

    I took the exam yesterday and I passed with a score of 937 out of 1000.

    Layer 2 Technology : 93%
    Infrastructure Security : 100%
    Infrastructure Services : 100%

    Right before I clicked “end exam”, I thought I got a perfect score. I don’t know how they grade the exam but I’m sure of all of my answers because I studied hard for real! Anyway, the good thing is I passed.

    The dumps here are all still valid. Honestly, what you can see here are all in the exam. My labs are LACP STP, AAA, HSRP Hotspot, Vtp V3.

    Let me share what I experienced:

    1. For all the Labs, No Copy run start and write commands but the config still saves. Make sure to check your config with sh run all the time.

    2. On AAA, I put the exact commands in here but make sure to check the radius server host IP and key. You can not add Vlans nor do sh vlans but it’s not required.

    3. On Lacp, the range command is working. Use this format: “interface range fa0/3 – 4”. Make sure to check your Vlans, trunking, etherchannel bundling, STP and Vtp mode on both switches. I did not put default gateways on both switches because they are already on the running config. To test, just ping the default gateway which is the router with the IP Add

    Study dumps from galvin, JvD and the labs here from Cert prepare.

    However, I highly suggest reading the Cisco Press book and watching CBT Nuggets tutorials because you can not be called a Network Engineer if you just rely on dumps.

    It’s easy to get CCNP but it’s hard TO BE a CCNP!

    Thanks for sharing your experiences here and thanks Certprepare.

    GOODLUCK PEOPLE!!! Spread the LOVE and PEACE on earth! :)

  16. Sailormoon
    December 1st, 2015

    @Pekpek Congrats! Can you share the galvin dumps?

  17. Mitchels
    December 22nd, 2015

    Now the exam is changed; I did it on 21 Dec and most of the questions are changed.

  18. Anonymous
    January 11th, 2016

    @mitchels: What are the new questions.

  19. Paul
    January 31st, 2016

    May I ask for dumps? The reviewers I got have lots of things and I couldn’t really focus on the coverage of the exam. paulreyna@hotmail.com.. thanks in advance guys

  20. wmohammad
    March 5th, 2016

    Hi guys,
    I have scheduled my exam on next Wednesday, 09/03.
    I got the “SWITCH_July_2015” dump
    is this the latest dump ?

  21. chrisroed
    May 10th, 2016

    DLS2(config)#do sh run
    Building configuration…

    Current configuration : 5998 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname DLS2
    username chrisroed privilege 15 secret 5 $1$DNMx$rmN5mv0u9Y3xTwo29sWib0
    aaa new-model
    aaa session-id common
    system mtu routing 1500
    ip routing

    DLS2(config)#aaa authentication login login radius local
    DLS2(config)#do sh run
    Building configuration…

    Current configuration : 6048 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname DLS2
    username chrisroed privilege 15 secret 5 $1$DNMx$rmN5mv0u9Y3xTwo29sWib0
    aaa new-model
    aaa authentication login login group radius local
    aaa session-id common
    system mtu routing 1500

    This clearly shows that using the command “aaa authentication login login radius local” does in fact work and automatically adds the keyword ‘group’. I guess it’s yet another of Cisco’s ‘hidden’ commands, possibly from older versions of IOS.

  22. jani
    May 22nd, 2016

    @josh, Could you please send the pdf to me on the email: jv_jani @hotmail.com


  23. @w@klo99
    June 10th, 2016

    Hi guys. Does anyone have ccnp switch pdf dumps, coz I’m planning to take the exam. here’s my email {email not allowed}

  24. Mohamed haleem
    June 27th, 2016

    Passed yesterday with 953, 191q is still valid, labs are: multiple choice > HSRP, configuration > AAA, LACP, drag and drop LLDP/CDP. For more info you can contact my whatsapp +249912299136 or facebook @mohamed.haleem136, glad to help and provide dumps & support, just don’t be shy.

  25. gold1986
    July 15th, 2016

    hi Guys
    I have the switch exam tomorrow
    and I want to know which labs come in the exam, please help me and god help you

  26. Anonymous
    July 25th, 2016

    Please, I will appreciate it if someone can email me the 191q. my email is ftheodore1 at yahoo.com

  27. CCNPSwitch
    July 29th, 2016

    Hi mohamed haleem. Please can you share the 191q? I have the ccnp switch exam on aug 6th
    it will be really very helpful if you can share the 191q … I can give my email id if you can mail me the dumps

  28. examgeek
    September 22nd, 2016

    please send latest dump to rafalebsa at yahoo dot com
    exam planned tomorrow. dump 191 QA 300-115 exam

  29. mike
    October 12th, 2016

    could anyone pls share the AAA lab in Packet Tracer…


  30. rava
    December 3rd, 2016

    having this error while trying to config dot1x on physical port

    ASW1(config)#interface fastEthernet 0/3
    ASW1(config-if)#dot1x ?
    % Unrecognized command

    how to make it work plz, I’m trying to configure port-based authentication on a 3560 switch

  31. rava
    December 3rd, 2016


  32. jane woken
    May 15th, 2017

    hi guys,
    could someone please send me the latest dumps, please, please, please. My email address is jane_woken52 @ yahoo.com . it will be a big help.

  33. CCNP boy
    August 7th, 2017

    Can someone who has taken the exam recently confirm if it is enough to pass by just studying these Qs? (All Qs)

  34. chinna
    September 2nd, 2017

    Hi all,

    I have my ccnp switch exam next exam. could any one please share dumps with me at chinna8351 at gmail dot com?

    Thanks a lot for your help

  35. chinna
    September 2nd, 2017

    Hi all,
    I have my ccnp switch exam next week. could any one please share dumps with me at chinna8351 at gmail dot com?
    Thanks a lot for your help

  36. rinish
    November 7th, 2017

    Hi Guys, can you please share how I can practice the AAA dot1x lab. Moreover, where can I find the simulation?

  37. YMD
    November 12th, 2017

    Q12 doesn’t make sense. if-authenticated is part of aaa authorization, not aaa authentication. C is the best answer if you ignore this, but still…

  38. Anon6
    November 30th, 2017

    It’s really too bad that this site has become a begging pot for people too lazy to study and all you see are 100s of requests for the latest dumps and spam for bogus dump sites.
    to Certprepare, please clean up and maintain your site!!! It is embarrassing

  39. QRT
    December 4th, 2017

    YMD – Q12
    Agree with you.

  40. BreakFix
    January 5th, 2018

    @ CertPrepare Admin
    The requirements of question 12 are met by the following command syntax:
    aaa authentication login default group tacacs+ local-case
    Please remove “if-authenticated” from question 12 answer C.
    Please update the Flash-based question as well.
    R1(config)#aaa authentication login default group tacacs+ ?

    * * * * Output omitted for brevity * * * *

    local-case Use case-sensitive local username authentication.

    * * * * Output omitted for brevity * * * *
    As mentioned by others, “if-authenticated” is a command option for aaa authorization
    not aaa authentication.
    R1(config)#aaa authentication login default group tacacs+ local-case ?
    enable Use enable password for authentication.
    group Use Server-group
    krb5 Use Kerberos 5 authentication.
    line Use line password for authentication.
    none NO authentication.

    Thank you,

  41. CCNP15
    February 20th, 2018

    Guaranteed Latest Stuff to pass exam.
    HERE Instant DOWNLOAD (NO fake GROUP)

    20 US$ only
    D&D – PortFast / BPDU Guard / BPDU Filter (Official)
    D&D – Port Cost / Switch Port Priority / Port Priority
    D&D – STP Components (Official)

    vtp simplet
    AAA Dot1x numbered ACL
    LACP-STP on physical interface



  42. TOOK TEST TODAY !!!!
    August 17th, 2018

    ALL NEW QUESTIONS !!!!!!!!!!!!

    just passed –got lucky guessing on new questions

    LACP with STP was on the exam. This lab is valid
    AAA dot1x was on the exam. This lab is valid

  43. nahas
    May 19th, 2019

    I agree with BreakFix.
    authentication doesn’t support the option “if-authenticated”, authorization does!
    correct answers should be:

    1)aaa authentication login default group tacacs+ local-case
    2)aaa authorization login default group tacacs+ local-case if-authenticated

  44. CCNP SW
    August 18th, 2019

    passed two days ago, there was a question about accounting types
