nerdexam
Cisco

350-401 · Question #495

Refer to the exhibit. A network engineer must configure a password expiry mechanism on the gateway router for all local passwords to expire after 60 days. What is required to complete this task?

The correct answer is C. Add the username admin privilege 15 common-criteria-policy Administrators password 0. Explanation Option C is correct because the aaa common criteria policy (named "Administrators" in the exhibit) defines the password expiry rules, but it only takes effect when it is explicitly linked to a username using the username ... common-criteria-policy syntax - without thi

Submitted by hans_de· Mar 6, 2026Security

Question

Refer to the exhibit. A network engineer must configure a password expiry mechanism on the gateway router for all local passwords to expire after 60 days. What is required to complete this task?

Exhibits

350-401 question #495 exhibit 1
350-401 question #495 exhibit 2

Options

  • AThe password expiry mechanism is on the AAA server and must be configured there.
  • BAdd the aaa authentication enable default Administrators command.
  • CAdd the username admin privilege 15 common-criteria-policy Administrators password 0
  • DNo further action Is required. The configuration is complete.

How the community answered

(39 responses)
  • A
    3% (1)
  • B
    10% (4)
  • C
    82% (32)
  • D
    5% (2)

Explanation

Explanation

Option C is correct because the aaa common criteria policy (named "Administrators" in the exhibit) defines the password expiry rules, but it only takes effect when it is explicitly linked to a username using the username ... common-criteria-policy syntax - without this command, the policy exists but is never applied to any local account.

Why the distractors are wrong:

  • Option A is incorrect because local password expiry on a Cisco router is handled locally via aaa common criteria policy, not on an external AAA server.
  • Option B is incorrect because aaa authentication enable default controls authentication for privileged EXEC access, not password expiry for local user accounts.
  • Option D is incorrect because simply defining the common criteria policy is insufficient - it must be associated with a specific username to enforce the expiry rules.

Memory Tip: Think of the common criteria policy as a rulebook and the username command as assigning that rulebook to a person - writing the rulebook does nothing until you hand it to someone. Remember: Define → Assign → Enforce.

Topics

#Password Security#Local User Management#Security Policy#Authentication

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice