All Practice Exams
100+ Free ExtremeControl Certified Professional Practice Questions
Extreme Certified Professional - ExtremeControl (Network Access Control) practice questions are available now; exam metadata is being verified.
✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0
Which notification action would best alert a security team in real time when an end-system enters the Quarantine state?
A
B
C
D
to track
Same family resources
Explore More Extreme Networks Certifications
Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.
2026 Statistics
Key Facts: ExtremeControl Certified Professional Exam
75%
Passing Score
Extreme Networks (Extreme Academy)
4 areas
Knowledge Credential Domains
Extreme Academy course structure
~1 hour
Per Knowledge Exam
Extreme Academy
3 years
Certification Validity
Extreme Networks (re-take to recertify)
~$395
Retake Fee (USD)
Extreme Networks
ProctorU
Exam Proctoring
Extreme Academy
The Extreme Certified Professional - ExtremeControl credential, from Extreme Networks (Extreme Academy) and proctored by ProctorU, requires roughly 75% to pass and combines multiple-choice knowledge exams (about one hour each) with a one-day practical lab. The four credential areas are Installation and Configuration, Advanced Configuration, Management, and Troubleshooting of ExtremeControl NAC within ExtremeCloud IQ Site Engine. The fee is set by the Authorized Training Partner (retake about $395 USD), and the certification is valid for 3 years; you re-take the exam to recertify.
Sample ExtremeControl Certified Professional Practice Questions
Try these sample questions to test your ExtremeControl Certified Professional exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.
1Within which Extreme Networks management platform does the ExtremeControl application run as a tab for configuring network access control?
A.ExtremeCloud SD-WAN
B.Extreme Fabric Manager
C.ExtremeAnalytics standalone server
D.ExtremeCloud IQ Site Engine
Explanation: ExtremeControl is delivered as the Access Control (formerly NAC Manager) application inside ExtremeCloud IQ Site Engine. Administrators configure engines, AAA, profiles, rules, and portals from the Control tab of Site Engine.
2What is the primary function of an ExtremeControl engine in a NAC deployment?
A.To act as the syslog collector for all managed switches
B.To replace the core routing fabric with policy-based forwarding
C.To generate SSL certificates for every managed access point
D.To detect, authenticate, assess, and effect authorization of end-systems connecting to the network
Explanation: The ExtremeControl engine is required for every deployment. It detects connecting end-systems, authenticates them (often as a RADIUS server), assesses their posture, and then authorizes them by assigning a policy role or VLAN based on the results.
3An ExtremeControl engine acting as a RADIUS server listens for RADIUS authentication requests on which UDP port by default?
A.UDP 1813
B.UDP 1700
C.UDP 1812
D.UDP 3799
Explanation: RADIUS authentication uses UDP 1812 by default, which is the port the ExtremeControl engine uses to receive Access-Request packets from switches and APs acting as RADIUS clients. UDP 1813 is reserved for RADIUS accounting.
4Before a switch's RADIUS requests will be answered by an ExtremeControl engine, what must be true about that switch?
A.The switch must run the same firmware version as the engine
B.The switch must be assigned a static IP in the 169.254.0.0/16 range
C.The switch must be added to the engine so it is included in the RADIUS clients.conf authorized clients list
D.The switch must have an ExtremeControl agent installed on it
Explanation: ExtremeControl only responds to RADIUS requests from authorized clients. Adding a switch or AP under Control adds it to the engine's clients.conf with the shared secret; without that entry the engine silently ignores RADIUS packets from that source IP.
5In an ExtremeControl Gateway deployment with policy-enabled Extreme switches, how is the access policy named in an ExtremeControl profile applied to the end-system?
A.The end-system downloads the policy directly from the cloud
B.The switch is sent the matching policy role, which must be defined and enforced in the Policy tab
C.The engine pushes a full ACL file to the end-system's NIC
D.The VLAN is always assigned and policy roles are never used
Explanation: For ExtremeControl Gateway engines, access policies in the profile map to policy roles that an administrator creates in the Policy tab and enforces to the policy-capable switches. The engine returns the role (commonly via Filter-ID) and the switch applies it locally.
6For RFC 3580-enabled (non-policy) switches, how does ExtremeControl deliver authorization instead of sending a policy role?
A.By sending a VLAN attribute mapped from the policy role using Policy Mappings
B.By disabling the switch port permanently
C.By installing a local supplicant on the switch
D.By sending an SNMP trap that the switch interprets as a role
Explanation: RFC 3580 defines RADIUS tunnel attributes for dynamic VLAN assignment. ExtremeControl uses the Policy Mappings panel to associate each policy role with a VLAN ID or name, so RFC 3580 switches receive the VLAN attribute rather than a proprietary role.
7Which ExtremeControl deployment mode passively monitors authentication without the engine acting as the inline RADIUS server, primarily to provide end-system visibility?
A.Inline enforcement mode
B.Quarantine-only mode
C.Passive mode
D.Captive portal mode
Explanation: Passive Mode (and Pass-Through Mode) are the foundational visibility use cases taught in ExtremeControl Installation and Configuration. Passive mode observes end-system activity to populate the End-Systems table without taking over enforcement, which is useful for discovery before full NAC rollout.
8Which protocol allows an ExtremeControl engine to force reauthentication of an already-authenticated end-system by sending a Change of Authorization or Disconnect message?
A.RFC 3580 dynamic VLAN
B.SNMPv3 inform
C.RFC 3576 RADIUS Dynamic Authorization (CoA)
D.TACACS+ command authorization
Explanation: RFC 3576 (later RFC 5176) defines RADIUS Change of Authorization (CoA) and Disconnect messages. ExtremeControl uses these to force a reauth on a connected end-system so a new profile or role is applied without waiting for the next natural authentication.
9On which UDP port does ExtremeControl send RADIUS Change of Authorization (CoA) messages per the standardized Dynamic Authorization assignment?
A.UDP 1812
B.UDP 3799
C.UDP 8443
D.UDP 514
Explanation: UDP 3799 is the IANA-assigned RADIUS Dynamic Authorization (CoA/Disconnect) port. ExtremeControl uses 3799 (and the legacy 1700) to send CoA messages from the engine to the authenticating switch or AP.
10When configuring an ExtremeControl engine to authenticate users against Microsoft Active Directory, which configuration object holds the directory connection details used for authentication and authorization?
A.The Portal Configuration
B.The Notification Engine
C.The End-System Zone
D.The AAA Configuration referencing an LDAP configuration
Explanation: The AAA Configuration defines the RADIUS and LDAP settings that provide authentication and authorization services. Connecting to Active Directory is done by adding an LDAP configuration referenced by the AAA Configuration, enabling user and host lookups against AD.
About the ExtremeControl Certified Professional Practice Questions
Verified exam format metadata for Extreme Certified Professional - ExtremeControl (Network Access Control) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.