Configuring Local User Authentication in Cisco
A single password shared by everyone who manages a device is a weak control: it cannot be revoked for one person without changing it for all, and the logs cannot tell you who did what. Giving each administrator an individual username and password fixes both problems. There are essentially two levels of authentication for logging in to a Cisco router (and to most other networking devices):
Out of the box a Cisco router asks for no credentials at all on the console port, and the VTY lines have no usable password, so Telnet is refused ("Password required, but none set") and SSH is not available until a key pair and credentials exist. Neither default is a substitute for configured authentication.
- The first level is the "privileged EXEC" password, also known as the "enable" password. On its own it is all that stands between someone with line access and the router's full configuration mode (see the note below on the difference between the enable password and the enable secret).
- The second level requires a username and password in addition to the "enable" password. A router that uses it is far better protected against unauthorized access, and every session is tied to a named account.
- Local usernames also let you give different administrators different privilege levels. An external AAA server (RADIUS or TACACS+) is still preferable to local accounts for authentication and authorization; local accounts are best kept as the fallback for when that server is unreachable.
- For example, one username can have full access (privilege level 15), which allows it to configure anything on the router, while another has restricted access (privilege level 1), which only allows it to view a limited set of information and change nothing.
Local User Authentication in Cisco
Local user authentication stores the login credentials on the Cisco device itself, as opposed to checking them against an external authentication server such as RADIUS or TACACS+. In practice the two are combined: the external server is the primary method and the local database is the fallback that keeps you from being locked out when the server is unreachable. To configure local user authentication you create a local user account, tell the device (or the individual lines) to use the local database as the authentication method, and optionally assign the account a privilege level, which determines how much of the device and its configuration the user can see and change.
Step 1: Create the local account with the username command. The password keyword stores the password reversibly (clear text, or the trivially decodable type 7 form when service password-encryption is set), whereas the secret keyword stores a one-way hash, so always use secret. For example, to create the user admin with the password password (the tutorial's placeholder; pick a strong one):
username admin secret password
Step 2: Specify the authentication method. With AAA this is the aaa authentication login command, which requires AAA to be switched on first with aaa new-model. The following makes the local user database the default method for every login, on the console and the VTY lines alike:
aaa new-model
aaa authentication login default local
Be aware that aaa new-model takes effect on all lines immediately, including the console, so create and test the local user before enabling it or you can lock yourself out. Without AAA, the equivalent is the login local command on each line, as shown in the walkthrough below.
Step 3: Set the account's privilege level with the privilege keyword of the username command. For example, to give admin level 15, which is full control:
username admin privilege 15
IOS merges this with the existing username admin line, so the result is a single entry carrying both the privilege and the secret. Levels 2 through 14 contain no commands by default; if a restricted operator account needs a few extra commands, move those commands to its level with privilege exec level <n> <command> rather than handing out level 15.
Keep in mind that these steps are just a basic example, and the specific commands and options you use may vary depending on the version of the Cisco device you are using and the specific requirements of your network.
Configuring Local User Authentication in Cisco
Step 1: Create a user account with the username Beginner and the password annie@3314 and grant this user level 15 privileges.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#username Beginner privilege 15 secret annie@3314
A user who has been granted level 15 lands directly in privileged EXEC mode after authenticating and is never asked for the enable password, so grant level 15 only to accounts that genuinely need full control.
Note:
enable password stores the password in clear text (or in the reversible type 7 encoding when service password-encryption is set); enable secret stores a one-way hash (type 5 MD5, or the stronger type 8/9 hashes on recent IOS releases). Use enable secret; when both are configured, the secret is the one that applies.
Step 2: Create a user account with the username w3wiki and the password Beginner@357 and allow this user level 1 access only.
Router(config)#username w3wiki privilege 1 secret Beginner@357
Step 3: Configure VTY lines 0 through 4 so that incoming EXEC sessions authenticate against the local user database, and do the same for the console and auxiliary lines. This is the login local command in line configuration mode. It is only accepted while AAA is off; once aaa new-model is enabled, lines follow the aaa authentication login method list instead. Telnet carries these credentials in clear text, so on a production device also restrict the VTY lines to SSH with transport input ssh.
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
Router(config)#line console 0
Router(config-line)#login local
Router(config-line)#exit
Router(config)#line aux 0
Router(config-line)#login local
Router(config-line)#exit
If neither enable password nor enable secret is configured but a line password is set on the console port, that console line password is used as the enable password for all VTY (Telnet and SSH) sessions. This fallback is one more reason to set an enable secret explicitly.
Step 4: Verify the configuration by opening a Telnet session from the router to its own Loopback0 address (10.1.1.1 below; the example assumes Loopback0 carries that address and that the VTY lines still accept Telnet). You are prompted for a username and password, and after successful authentication you land in an EXEC session: user mode (Router>) if you logged in as w3wiki, privileged mode (Router#) if you logged in as Beginner, as shown here.
Router(config)#end
Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: Beginner
Password:
Router#
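Both procedures on this page, the AAA method-list steps (aaa authentication login default local) and the line-based login local walkthrough above, end with a running-config whose security depends on a handful of settings: secret rather than password on every username, an enable secret, every line pointing at the local database (or a default AAA list), and no cleartext Telnet on the VTY lines. The Python script below is an added example, not code from the original tutorial; it parses saved running-config text offline (it never touches a device) and reports those weaknesses. The three sample configs are constructed for the example: one with the problems the tutorial warns about, one built from the lab's login local steps with SSH-only VTY lines, and one using the AAA approach; hostnames and credentials are taken from the lab or invented.

```python
"""Audit a Cisco IOS running-config for weak local-auth settings (added example,
not from the original tutorial; parses text only, sample configs are constructed)."""
import re

# Constructed sample: the kind of config the tutorial warns against.
WEAK_CONFIG = """\
hostname Router
enable password cisco
username admin password password
username w3wiki privilege 1 secret Beginner@357
line con 0
 login
 password console123
line vty 0 4
 login
 password telnet123
 transport input all
"""

# Constructed sample: the lab's line-based 'login local' setup, SSH-only on VTY.
HARDENED_CONFIG = """\
hostname Router
enable secret Beginner@357
username Beginner privilege 15 secret annie@3314
username w3wiki privilege 1 secret Beginner@357
line con 0
 login local
line aux 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

# Constructed sample: AAA method list; with 'aaa new-model' lines use the default list.
AAA_CONFIG = """\
hostname Router
aaa new-model
aaa authentication login default local
enable secret Beginner@357
username admin privilege 15 secret annie@3314
line con 0
line vty 0 4
 transport input ssh
"""

USERNAME_RE = re.compile(r"username (\S+)(?: privilege (\d+))? (password|secret) ")


def top_level(config):
    """Non-indented, non-comment lines (global configuration commands)."""
    return [l for l in config.splitlines() if l and not l.startswith((" ", "!"))]


def parse_lines(config):
    """Map each 'line' block ("vty 0 4", "con 0", ...) to its sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        m = re.match(r"line (\S+(?: \d+)*)$", raw)
        current = m.group(1) if m else None
        if current is not None:
            blocks[current] = []
    return blocks


def privilege15_users(config):
    """Accounts that land in privileged EXEC without ever typing the enable secret."""
    return [m.group(1) for m in map(USERNAME_RE.match, top_level(config))
            if m and m.group(2) == "15"]


def audit_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    top, findings = top_level(config), []
    # 'enable secret' is a one-way hash; 'enable password' is clear text or type 7.
    if not any(l.startswith("enable secret") for l in top):
        findings.append("no 'enable secret' configured")
    if any(l.startswith("enable password") for l in top):
        findings.append("'enable password' present (reversible); remove it")
    # Local users: the 'password' keyword is reversible, 'secret' is hashed.
    for m in filter(None, map(USERNAME_RE.match, top)):
        if m.group(3) == "password":
            findings.append(f"user {m.group(1)} uses reversible 'password'; use 'secret'")
    aaa = "aaa new-model" in top
    if aaa and not any(l.startswith("aaa authentication login default") for l in top):
        findings.append("'aaa new-model' set but no default login method list")
    for name, cmds in parse_lines(config).items():
        if not aaa and "login local" not in cmds:  # without AAA each line must opt in
            findings.append(f"line {name}: not using 'login local'")
        if name.startswith("vty"):  # no explicit transport: assume Telnet is allowed
            transport = next((c for c in cmds if c.startswith("transport input")), "")
            if not transport or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"line {name}: permits cleartext Telnet; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("aaa", AAA_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['ok']}")
```

Run it against the output of show running-config saved to a file (read the file and pass its text to audit_config). The parser deliberately treats a VTY line with no explicit transport input as permitting Telnet, which is the conservative assumption; privilege15_users is reported separately because a level-15 account is not a defect in itself, only something to keep to a minimum.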