Local User Authentication in Cisco

Local user authentication is a method of authenticating users by storing their login credentials locally on the Cisco device. This is in contrast to using an external authentication server, such as a RADIUS or TACACS+ server, to authenticate users. To configure local user authentication on a Cisco device, you will need to create a local user account and specify the authentication method for the account. You can also set a privilege level for the account, which determines the level of access the user has to the device and its configuration.

Step 1: To create a local user account, use the username command with the password keyword. For example, to create a user account with the username “admin” and the password “password”, you would enter the following command:

username admin password password

Step 2: To specify the authentication method for logins, use the aaa authentication login command. For example, to specify that the local user account should be used for authentication, you would enter the following command:

aaa authentication login default local

Step 3: To set a privilege level for the local user account, you can use the privilege and level commands. For example, to set the privilege level for the user account to 15, you would enter the following command:

privilege 15 level 15 admin

Step 4: To set the privilege level for the local user account, you can use the username command with the privilege keyword. For example, to set the privilege level for the user account to 15, you would enter the following command:

username admin privilege 15

Keep in mind that these steps are just a basic example, and the specific commands and options you use may vary depending on the version of the Cisco device you are using and the specific requirements of your network.
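The following Python check is an added example, not part of the original article: it audits a configuration script for the settings from the steps above. It flags accounts created with the password keyword (stored in cleartext or as reversible type 7, where the secret keyword stores a hash), lists privilege 15 accounts, and reports aaa authentication login used without aaa new-model, which IOS requires first. The sample input reuses the commands from Steps 1, 2 and 4; the extra accounts, placeholder credentials and function names are constructed for illustration.

```python
# Constructed input: the article's Step 1, 2 and 4 commands as a change script,
# plus two constructed accounts for comparison. Credential strings are placeholders.
SAMPLE_CONFIG = """\
username admin password password
aaa authentication login default local
username admin privilege 15
username ops privilege 15 secret 9 $9$placeholder$placeholder
username viewer password 7 PLACEHOLDER7
"""
TYPES = {"0", "5", "7", "8", "9"}  # encoding-type digits IOS writes before a credential
def parse_users(config):
    """Merge every 'username' line into one record per account."""
    users = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "username":
            continue
        user = users.setdefault(tok[1], {"priv": 1, "kind": None, "type": None})
        i = 2
        while i < len(tok):
            if tok[i] == "privilege" and i + 1 < len(tok):
                user["priv"] = int(tok[i + 1])
                i += 2
            elif tok[i] in ("password", "secret"):
                rest = tok[i + 1:]
                typed = len(rest) > 1 and rest[0] in TYPES
                user["kind"], user["type"] = tok[i], rest[0] if typed else "0"
                break  # everything after the keyword is the credential
            else:
                i += 1
    return users

def audit_local_auth(config):
    """Return findings for the local-account settings from Steps 1 to 4."""
    findings = []
    for name, u in parse_users(config).items():
        if u["kind"] == "password":
            how = "type 7 (reversible)" if u["type"] == "7" else "cleartext"
            findings.append(f"{name}: 'password' keyword, stored as {how}; use 'secret'")
        if u["priv"] == 15:
            findings.append(f"{name}: privilege 15 (full configuration access)")
    lines = [l.strip() for l in config.splitlines()]
    uses_aaa = any(l.startswith("aaa authentication login") for l in lines)
    if uses_aaa and "aaa new-model" not in lines:
        findings.append("'aaa authentication login' used without 'aaa new-model'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_local_auth(SAMPLE_CONFIG)))
```

A script that enables aaa new-model first and creates the account with a hashed secret leaves only the privilege 15 entry, which is a reminder to keep the number of full-access accounts small.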

Configuring Local User Authentication in Cisco

One shared password for all authentication purposes is not the safest method. Giving each person their own login and password makes their activity easier to track. There are primarily two methods for logging into a Cisco router (and other networking devices in general):

  • Using a local login and password on the device itself.
  • By using an external authentication service (such as an AAA server, RADIUS, TACACS, etc.).

By default, no login or password is necessary to access a Cisco router for management purposes (using Console, Telnet, or SSH).

  • The “privileged EXEC” password, also known as the “enable” password, is all that is required to access the router’s full configuration mode (read below about the different password levels and types).
  • The router will be more secure from unauthorized access if it uses the second level of authentication (requiring the user to provide extra username/password credentials in addition to the “enable” password).
  • Additionally, setting up local usernames on the device allows you to add granularity to the levels of administrative privileges for various users (although using an external AAA server for authentication and authorization purposes is better compared to local accounts).
  • For instance, you can set up a username with full access to the router (privilege level 15), which allows you to configure anything on the router, or you can set up a username with restricted access (privilege level 1), which only allows you to see a few things on the router and nothing else.
