
Configuring Local User Authentication in Cisco

A single password shared by everyone who manages a device is not a safe practice: it cannot be revoked for one person without changing it for all of them, and it leaves no record of who actually logged in. Giving each person their own username and password makes access easier to audit and to revoke. Cisco IOS routers (and most other network devices) support two main ways of authenticating those users: against a user database stored on the device itself (local authentication), or against an external AAA server such as RADIUS or TACACS+.

The factory defaults enforce very little. The console port has no password at all. The VTY lines carry the login command but no password, so an incoming Telnet session is refused with "Password required, but none set" until a line password or login local is configured. SSH is not available until a hostname, a domain name, an RSA key pair and a username have been configured.



Local User Authentication in Cisco

Local user authentication stores the user accounts (username, password hash, privilege level) in the device's own configuration, instead of on an external authentication server such as RADIUS or TACACS+. Configuring it has three parts: create the local user account, point the login lines (or the AAA login method list) at the local database, and assign the account a privilege level, which determines what the user may do on the device once logged in.

Step 1: To create a local user account, use the username command. Note that the form "username admin password password" stores the password in cleartext (or in the trivially reversible type 7 encoding if service password-encryption is on) and is readable by anyone who can view the running configuration. Use the secret keyword instead, which stores a one-way hash. To create the user "admin" this way, enter the following command, substituting a strong password for the placeholder:

username admin secret <password>

Step 2: Next, tell the device to authenticate logins against that local database. There are two ways to do this. Without AAA, each line (console, aux, vty) is pointed at the local database with the login local command, as in the walkthrough below. With AAA, first enable it with aaa new-model, then define the default login method list. The following commands make the local database the authentication source for every line, console included, so be sure the account from Step 1 exists before entering them or you can lock yourself out of the device:

aaa new-model
aaa authentication login default local

Step 3: Privilege levels control which commands a user may run. Level 1 is user EXEC (the Router> prompt), level 15 is full privileged EXEC (Router#), and levels 2 through 14 contain no commands until you move some into them with the privilege command. Note that the privilege command assigns commands to a level; it does not assign a level to a user (that is Step 4). For example, to let users at level 5 view the running configuration:

privilege exec level 5 show running-config

Step 4: To assign a privilege level to the account itself, use the privilege keyword of the username command. IOS merges this with the account from Step 1 into a single entry (you can also give everything on one line: username admin privilege 15 secret <password>). For example, to give the admin account level 15:

username admin privilege 15

Keep in mind that these steps are a basic example; the exact commands and options may vary with the IOS version of the device and the requirements of your network.

Configuring Local User Authentication in Cisco

Step 1: Create a user account named geeks with the secret geeks@357 and grant it level 15 privileges.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#username geeks privilege 15 secret geeks@357

After authenticating, a user with privilege level 15 lands directly in privileged EXEC mode (the Router# prompt) and is never asked for the enable password. Grant level 15 sparingly.

Note:

enable password stores the password in cleartext (or as reversible type 7 if service password-encryption is configured).
enable secret stores a one-way hash (MD5 type 5 by default; type 9 scrypt with the algorithm-type scrypt option) and takes precedence when both are set.

Step 2: Create a second account, GeeksforGeeks, with the secret geeks@357 and level 1 (user EXEC) access. In practice each account should have its own password; the same value is reused here only to keep the example short.

Router(config)#username GeeksforGeeks privilege 1 secret geeks@357

Step 3: Configure VTY lines 0 through 4 so that incoming EXEC sessions authenticate against the local user database, and do the same for the console and aux lines. This is done with the login local command in line configuration mode.

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# exit

Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit

Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exit

One IOS fallback is worth knowing: if neither enable password nor enable secret is configured but a line password is set on the console port, that console password is used as the enable password for VTY (Telnet and SSH) sessions. Set an enable secret explicitly rather than relying on this behaviour.

Step 4: Verify the configuration by opening a Telnet session from the router to its own Loopback0 address (10.1.1.1 here; this assumes Loopback0 is configured with that address and that the VTY lines still accept Telnet). You should be prompted for a username and password, and on successful authentication you are placed in user EXEC mode (Router>) for GeeksforGeeks or privileged EXEC mode (Router#) for geeks, as shown below for geeks.

Router(config-line)#end
Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification
Username: geeks
Password: 
Router#
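A way to check a device for the mistakes this page warns about (a user created with password instead of secret, aaa authentication login without aaa new-model, lines that never received login local, VTY lines still accepting cleartext Telnet), as an added Python example. This is not code from the original article or from Cisco; it parses the plain text of show running-config, and the two sample configurations inside it are constructed for the example (one mirroring the weak first-section commands, one mirroring the walkthrough's result with an enable secret and SSH-only VTY lines), with password hashes omitted.

```python
"""Audit Cisco IOS local-authentication settings in a running-config.

Added example, not code from the original article or from Cisco. It reads the
plain text of 'show running-config' and flags the weaknesses discussed above.
The sample configurations at the bottom are constructed; hashes are omitted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_BLOCK_RE = re.compile(r"^line (con|console|aux|tty|vty) \d+(?: \d+)?$")
USERNAME_RE = re.compile(r"^username (\S+) (?:privilege \d+ )?(?:view \S+ )?(password|secret)\b")
SAFE_VTY_TRANSPORT = {"transport input ssh", "transport input none"}


@dataclass
class Finding:
    line_no: int          # 0 marks a whole-config finding
    config_line: str
    issue: str


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per weak or inconsistent setting, in config order."""
    findings: list[Finding] = []
    aaa_new_model = False
    aaa_login_lists: list[tuple[int, str]] = []
    blocks: list[tuple[int, str, list[str]]] = []  # (line_no, header, sub-commands)
    current: list[str] | None = None               # sub-commands of the open line block

    for no, raw in enumerate(config.splitlines(), 1):
        text = raw.rstrip()
        if not text.strip() or text.lstrip().startswith("!"):
            continue
        if text.startswith(" "):                   # indented: part of the open block
            if current is not None:
                current.append(text.strip())
            continue
        current = None                             # any top-level command closes a block
        if text == "aaa new-model":
            aaa_new_model = True
        elif text.startswith("aaa authentication login "):
            aaa_login_lists.append((no, text))
        elif text.startswith("enable password"):
            findings.append(Finding(no, text,
                "enable password is cleartext or reversible type 7; use enable secret"))
        elif (m := USERNAME_RE.match(text)) and m.group(2) == "password":
            findings.append(Finding(no, text,
                f"user '{m.group(1)}' has a reversible password; re-create it with 'secret'"))
        elif LINE_BLOCK_RE.match(text):
            current = []
            blocks.append((no, text, current))

    # Method lists only take effect under aaa new-model; once it is on, name the list explicitly.
    if aaa_login_lists and not aaa_new_model:
        for no, text in aaa_login_lists:
            findings.append(Finding(no, text, "has no effect without 'aaa new-model'"))
    if aaa_new_model and not aaa_login_lists:
        findings.append(Finding(0, "aaa new-model",
            "no 'aaa authentication login' list; add 'aaa authentication login default local'"))

    via_aaa = aaa_new_model and bool(aaa_login_lists)
    for no, header, subs in blocks:
        if "login local" not in subs and not via_aaa:
            findings.append(Finding(no, header,
                "line does not use the local user database ('login local' or an AAA login list)"))
        if header.startswith("line vty"):
            transport = next((s for s in subs if s.startswith("transport input")), None)
            if transport not in SAFE_VTY_TRANSPORT:
                findings.append(Finding(no, transport or header,
                    "VTY accepts cleartext Telnet (credentials sent unencrypted); set 'transport input ssh'"))
    findings.sort(key=lambda f: f.line_no)         # stable sort keeps per-line order
    return findings


# Constructed sample: the weak settings from the first section of the article.
WEAK_CONFIG = """\
enable password cisco123
username admin password password
aaa authentication login default local
!
line con 0
 login
line aux 0
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the walkthrough's result plus an enable secret and SSH-only VTY lines.
HARDENED_CONFIG = """\
enable secret 5 <hash-omitted>
username geeks privilege 15 secret 5 <hash-omitted>
username GeeksforGeeks privilege 1 secret 5 <hash-omitted>
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):            # HARDENED_CONFIG yields no findings
        print(f"line {f.line_no}: {f.config_line!r}: {f.issue}")
```

Run it against the saved output of show running-config; every finding carries the config line number so it can be fixed directly. The AAA rule is deliberately conservative: with aaa new-model enabled, a line without login local is accepted only if a login method list is present, since otherwise the effective method is left implicit.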