In most smaller networks, or networks that have a few network administrators, when you log into a Cisco device you are only prompted for a password. This will take you to the Router> prompt where more than likely you will immediately type ‘enable’ to enter into privileged exec mode, and you will be prompted with a password again to access privileged exec mode or ‘enable mode’. This generally works fine for smaller companies and companies without too many administrators and the enable password would be shared among them.
In larger organisations a more granular approach is often needed and more control is required to identify different levels of permissions for each of the users that may connect to a Cisco device. This requirement needs each user to login to a Cisco device with their own username and password, and each account created will be assigned a different level of permission on the device.
In this tutorial I’m only going to focus on 2 of the 16 privilege levels – 1 and 15. Level 1 will direct the user to user exec mode when they log in and without the user knowing what the enable password or secret is, they will not be able to enter enable mode. Level 15 on the other hand will send the user directly to enable mode when they log in, as their account’s password will be a level 15 (privileged exec) password.
In order to configure this on a Cisco device, usernames and passwords need to be created on the device and each user account must be associated a privilege level. Furthermore, each of the lines that may be used to access the router (Console, VTY, AUX) needs to be configured to use the local user account database on the router for authentication.
Below is the configuration to configure two user accounts (jay and bob) one with level 15 access and the other with level 1. The configuration also show the commands needed under each of the lines to use the local database for authentication.
AOIP.ORG# conf t
Enter global configuration mode
AOIP.ORG(config)# username jay privilege 15 password aoip
Create a user account with username “jay” with a privilege level 15 and password of “aoip”
AOIP.ORG(config)# username bob privilege 1 password aoip
Create a user account with username “bob” with a privilege level 1 and password of “aoip”
AOIP.ORG(config)# line console 0
Enter into the console configuration
AOIP.ORG(config-line)# login local
This sets the configuration to test authentication using the local database of username and passwords.
AOIP.ORG(config-line)# exit
Exit out of console configuration.
AOIP.ORG(config)# line vty 0 4
Enter into the first 5 virtual lines
AOIP.ORG(config-line)# login local
Set the authentication method to the local database
AOIP.ORG(config-line)# exit
Exit out of the virtual terminal lines
AOIP.ORG(config)# line aux 0
Enter into the auxiliary line
AOIP.ORG(config-line)# login local
Set the authentication method to the local database
AOIP.ORG#
Below is a live demo of the above configuration. Notice the difference between the two accounts when they log in.
NOTE: If bob did not know the enable password, he would not be able to move out of user exec mode which would be the case in a live environment.
One thought on “‘Login local’ on a Cisco Router”
guess you learn something new every day! thanks bud