There are mainly two ways to authenticate to a Cisco router (and to most other network devices in general): against an external authentication server through AAA (RADIUS or TACACS+), or against local usernames and passwords stored on the device itself.
In this article we will discuss how to configure local usernames and passwords on a Cisco router so that administrators must authenticate when connecting to the device for management purposes. The same principles (with some differences in command syntax) also apply to other Cisco devices such as switches and firewalls.
By default, a Cisco router does not ask for a username when you access it for management. The console line has no login at all, and the VTY lines (Telnet) ask only for a line password (set with the password command under line vty); if no line password is configured, Telnet connections are refused with “Password required, but none set”. SSH is the exception: it cannot work without a username, so it requires local accounts or AAA in any case. Once on the device, you only need to supply the “privileged EXEC” password (i.e. the “enable” secret) to gain access to the full configuration mode of the router.
Employing an additional level of authentication (i.e. requiring each user to supply an individual username/password credential in addition to the “enable” password) makes the router more resistant to unauthorized access, and it stops the enable secret from being a single shared credential that by itself grants full control of the device.
Moreover, configuring local usernames on the device lets you assign different levels of management privilege to different users (although an external AAA server remains the better choice for authentication and authorization, since accounts are managed centrally, can be revoked in one place and can be tied to command accounting).
For example, you can create a username with full privileges (privilege level 15) who can configure anything on the router, and another username with unprivileged access (privilege level 1, user EXEC mode) who can only run a limited set of show commands and nothing else. Note that a privilege 1 user can still type enable and reach level 15 if they know the enable secret, so the enable secret must not be shared with users who are meant to stay unprivileged.
There are two steps involved in configuring local usernames. The first is to create the username/password and assign it a privilege level (0 to 15, with 15 being the most privileged; in practice levels 1 and 15 are the ones normally used).
If you don’t specify a privilege level, the user gets privilege level 1 (user EXEC) by default, not 15, so an administrator who needs configuration access must be created with privilege 15 explicitly. Use the secret keyword rather than password: secret stores a salted hash, whereas password stores the value in clear text (or in the trivially reversible type 7 form when service password-encryption is enabled). The second step is to configure your VTY lines to require local login (i.e. only a configured user with a valid password can access the router). The example below covers vty 0 4; many platforms have more VTY lines (show line lists them), and every one of them must get login local, otherwise a connection that arrives while the first five lines are busy lands on an unprotected line.
Router# config t
Router(config)# username Mynetworkadmin privilege 15 secret $Str0ngP@ss$
Router(config)# username Onlymonitoring privilege 1 secret An0ther!Pass34
Router(config)# line vty 0 4
Router(config-line)# login local
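As an added example (not the article's own configuration), here is the same two-step procedure with the hardening a practitioner would normally add around it: a hashed enable secret, scrypt-hashed local accounts, local login on the console as well as on all VTY lines, SSH-only transport, lockout and logging of failed logins, and the show commands to verify the result. The hostname, usernames and passphrases are placeholders chosen for this example. It assumes IOS 15.3(3)M or later for algorithm-type scrypt (on older releases drop that keyword and secret still stores a salted type 5 hash) and that SSH is already set up (hostname, ip domain-name, an RSA key), otherwise transport input ssh cuts off all remote access. Apply it from the console so that a mistake cannot lock you out.

```cisco
! Added example, not from the original article. Placeholders in <angle brackets>
! are values you choose; everything else is standard IOS syntax.
Router# configure terminal
!
! Step 1: local accounts. Omitting "privilege" gives level 1, not 15.
! "algorithm-type scrypt" stores a type 9 hash (IOS 15.3(3)M or later).
Router(config)# username netadmin-jdoe privilege 15 algorithm-type scrypt secret <strong-passphrase-1>
Router(config)# username noc-readonly privilege 1 algorithm-type scrypt secret <strong-passphrase-2>
!
! The enable secret is what a privilege-1 user needs to escalate,
! so it is set separately and never shared with read-only users.
Router(config)# enable algorithm-type scrypt secret <strong-enable-passphrase>
!
! Step 2: require local login on every management line, console included.
! Routers create vty 5-15 when the range is given; check "show line" for
! the number of VTY lines your platform actually has.
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exec-timeout 10 0
Router(config-line)# exit
Router(config)# line vty 0 15
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 10 0
Router(config-line)# exit
!
! Slow down and record password guessing against the new accounts:
! 3 failures within 60 seconds blocks new logins for 120 seconds.
Router(config)# login block-for 120 attempts 3 within 60
Router(config)# login on-failure log
Router(config)# login on-success log
Router(config)# end
!
! Verification: only hashed "secret" lines should appear (no clear-text
! "password" on a username), every line should show "login local",
! and "show privilege" reports the level of the current session.
Router# show running-config | include ^username|^enable|^line|login|transport
Router# show privilege
Router# show users
```

Before saving with write memory, open a second SSH session with each new account and confirm that the privilege 15 user can enter configuration mode and that the privilege 1 user cannot; only then close the console session used to apply the change.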
A security tip on usernames: choose something that is difficult to guess and will not be found in wordlists. Names such as “admin”, “administrator” or “cisco” are poor choices because they are the first ones tried in a dictionary or brute-force attack against SSH. The username is not a secret, though, so an unusual name only raises the attacker's effort; a strong password and rate limiting of login attempts are what actually stop guessing.
Moreover, if more than one administrator connects to your routers, it’s better to configure a separate, personal username for each administrator rather than a shared account. This makes tracking and auditing possible: login and logout events are recorded per user (enable login on-success log and login on-failure log and send logging to a syslog server), and configuration change logging (archive / log config) records which user entered which command and when. Per-user accounts also let you remove a single administrator's access without changing a password that everyone shares.