Networks Training

Configuring Local Username and Password on a Cisco IOS Router

There are mainly two ways to authenticate to a Cisco router device (and also to other networking devices in general). Using an external authentication service (such as AAA server, Radius, TACACS etc) or by having local usernames and passwords on the device itself.

how to configure credentials on cisco router

In this article we will discuss how to configure a local username and password on a Cisco router in order to authenticate when connecting to the device for management purposes. The same principles apply also to other Cisco devices such as switches, firewalls etc.

By default, when you access a Cisco router for management purposes (using Console, Telnet or SSH) there is no username/password authentication required. You only need to supply the “privileged EXEC” password (i.e the “enable” password) in order to gain access to the full configuration mode of the router.

Employing an additional level of authentication (i.e requiring the user to supply an additional username/password credential in addition to the “enable” password) will make the router device more resistant to unauthorized access.

MORE READING:  Configuring NAT on Cisco Routers

Moreover, configuring local usernames on the device gives you the flexibility to add granularity regarding the levels of management privileges for different users (although using an external AAA server for authentication and authorization purposes is better compared to local accounts).

For example, you can configure a username on the router with full privileges (privilege level 15) who can configure anything on the router, or you can configure a username with unprivileged access (privilege level 1) who can only see a few things on the router and nothing else.

There are two steps involved to configure local usernames. The first one is to create the username/password and assign it a privilege level (from 1 to 15, with 15 being the most privileged level).

If you don’t specify a privilege level number, it gets the full privilege 15 by default. The second step is to configure your VTY lines (0 to 4) to require a local login access (i.e only a configured user with a valid password can access the router).

MORE READING:  Cisco new Router Series ASR 1000

Configuration

Router# config t
Router(config)# username Mynetworkadmin privilege 15 secret $Str0ngP@ss$
Router(config)# username Onlymonitoring privilege 1 secret An0ther!Pass34

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# exit
Router(config)# wr

Just a security tip here, for username select something difficult to guess or something that will not be found in dictionary attacks. For example, words like “admin”, “administrator”, “cisco” etc are not good usernames. A simple dictionary attack from a hacker will find those easily.

Moreover, if you have more than one administrator user connecting to your routers, its better to configure a different personalized username for each administrator. This will help to ensure tracking and auditing in order to know what each user did on the device and when each user connected to the device.

Filed Under: Cisco Routers

Download Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls


By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.












Comments

  1. hi, I create a username and pwd with privilege 5 and I also activated the AAA authentication.when I connect with the username (nedge) and CDM (cisco) I refer to privililège 15. Is it possible to connect directly to the five privilege when I connect with the username (nedge) and pwd (cisco)?

  2. I didn’t fully understand your question. If the username is local (i.e configured locally on the device), then you must assign a privilege level of 5 to it:

    e.g username nedge privilege 5

    If this username exists on the AAA server, then you must enable also “authorization” on the router and assign a privilege 5 to the username which exists on the AAA

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to amazon.com, amazon.co.uk , amazon.de, amazon.it, amazon.es and affiliated sites.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING