Networks Training

You are here: Home / Cisco Routers / Configuring Local Username and Password on a Cisco IOS Router

Configuring Local Username and Password on a Cisco IOS Router

There are mainly two ways to authenticate to a Cisco router device (and also to other networking devices in general). Using an external authentication service (such as AAA server, Radius, TACACS etc) or by having local usernames and passwords on the device itself.

how to configure credentials on cisco router

In this article we will discuss how to setup a local username and password on a Cisco router in order to authenticate when connecting to the device for management purposes. The same principles apply also to other Cisco devices such as switches, firewalls etc.

By default, when you access a Cisco router for management purposes (using Console, Telnet or SSH) there is no username/password authentication required.

You only need to supply the “privileged EXEC” password (i.e the “enable” password) in order to gain access to the full configuration mode of the router (read below about the different password levels and types).

Employing an additional level of authentication (i.e requiring the user to supply an additional username/password credential in addition to the “enable” password) will make the router device more resistant to unauthorized access.

Moreover, configuring local usernames on the device gives you the flexibility to add granularity regarding the levels of management privileges for different users (although using an external AAA server for authentication and authorization purposes is better compared to local accounts).

For example, you can configure a username on the router with full privileges (privilege level 15) who can configure anything on the router, or you can configure a username with unprivileged access (privilege level 1) who can only see a few things on the router and nothing else.

There are two steps involved to configure local usernames. The first one is to create the username/password and assign it a privilege level (from 1 to 15, with 15 being the most privileged level).

If you don’t specify a privilege level number, it gets the full privilege 15 by default. The second step is to configure your VTY lines (0 to 4) to require a local login access (i.e only a configured user with a valid password can access the router).

MORE READING:  IOS Packet Capture and Auto Upgrade

Configuration of Local Account

Router# config t
Router(config)# username Mynetworkadmin privilege 15 secret [email protected]$
Router(config)# username Onlymonitoring privilege 1 secret An0ther!Pass34

! After creating the above local accounts, you then apply the “local” authentication type to the lines 

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# exit

Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit

Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exit

Router(config)# wr

Just a security tip here, for username select something difficult to guess or something that will not be found in dictionary attacks. For example, words like “admin”, “administrator”, “cisco” etc are not good usernames. A simple dictionary attack from a hacker will find those easily.

Moreover, if you have more than one administrator user connecting to your routers, its better to configure a different personalized username for each administrator. This will help to ensure tracking and auditing in order to know what each user did on the device and when each user connected to the device.

Router Password Types:

Passwords are the first line of defense for securing Cisco Routers. 

There are five password types that can be configured on a Cisco Router:

  • Privileged Level Passwords (Privilege EXEC)
    • Enable Password (not encrypted)
    • Enable Secret Password (encrypted password)
  • Console Line Password
  • VTY Lines Password
  • Auxiliary (AUX) Line Password

Configuring Privileged Level Passwords:

Above we have configured local accounts and also applied the “local” authentication type to all router lines (VTY, console, aux). Now, we will configure the “privileged EXEC” password which is used to enter into “full configuration mode” on the router.

! Configure non-encrypted password (avoid this type)
Router(config)# enable password somepassword

! Configure encrypted password (recommended)
Router(config)# enable secret strongpassword

NOTES:

To specify an additional layer of security it’s important to use the enable secret command in global configuration mode as shown above.

MORE READING:  Configuring Static NAT on Cisco Routers

The enable secret command provides better security by storing the configured enable secret password using a nonreversible cryptographic hash function, compared to the enable password command, which stores the configured password in clear text or in an easily reversible encrypted format.

Storing the password as a cryptographic hash helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to and from a TFTP server.

It is also useful if an unauthorized user obtains a copy of your configuration file. Note, if neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console port, the console line password will serve as the enable password for all VTY lines, which includes Telnet, rlogin, and SSH connections.

The enable secret command is widely available within IOS. 

Encrypting Passwords:

By default, only the enable secret password is encrypted. In order to encrypt the other password types, you need to enable the “password encryption” service globally on the router as following:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# service password-encryption

NOTES:

To encrypt local router passwords, use the service password-encryption command in global configuration mode as shown above.

This command applies to line passwords, username passwords, enable passwords, and authentication key passwords, including routing authentication passwords and key strings.

By default, IOS does not encrypt passwords. Encrypting passwords in this way helps to minimize the risk of password sniffing if the router configuration file is transferred across the network such as to and/or from a TFTP server.

It is also useful if an unauthorized user obtains a copy of your configuration file. This command is widely available within IOS.

Related Posts

Filed Under: Cisco Routers

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available on Amazon and on this website as well.

Comments

  1. dioum samba says

    hi, I create a username and pwd with privilege 5 and I also activated the AAA authentication.when I connect with the username (nedge) and CDM (cisco) I refer to privililège 15. Is it possible to connect directly to the five privilege when I connect with the username (nedge) and pwd (cisco)?

  2. Blog Admin says

    I didn’t fully understand your question. If the username is local (i.e configured locally on the device), then you must assign a privilege level of 5 to it:

    e.g username nedge privilege 5

    If this username exists on the AAA server, then you must enable also “authorization” on the router and assign a privilege 5 to the username which exists on the AAA

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING

BLOGROLL

Tech21Century
Firewall.cx
shares