‘Login local’ on a Cisco Router

On most small networks, or networks with only a few administrators, logging into a Cisco device prompts you for a password only. This puts you at the Router> prompt (user exec mode), where you will more than likely type ‘enable’ straight away and be prompted for a second password to enter privileged exec mode, or ‘enable mode’. This generally works fine for smaller companies without many administrators, with the enable password shared amongst them.

In larger organisations a more granular approach is often needed, with enough control to give each user who may connect to a Cisco device a different level of permission. This requires each user to log in to the device with their own username and password, with each account assigned its own privilege level on the device.

In this tutorial I’m only going to focus on 2 of the 16 privilege levels (0 to 15): levels 1 and 15. A level 1 user lands in user exec mode when they log in and, without knowing the enable password or secret, cannot enter enable mode. A level 15 user is sent straight to enable mode when they log in, because privilege 15 is the privileged exec level and it is attached to their account rather than to a shared enable password.

To configure this on a Cisco device, usernames and passwords need to be created on the device and each user account must be assigned a privilege level. Furthermore, each of the lines that may be used to access the router (console, VTY, AUX) needs to be configured to use the router’s local user database for authentication.

Below is the configuration for two user accounts (jay and bob), one with level 15 access and the other with level 1. It also shows the command needed under each of the lines to use the local database for authentication. Note that the ‘password’ keyword stores the account password in a reversible form (plaintext, or type 7 if ‘service password-encryption’ is enabled); on IOS images that support it, the ‘secret’ keyword stores a one-way hash instead and should be preferred.

AOIP.ORG# conf t
AOIP.ORG(config)# username jay privilege 15 password aoip
AOIP.ORG(config)# username bob privilege 1 password aoip
AOIP.ORG(config)# line console 0
AOIP.ORG(config-line)# login local
AOIP.ORG(config-line)# exit
AOIP.ORG(config)# line vty 0 4
AOIP.ORG(config-line)# login local
AOIP.ORG(config-line)# exit
AOIP.ORG(config)# line aux 0
AOIP.ORG(config-line)# login local

Below is a live demo of the above configuration. Notice the difference between the two accounts when they log in.
NOTE: If bob did not know the enable password, he would not be able to move out of user exec mode, which is exactly the situation intended in a live environment.
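As an added example (not part of the original post, and not Cisco’s own tooling), the Python script below audits a saved running-config for the two things this tutorial sets up: that every access line (console, VTY, AUX) has ‘login local’, and that local accounts use ‘secret’ rather than ‘password’. Where it finds a type 7 string it also recovers the plaintext, using the well-known fixed XOR key, to show why ‘password’ is no real protection. The sample config embedded in it is constructed for the example: jay and bob mirror the configuration above, while the ‘ops’ account and its hash value are made-up placeholders.

```python
"""Audit a Cisco IOS running-config for the 'login local' lockdown.

Added example, not from the original post. It checks that
  1. every access line (con/vty/aux) authenticates against the local user
     database with 'login local' and carries no shared line password, and
  2. local accounts use 'secret' (one-way hash) rather than 'password'
     (type 0 plaintext, or type 7, which is a reversible obfuscation).
Any type 7 string found is decoded to demonstrate the weakness.
"""
import re

# The fixed XOR key Cisco uses for type 7 "encryption" (publicly known).
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decrypt_type7(enc: str) -> str:
    """Reverse a type 7 string: the first two characters are a decimal seed
    (offset into the key); the rest are hex bytes, each XORed with the next
    key character."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(_XLAT[(seed + i) % len(_XLAT)]))
                   for i, b in enumerate(body))


def encrypt_type7(plain: str, seed: int = 5) -> str:
    """Build a type 7 string (used here only to construct the sample config)."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain):
        out.append(f"{ord(ch) ^ ord(_XLAT[(seed + i) % len(_XLAT)]):02X}")
    return "".join(out)


# username <name> [privilege <n>] (password|secret) [<type>] <value>
_USER_RE = re.compile(
    r"^username (\S+) (?:privilege (\d+) )?(password|secret)(?: (\d))? (\S+)")


def audit_config(config: str) -> list:
    """Return a list of human-readable findings for the given config text."""
    findings = []
    current_line = None          # name of the 'line ...' section we are in
    has_login_local = {}         # line name -> bool
    for raw in config.splitlines():
        if raw.startswith("line "):
            current_line = raw[5:].strip()
            has_login_local[current_line] = False
            continue
        if raw.startswith(" ") and current_line is not None:
            # IOS indents line sub-commands by one space.
            cmd = raw.strip()
            if cmd == "login local":
                has_login_local[current_line] = True
            elif cmd.startswith("password "):
                findings.append(f"line {current_line}: shared line password configured")
            continue
        current_line = None      # any other top-level command ends the section
        m = _USER_RE.match(raw)
        if m:
            user, priv, kind, ptype, value = m.groups()
            priv = priv or "1"   # IOS default privilege for a username
            if kind == "password":
                if ptype == "7":
                    findings.append(
                        f"username {user} (priv {priv}): type 7 password, "
                        f"recovers to '{decrypt_type7(value)}'")
                else:
                    findings.append(
                        f"username {user} (priv {priv}): type 0 (plaintext) password")
    for name, ok in has_login_local.items():
        if not ok:
            findings.append(f"line {name}: no 'login local'")
    return findings


# Constructed sample config: jay/bob follow the tutorial; 'ops' and its hash
# are placeholders. Type 0 and type 7 are mixed deliberately to exercise
# both branches (a real device converts both once password-encryption is on).
SAMPLE_CONFIG = f"""\
!
username jay privilege 15 password 7 {encrypt_type7('aoip', 5)}
username bob password aoip
username ops privilege 15 secret 5 $1$salt$notarealhashXXXXXXXXXXXX
!
line con 0
 login local
line vty 0 4
 password aoip
 login
line aux 0
!
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports jay’s type 7 string recovering to ‘aoip’, bob’s plaintext password, the shared line password and missing ‘login local’ on the VTY lines, and the missing ‘login local’ on AUX; the console line and the ‘secret’-based ‘ops’ account pass. Point it at a real ‘show running-config’ capture to check a device against this tutorial’s configuration.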


Related posts:

  1. Cisco Router Login Lockdown
  2. Setting the enable password and secret on a Cisco device
  3. Decrypting Type 7 Passwords (enable password)
  4. Configuring the Console port on a Cisco Device
  5. Configuring VTY Access

One Response to “‘Login local’ on a Cisco Router”

  1. Allio1535@yahoo.com Says:

    guess you learn something new every day! thanks bud
