How to Configure Local Username Database in Cisco IOS
Local Authentication

The most basic level of security you can configure on a Cisco IOS device is a password. When this is done, a password is assigned to allow access to the privileged/global configuration mode, and to protect initial entry to the user mode of the IOS. However, the Cisco IOS can take this a step further and have actual usernames and passwords assigned for access. By doing this, you have the real name of the person who is accessing the device. If you choose to do so, this username can be logged so that you know when that user logged into the router and when they logged off. The Cisco IOS can, of course, also support external authentication through services like Cisco ACS and RADIUS. In this example, we will create a basic local authentication database containing usernames and passwords, and then use it to log in to the Cisco IOS device.
Creating the Database

To create the user database, you use the username command. Let’s create 2 users with different privileges. The Admin user will have level 15 (Cisco administrator / super-user access). The user Bob will have level 7 access (moderate user access). Here is how it is done:

username admin priv 15 password cisco
username bob priv 7 password cisco

Once these users are created, you need to enable the login on the lines to use the local database instead of just the line password, or no password at all.

Enabling Lines to use the Local Authentication Database

To tell each line to use these new user logins, you must go to each line and perform the login local command. This is different than just the login command, by itself. The login command enables password checking. By using only the login command, you are only enabling password checking for the line password, configured on that line. By using login local, you are telling the device to use the locally configured accounts in the username database. Here is how you configure it:

Let’s test it out!
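The line configuration described above, written out as an added example that is not the original page's listing. The line ranges (con 0, vty 0 4) are assumptions for a typical device, and the first stanza shows the line-password-only form for contrast.

```ios
! Added example. Line ranges (con 0, vty 0 4) are assumed; adjust to the device.
!
! --- Line password only ---
! "login" by itself checks the password configured on the line.
! No username is requested, so the session cannot be tied to a person.
line con 0
 password cisco
 login
!
! --- Local username database ---
! Accounts from the article (priv is the short form of privilege).
username admin privilege 15 password cisco
username bob privilege 7 password cisco
!
! "login local" makes the line prompt for a username and password and
! check them against the username entries above.
line con 0
 login local
line vty 0 4
 login local
```

Any line left with plain login, or with no login at all, does not consult the username database, so check every console, aux and vty line. Where the IOS version supports it, username ... secret stores a hash of the password instead of the plain-text password form used here.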



