'Login local' on a Cisco Router

When configuring access to a Cisco router, you have several options for authentication. One common method is using login local, which authenticates users against locally configured usernames and passwords stored on the router itself.

What is Login Local?

The login local command tells the router to authenticate users against the local user database, rather than against a single shared password configured on the line or an external authentication server such as TACACS+ or RADIUS.

Configuring Login Local

To configure login local authentication, you need to:

  1. Create local user accounts
  2. Configure the line (console, vty, or aux) to use local authentication

Step 1: Create Local User Accounts

First, create usernames and passwords in global configuration mode:

Router(config)# username admin privilege 15 secret cisco123
Router(config)# username user1 privilege 1 secret password1
Router(config)# username user2 privilege 5 secret password2

The privilege levels determine what commands users can execute:

  • Privilege 1: User EXEC mode (limited commands)
  • Privilege 15: Privileged EXEC mode (full access)
  • Privilege 2-14: Custom privilege levels

Step 2: Configure Line Authentication

Apply login local to the appropriate lines:

Console Line:

Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit

VTY Lines (Telnet/SSH):

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# exit

AUX Line:

Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exit

Verification

To verify your configuration:

Router# show running-config | section username
Router# show running-config | section line

You can also test by opening a new session, keeping the current one open until the new login succeeds, or by logging out and logging back in.

Security Considerations

  • Use strong passwords for all user accounts
  • Regularly review and update user accounts
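  • Use secret instead of password in username commands: secret stores a one-way hash, while password stores the value in cleartext or in the easily reversed type 7 encoding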
  • Implement appropriate privilege levels to follow the principle of least privilege
  • For production environments, consider using external authentication servers (TACACS+ or RADIUS)

Common Issues

If you're locked out after configuring login local:

  • Ensure you created at least one user account before applying login local
  • Check that privilege levels are set correctly
  • Use console access if VTY access is not working
  • In the worst case, use password recovery procedures
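
The checks from the Security Considerations and Common Issues lists can be run against a saved copy of the running configuration before it is applied. The following Python script is an added example, not part of the original article or any Cisco tool; the function name audit_login_local and the sample configuration are constructed for illustration, and it assumes AAA method lists (aaa new-model) are not in use.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
username admin privilege 15 secret 9 $9$CONSTRUCTED-HASH
username user1 privilege 1 password 7 CONSTRUCTED
!
line con 0
 login local
line aux 0
 login
line vty 0 4
 login local
 transport input telnet ssh
"""

def audit_login_local(config: str) -> list[str]:
    """Return findings about local authentication in an IOS-style config.

    Assumes AAA method lists (aaa new-model) are not in use.
    """
    findings = []
    users = re.findall(r"^username (\S+) (.*)$", config, re.M)
    for name, rest in users:
        # The first credential keyword decides how the value is stored.
        kw = next((t for t in rest.split() if t in ("password", "secret")), None)
        if kw == "password":
            findings.append(f"user {name}: uses 'password' instead of 'secret'")

    # Collect the indented sub-commands under each "line ..." header.
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None

    for name, cmds in blocks.items():
        if "login local" not in cmds:
            findings.append(f"line {name}: not using 'login local'")
        elif not users:
            findings.append(f"line {name}: 'login local' with no local users (lockout risk)")
        for cmd in cmds:
            if cmd.startswith("transport input") and re.search(r"\b(telnet|all)\b", cmd):
                findings.append(f"line {name}: '{cmd}' permits Telnet")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_login_local(SAMPLE_CONFIG)))
```
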

The login local command is essential for securing router access while maintaining local control over user authentication.