Username / Password Authentication in Cisco IOS

The last thing I want to do when some network administrator leaves my organization is change all the login passwords on the Cisco network devices. (For now, let's just assume the administrator in question didn't know the enable secret.) If you have relatively few machines, it's easy to set up username / password authentication in IOS without a centralized service like RADIUS or TACACS+.

Cisco IOS is able to store usernames and passwords locally. This means that you can maintain your user list directly on the router or switch. The configuration for this is so simple, I've included it below, complete with your first user.

aaa new-model
aaa authentication login default local
username slap secret Zivgoolut

The first line turns on the new authentication model. The second line sets the default authentication mechanism to the "local" database — that's the list of users you are going to be entering by hand. The final line adds a user called 'slap' with password 'Zivgoolut'. The password is hashed inside the configuration.
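To check a saved configuration against the three lines above, here is an added example (not part of the original post) that flags missing AAA lines and any user stored with `password` rather than `secret`. The function name `audit_local_auth` and the sample configuration are constructed for illustration.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username slap secret 5 $1$EXAMPLE$constructedhashplaceholder
username olduser password 7 CONSTRUCTED07
username temp privilege 15 password 0 constructed-cleartext
"""

# username <name> [privilege <n>] secret|password [<type>] <value>
USER_RE = re.compile(
    r"username\s+(?P<name>\S+)(?:\s+privilege\s+\d+)?\s+"
    r"(?P<kind>secret|password)(?:\s+(?P<type>\d+))?\s+\S+$"
)

def audit_local_auth(config):
    """Return a list of findings about local username authentication."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is not enabled")
    if "aaa authentication login default local" not in lines:
        findings.append("default login list does not use the local database")
    users = [m for m in map(USER_RE.match, lines) if m]
    if not users:
        findings.append("no local users are defined")
    for m in users:
        # 'password' entries are stored as type 0 (cleartext) or type 7
        # (reversible obfuscation); only 'secret' entries are hashed.
        if m["kind"] == "password":
            findings.append(
                f"user {m['name']}: stored with 'password' "
                f"(type {m['type'] or '0'}), use 'secret' instead"
            )
    return findings

if __name__ == "__main__":
    for finding in audit_local_auth(SAMPLE_CONFIG):
        print(finding)
```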

And that's it. With these three lines, you've now changed your Cisco router or switch to require a username for the purposes of authentication. If you telnet to your router, you should see the following lines.

User Access Verification


Mission accomplished!
