- June 13, 2015
- Posted by: Surender Kumar
- Category: Cisco Routers
Configure Local Authentication on Router/Switch
Note: The following procedure is applicable on Cisco Routers as well as Switches.
Cisco IOS offers privilege levels, as do other operating systems. In the case of Cisco, privileges are numbered from 1 to 15. Privilege 15 is comparable to Administrator in Windows and root in Linux. This scheme is useful in enterprise environments where junior network administrators must be given limited access to router management, and helpdesk team members can be given restricted access so that they can only view the configuration.
To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.
Configuration Example
Cisco#configure terminal
Cisco(config)#username admin privilege 15 secret [email protected]
Cisco(config)#username user2 privilege 14 secret [email protected]
Cisco(config)#enable secret level 15 Password1
Cisco(config)#enable secret level 14 Password2
Cisco(config)#line vty 0 4
Cisco(config-line)#login local
Cisco(config-line)#end
The above configuration commands create a local database of two users: admin with privilege level 15 and user2 with privilege level 14. You can also set enable passwords for the different privilege levels, as shown above. To enforce the local username and password check, you need to run the login local command under line configuration mode, as shown above.
CLI Command Privileges
When you create a user with a privilege level lower than 15, by default that user has no access to any configuration commands. The administrator must manually assign commands to that privilege level. The example below shows how to make only a specific set of commands available to the user in the different configuration modes.
Cisco#configure term
Cisco(config)#privilege exec level 14 show
Cisco(config)#privilege exec level 14 show running-config
Cisco(config)#privilege exec level 14 configure
Cisco(config)#privilege exec level 14 configure terminal
Cisco(config)#privilege exec level 14 write memory
Cisco(config)#privilege exec level 14 copy run start
Cisco(config)#privilege configure level 14 interface
Cisco(config)#privilege interface level 14 shutdown
Cisco(config)#privilege interface level 14 no shutdown
Cisco(config)#privilege interface level 14 speed
Cisco(config)#privilege interface level 14 duplex
Cisco(config)#end
Cisco#copy run start
Cisco#
In the above configuration example, the lines beginning with privilege exec assign the CLI commands that user2 (privilege level 14) can run in user EXEC mode, the lines beginning with privilege configure assign the CLI commands the user can run in global configuration mode, and the lines beginning with privilege interface assign the CLI commands the user can run under interface configuration mode. Because user2 has privilege level 14, it cannot run any command other than those listed above. As you can see, this method gives granular control over which commands a specific user can run.
The above example is for demonstration purposes only. Assign commands to other users according to the requirements of your network environment.
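As an added example (not part of the original post), the following Python script reads a running-config excerpt of the kind produced by the commands above and reports, per privilege level and mode, which commands have been moved, along with the checks a reviewer would make on such a setup: users stored with the reversible password keyword instead of secret, privilege 15 accounts, and vty lines whose login does not use the local database. The config text is constructed for this example; the hashed secrets in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample running-config excerpt modelled on the post's example;
# the hashed secrets are placeholders, not real values.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$PLACEHOLDER
username user2 privilege 14 secret 5 $1$PLACEHOLDER
username helpdesk privilege 1 password 0 cleartextpw
privilege exec level 14 show running-config
privilege exec level 14 configure terminal
privilege configure level 14 interface
privilege interface level 14 shutdown
privilege interface level 14 no shutdown
line vty 0 4
 login local
line vty 5 15
 login
"""

# 'privilege N' is optional on a username line; IOS defaults it to level 1.
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (secret|password) ")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


def parse_users(config):
    """Map each username to its privilege level and whether it uses 'secret'."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            level = int(m.group(2)) if m.group(2) else 1
            users[m.group(1)] = {"level": level, "hashed": m.group(3) == "secret"}
    return users


def parse_privileges(config):
    """Map (level, mode) -> sorted commands moved to that level, e.g. (14, 'exec')."""
    table = defaultdict(set)
    for line in config.splitlines():
        m = PRIV_RE.match(line)
        if m:
            table[(int(m.group(2)), m.group(1))].add(m.group(3))
    return {k: sorted(v) for k, v in table.items()}


def audit(config):
    """Return the findings a reviewer would flag in this local-auth setup."""
    findings = []
    for name, info in parse_users(config).items():
        if not info["hashed"]:
            findings.append(f"user {name}: 'password' keyword is reversible (type 0/7); use 'secret'")
        if info["level"] == 15:
            findings.append(f"user {name}: full privilege 15; confirm this is required")
    current = None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line.strip()
        elif current and line.strip() == "login":
            findings.append(f"{current}: 'login' without 'local' ignores the local user database")
    return findings
```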