Publish Date: June 13, 2015

Configure Local Authentication on Router/Switch

Note: The following procedure is applicable on Cisco Routers as well as Switches.

Cisco IOS offers privilege levels as we see in other operating systems. In case of Cisco, the privileges are categorized in numeric 1 to 15. Privilege 15 is similar to administrator in Windows and root in Linux. This scheme is effective for enterprise environments where junior network administrators must be given limited access to router management and helpdesk team members can be given restricted access so that they can only view the configuration.

To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.

Configuration Example

Cisco#configure terminal
Cisco(config)#username admin privilege 15 secret cisco@123
Cisco(config)#username user2 privilege 14 secret test@123
Cisco(config)#enable secret level 15 Password1
Cisco(config)#enable secret level 14 Password2
Cisco(config)#line vty 0 4
Cisco(config-line)#login local

The above configuration commands will create a local database of two users admin with privilege level 15 and user2 with privilege level 14. You can also set enable passwords for different privilege levels as shown above. In order to enforce local username and password check, you need to run login local command under line config mode as shown above.

CLI Command Privileges

When you create a user with privilege level less than 15, by default the user will have no access to run any configuration commands. Administrator need to manually assign the commands to specific user. Please see the example below to assign only specific set of commands that will be available for the user at different configuration modes.

Cisco#configure term
Cisco(config)#privilege exec level 14 show
Cisco(config)#privilege exec level 14 show running-config 
Cisco(config)#privilege exec level 14 configure
Cisco(config)#privilege exec level 14 configure terminal
Cisco(config)#privilege exec level 14 write memory
Cisco(config)#privilege exec level 14 copy run start 
Cisco(config)#privilege configure level 14 interface
Cisco(config)#privilege interface level 14 shutdown 
Cisco(config)#privilege interface level 14 no shutdown
Cisco(config)#privilege interface level 14 speed
Cisco(config)#privilege interface level 14 duplex
Cisco#copy run start

In the above configuration example, the lines preceding with privilege exec will assign the cli commands for user2 with privilege level 14 which will be available in user EXEC mode, lines preceding with privilege configure will assign the cli commands which the user will be able to run in global configuration mode, and lines preceding with privilege interface will assign the cli commands that the user will be able to run under interface configuration mode. The user2 having level 14 privilege will not be able to run any other command apart from those mentioned above. You see that this method can be used to assign granular control on commands to specific user.

The above example is just for demonstration purpose. You can assign the commands to other users as per your requirements in your network environment.


Microsoft Certified | Cisco Certified