Local username authentication

As I get a lot of hits from Google referring to local login, here's the whole story: Cisco IOS has supported local username/password-based authentication (almost) forever (it was there even before the AAA architecture). To change from simple password-based authentication to username+password-based authentication, use the login local configuration command on console and/or VTY lines. The local usernames and passwords are defined with the username configuration command. Cisco IOS thus supports the following local (non-AAA) authentication settings:
  • no login disables any authentication; anyone able to access the line (console or VTY through telnet or SSH) is logged in automatically (do not use outside of a lab environment).
  • login enables simple password-based authentication. The password is specified per-line (console or VTY) with the password command (do not specify different passwords on different VTY lines or you'll create total confusion).
  • login local enables local username+password authentication.

The login tacacs configuration command specifies the old TACACS protocol and is almost unusable these days.
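To check which of these settings each line of a saved configuration actually uses, a small audit script helps. The one below is an added example, not part of the original article; the sample configuration is constructed, and the function name and finding texts are hypothetical.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
username admin secret 5 $1$XXXX$constructedplaceholderhash
!
line con 0
 no login
line aux 0
 login
 password cisco
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login tacacs
"""

# The non-AAA login settings described in the article, with audit notes.
FINDINGS = {
    "no login": "no authentication: anyone reaching the line is logged in",
    "login": "shared per-line password, no per-user identity",
    "login local": "local username+password",
    "login tacacs": "old TACACS protocol",
}

def audit_lines(config):
    """Return {line block: (login setting, note)} for every 'line ...' block."""
    has_users = bool(re.search(r"^username \S+", config, re.M))
    results, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            results[current] = ("unset", "no login command in this block")
        elif current and raw.startswith(" "):
            cmd = raw.strip()
            if cmd in FINDINGS:
                note = FINDINGS[cmd]
                if cmd == "login local" and not has_users:
                    note += " (but no username defined in this config)"
                results[current] = (cmd, note)
        else:
            current = None  # '!' or a global command ends the line block
    return results

if __name__ == "__main__":
    for name, (mode, note) in audit_lines(SAMPLE_CONFIG).items():
        print(f"{name:15} {mode:13} {note}")
```

The script only reports login commands that appear explicitly in a line block; it makes no assumption about platform defaults for blocks without one.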


This article is part of the You've asked for it series.
