Local username authentication

As I get a lot of hits from Google referring to local login, here's the whole story: Cisco IOS has supported local username/password-based authentication (almost) forever (it was there even before the AAA architecture). To change from simple password-based authentication to username+password-based authentication, use the login local configuration command on console and/or VTY lines. The local usernames and passwords are defined with the username configuration command. Cisco IOS thus supports the following local (non-AAA) authentication settings:
  • no login disables any authentication; anyone able to access the line (console or VTY through telnet or SSH) is logged in automatically (do not use outside of a lab environment).
  • login enables simple password-based authentication. The password is specified per-line (console or VTY) with the password command (do not specify different passwords on different VTY lines or you'll create total confusion).
  • login local enables local username+password authentication.

The login tacacs configuration command specifies the old TACACS protocol and is almost unusable these days.
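The settings above can be checked mechanically in a saved configuration. The following is an added example, not part of the original article: the function name audit_line_auth and the sample configuration are constructed for illustration, and the script only looks at login, password and username commands that appear explicitly in the text it is given.

```python
# Constructed sample configuration for illustration (not from the article).
SAMPLE_CONFIG = """\
username admin secret ExamplePassw0rd
line con 0
 login local
line aux 0
 no login
line vty 0 4
 password vtyPassA
 login
line vty 5 15
 password vtyPassB
 login
"""

def audit_line_auth(config):
    """Return (modes, findings) for the line sections of an IOS config."""
    has_users, current, modes, passwords = False, None, {}, {}
    for raw in config.splitlines():
        if raw.startswith("username "):
            has_users = True
        if raw.startswith("line "):
            current = raw[5:].strip()
            modes[current] = "unspecified"   # no explicit login command seen
        elif current and raw.startswith(" "):
            cmd = raw.strip()
            if cmd == "no login":
                modes[current] = "none"
            elif cmd == "login":
                modes[current] = "password"
            elif cmd.startswith("login "):
                modes[current] = cmd.split()[1]   # e.g. local, tacacs
            elif cmd.startswith("password "):
                passwords[current] = cmd.split(None, 1)[1]
        else:
            current = None                   # left the line section
    findings = []
    for line, mode in modes.items():
        if mode == "none":
            findings.append((line, "no login: no authentication"))
        elif mode == "local" and not has_users:
            findings.append((line, "login local but no username defined"))
        elif mode == "tacacs":
            findings.append((line, "login tacacs: old TACACS protocol"))
    vty_pw = {passwords[l] for l, m in modes.items()
              if l.startswith("vty") and m == "password" and l in passwords}
    if len(vty_pw) > 1:
        findings.append(("vty", "different passwords on different VTY lines"))
    return modes, findings
```

On the sample configuration, the audit reports the aux line running with no login and the two VTY ranges using different line passwords.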

This article is part of the You've asked for it series.
