Cisco IOS – Add Local User and Require Login on Console

In this post I will be outlining how to add a local user to a Cisco router or switch and enforce that router or switch to require a local user login when accessing the device from the console. For this post I will be assuming you have a Cisco router or switch running IOS that does not have any user created on the device and are currently connected on the console port of the device in user exec mode.

Preparation:

In order to make the required changes you will need to be in global config mode.

 

Adding a User:

From global config mode you will be able to add the user you wish to login with. One thing to note this information will be stored in the running config which is plain text but after submitting the password it will be encrypted so when issuing a show run you will not be able to see the password. When adding a user you will also specify the privilege level which if you are not familiar with privilege level it specifies the level of access the user has to modify configuration on the system.

Below is the command to create an administrative user ‘kyle’ and store the password in the running config as an encrypted string.

username kyle: Specifies the user we are creating is ‘kyle’

privilege 15: Gives the user ‘kyle’ the highest privileges on the system

secret 0 P@ssword: Sets the users password to ‘P@ssword’ and ‘secret 0’ will tell the system that the following string will be an unencrypted string that is the password. One thing to remember is when storing the password in the running and startup configuration it will encrypt it so someone simply looking at the config wont know your password.

 

Now if we show the running config we can see that our user shows up and the password is stored as an encrypted string

At this point if we log all the way out and attempt to login again we will notice we were never prompted to login with our user, this is because we have not told the system to require a login on the console interface.

 

Requiring Login on Console Interface:

In your running config you will be able to see that your line console interface does not have any configuration on it.

So we will need to enter global config mode and configure the ‘line con 0’ interface to require a login that will authenticate against the local database of users inside the running config on the system.

Below are the commands to do this.

As you can see we first entered global config mode then entered line con 0 and issued the command ‘login local’ that is the command that will enable your device to start requiring a username and password on the console interface.

 

Now if we exit until we are presented with the initial console screen and hit enter we will see it prompts us for a username and password to login.

 

That is all you need to do to configure local password authentication on the console interface. To make your configuration stay persistent through reboots make sure you copy the runningĀ  config to startup config with either ‘copy run start’ or ‘write memory’.

Be the first to comment

Leave a Reply

Your email address will not be published.


*