Configure Local User-Specific Password

Unanswered Question
Aug 18th, 2010

I have a Cisco 3825 running IOS c3825-advsecurityk9-mz.124-22.YB5.bin

I'm trying to use the 'login local' command for the usernames I have created on the router for the aux, con and vty lines.

But when I try to configure the line, the command login is available to me.  But 'local' is not an available option.

Can anyone tell me if I should or shouldn't have available to me.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vragotha Wed, 08/18/2010 - 17:06

Are you using AAA?

It won't let you configure login local on the vty line

towerclear Thu, 08/19/2010 - 06:39

yes AAA is in my configuration.

can the same also be said, in addition to the vty line, the con 0, aux, etc lines as well, that login local is not available?

so both AAA and login local cannot be used at the same time?

vragotha Thu, 08/19/2010 - 09:59

You will need to specify the command through AAA.

Have you tried

aaa authentication login default local

towerclear Thu, 08/19/2010 - 11:14


I have read documentation from Cisco and from google searches regarding the addition of your proposed command.  I have not tried it yet.

Currently the aaa section of my config for my router has this:

aaa new-model

aaa local authentication attempts max-fail 3



aaa authentication login default group tacacs+ local enable

aaa authentication login Jay none

aaa authentication login towerclear none

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec local_author none

aaa authorization network default none



aaa session-id common

Unfortunaely my knowledge of aaa is limited and I'm having a hard time getting a grasp of it.  I know for sure that my router does not use any tacacs+ or radius but those command were put it for some reason.  I know that the only access is by the usernames and password I have created on to router device itself.

So will adding "aaa authentication login default local" have any impact on the other aaa authentication listed in my config?  i think the answer is no if i recall correctly from the reading i've done.



vragotha Thu, 08/19/2010 - 12:51


If you are not using TACACS, you can remove all the AAA commands and use login local under the vty lines

If you want to keep the commands, go ahead and use 'aaa authentication login default local'

towerclear Thu, 08/19/2010 - 12:59


Technically I'm not using TACACS but I think I want to keep that line there.

If I add 'aaa authentication login defualt local' what will that do?  does it affect all the lines, e.g. con 0, aux, vty, tty?  Or do I configure them individually?  I have to make sure the tty isn't effected.  I have a modem card installed into my routers for outside sites to dial into to transmit data.



vragotha Thu, 08/19/2010 - 13:21


'aaa authentication login default local', and a local username

and password configured will apply to all access to the device. You

don't need to configure anything on the lines individually

towerclear Thu, 08/19/2010 - 14:22


Based on your last response, will that effect the tty lines that recieve connections requiring a login and password?



towerclear Thu, 08/19/2010 - 15:13


Thanks,  that's what I was afraid of.  Then I cannot put it in.


vragotha Thu, 08/19/2010 - 16:52

I'd simply backup the AAA configurations and remove them for now. Use them later if you need.

towerclear Sun, 08/22/2010 - 17:50


The whole reason for the post was for a vulnerability for the local login.  The remediation simple states that I need to enter this command for the line(s) con 0, vty, etc:

hostname(config-line)# password LINE_PASSWORD

When I do "password ?" at the prompt the options are:

0, unencrypted

7, hidden

LINE, unencrypted

is there something I'm missing where the password can be encrypted?


Richard Burts Sun, 08/22/2010 - 21:14


If we can get a clear understanding of what your requirements are I believe that there are options for configuration that can accomplish them. If you want your vty and console to authenticate differently from what the tty uses for authentication this is quite possible (and I have done it for a customer). You configure one (perhaps tty) to use the default authentication method, and then you configure a different authentication method and configure vty and console to use that method.

Yes there is an option to get the passwords for vty and console to be encrypted. Use service password-encryption (in global configuration mode) and the passwords will be encrypted.




This Discussion

Related Content