Cisco Support Community

New Member

Is a username required in IOS?

Does anyone here operate their routers & switches without a username specified? We don't use the username in our login or enable authentication (use vty and enable passwords), just wondering if there is some requirement for a username that I don't know about. Security-wise, we'd like to eliminate specifying a username, if possible.

12 REPLIES
Hall of Fame Super Gold


Does anyone here operate their routers & switches without a username specified?

Nope.  You require username/password if you want to contact the appliances remotely.  If all you do to connect to them is via console, then you're welcome not to have one.  

Security-wise, we'd like to eliminate specifying a username, if possible.

Doesn't make any sense.  Are you saying you're happy for anyone (and I mean ANYONE) to log into your router/switches?

New Member


No, a username is not required to access this remotely -- we use the vty and enable passwords (which I mentioned above). Or one could use AAA + radius/tacacs which authenticates against active directory or something similar. Just wondering if the username can be totally eliminated.

New Member


Yes, devices can be configured for no logins/passwords, but think: what is the benefit we get if we disable it?

If we don't secure the devices that are managing your critical data, probably the only benefit is ease of login and cost savings in terms of not deploying third party authentication devices.

Not securing your logins has many disadvantages, just try googling it ;)

 


 

New Member


If you remove the password from the VTY lines you will not be able to connect to the device!

OP, your question is both confusing and contradictory, you don't have username(s) configured, yet you would like to remove them?

Martin

New Member


No one said anything about removing vty passwords, just the usernames. And I don't want a local database either.

I should be more clear, we do have a username configured, but it is never used, since we use vty/enable passwords (I know, telnet is not safe), or we use Tacacs, which doesn't use usernames either, in our configuration. So I'd like to remove all usernames.

(Later) Maybe I've answered my own question:  I just verified that a new router config contains *no* username statement. This leads me to believe it is not necessary for basic operations.

New Member


I was replying to Suraj above who said about removing them.

That is the command to remove your username(s).

By default there are no users configured, it is beneficial though, for the reasons stated.

Martin

Super Bronze


Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I've worked on small networks where only non-user specific passwords were used.  This in cases where there was only one or very, very few people who knew the passwords and performed device maintenance.

For somewhat larger networks, where multiple people could be doing maintenance, sometimes local usernames were configured so you could see "who" did the configuration changes.  (From a security perspective, not much better than just using global passwords, unless you also wanted to tie certain privilege levels to a particular username.)

Lastly, in big networks, you normally have RADIUS or TACACS user account authentication.  The latter, of course, makes it much easier to add or revoke a new user to a set of devices.

New Member


I agree, better accountability with usernames. We do use Tacacs on a subset of network - in this case, is there any need to have a username specified (since our Tacacs doesn't use it either)?

Suraj2002, you misunderstood, I require *and* use authentication for login, I just don't use the username to do it.

 

Super Bronze


Hmm, don't know if you cannot use a user name if using RADIUS or TACACS.  However, if you don't want usernames per real person, what about a generic name?  Everyone that knows the username and password, could use it.

New Member


You can have a local user database.

When connecting via SSH a username is required.

Martin

New Member


I don't want a local username database, that is sort of the point of my question.  I want to delete all usernames, just wondering if this is feasible.

You *can* use SSH without using usernames, using Tacacs or Radius.

New Member


When using a local database you *do* have to create a username, this is what I was referring to.

You are connecting via Telnet (which isn't wise).

Martin
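
Added example, not part of any post in this thread: a small Python audit that reads an IOS running-config and reports whether any line still authenticates logins against the local `username` database, which is the check to make before deleting usernames. Both configs are constructed, the function and key names are hypothetical, and only line login authentication is examined (no other features that may reference a username).

```python
import re

# Constructed configs for illustration; not taken from the thread.
LINE_PASSWORDS = """\
username legacy secret 5 $1$constructed
line vty 0 4
 password constructed-placeholder
 login
 transport input telnet ssh
"""
TACACS_FALLBACK = """\
username breakglass secret 5 $1$constructed
aaa new-model
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh
"""

def audit(config):
    """Find which lines authenticate logins against the local username database."""
    users, lists, lines = [], {}, {}
    aaa, current = False, None
    for raw in config.splitlines():
        text = raw.strip()
        if raw.startswith("line "):
            current = lines.setdefault(text, [])
        elif not raw.startswith(" "):
            current = None  # any other top-level command closes the line block
            if m := re.match(r"username (\S+)", text):
                users.append(m.group(1))
            elif m := re.match(r"aaa authentication login (\S+) (.+)", text):
                lists[m.group(1)] = m.group(2).split()
            elif text == "aaa new-model":
                aaa = True
        elif current is not None:
            current.append(text)
    uses_local = []
    for name, cmds in lines.items():
        if aaa:
            chosen = next((c.split()[2] for c in cmds
                           if c.startswith("login authentication ")), "default")
            # Assumption: with aaa new-model and no method list defined,
            # non-console lines fall back to the local database.
            implicit = [] if name.startswith("line con") else ["local"]
            local = bool({"local", "local-case"} & set(lists.get(chosen, implicit)))
        else:
            local = "login local" in cmds  # plain 'login' uses the line password
        if local:
            uses_local.append(name)
    return {"usernames": users, "uses_local": uses_local,
            "referenced_for_login": bool(uses_local)}
```

In the second config the `local` keyword at the end of the method list makes the username the fallback when TACACS+ is unreachable, so removing it there also removes that fallback.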
