Creating Users on a Cisco Router

Having user accounts on a router makes life and logging much easier. When creating users on a Cisco router we can assign different privilege levels to different users to restrict access to certain commands. You may want a junior admin to see a few things to help you troubleshoot but you don’t want him to be able to change anything.
In the following example we are going to add 2 local user accounts, one with the default privilege level (0) and one with full privilege level (15).

The privilege word is optional. When left out the default level will be applied.

required steps

We need to be in global configuration mode in order to create user accounts. The command is pretty simple, only one line.

username username password password

Creating user accounts is not enough though, we need to tell the router to use them too! We can accomplish this by selecting the line we want to apply it to and issuing the login local command.

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 ?
  <1-181>  Last Line number
  <cr>

R1(config)#line vty 0 181
R1(config-line)#login local
R1(config-line)#

optional commands

By default, user account passwords are stored in clear text in the configuration. We could use the service password-encryption command to apply a basic level of encryption on all clear text passwords. It is considered weak as it can be decrypted easily. You can test it yourself with this online decrypter.
It’s better practice to use the secret keyword when creating users instead of password, as its encryption is much stronger. The syntax is:

username username secret secret password

configuration

Let’s start by enabling service password-encryption and creating a user with the default privilege level of 0 and using the password command.

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service password-encryption
R1(config)#username JuniorAdmin password C1sc0
R1(config)#

Now create the second user but this time set the privilege level to 15 and use the secret to set the password.

R1(config)#username Admin ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>

R1(config)#username Admin privilege ?
  <0-15>  User privilege level

R1(config)#username Admin privilege 15 ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>

R1(config)#username Admin privilege 15 secret C1sc0
R1(config)#

All that is left to do is to instruct the router to use the local database at logon on the desired line(s). Here is how to set it up on the console line only.

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line console 0
R1(config-line)#login local
R1(config-line)#

verification

Log out and log in as JuniorAdmin. His privilege level is 0.

R1 con0 is now available

Press RETURN to get started.





User Access Verification

Username: JuniorAdmin
Password:
R1>

Log out again and log in as Admin.

R1 con0 is now available

Press RETURN to get started.





User Access Verification

Username: Admin
Password:
R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
R1#

See the difference? Because JuniorAdmin has a privilege level of 0, he arrives in EXEC mode when he logs in. If he wants to see the running configuration or make changes, he needs to enter the enable password or enable secret (whichever is configured), while the user Admin arrives in Privileged mode directly and can start fooling around without having to enter another password.

Instead of applying the login local command on specific lines, you could make it the default form of authentication on all lines by using the following global configuration commands:

R1(config)#aaa new-model
R1(config)#aaa authentication login default local

When this method is used, all users arrive in EXEC mode regardless of their privilege level! If the enable password or enable secret is not set, they will not be able to enter Privileged mode!

Check the running configuration for usernames.

R1#show run | section username
username AUTH_R2 password 7 00364313100819
username JuniorAdmin password 7 08021D5D0A49
username Admin privilege 15 secret 5 $1$E9mL$mNFzh1/nqz4nhA.rLm8fp0
R1#

Note the difference between the encryption of the password and the secret! The secret looks much more complicated, and it is!
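
An added example, not part of the original tutorial: a Python check over saved show run text that flags local users stored with password (type 0 or 7) instead of secret, and lines that lack login local when the AAA default list from this page is not configured. The function names and the vty block in the sample are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the tutorial's running configuration;
# the "line vty 0 4" block is an assumption added for the illustration.
SAMPLE_CONFIG = """\
service password-encryption
username JuniorAdmin password 7 08021D5D0A49
username Admin privilege 15 secret 5 $1$E9mL$mNFzh1/nqz4nhA.rLm8fp0
line con 0
 login local
line vty 0 4
 login
"""

USER_RE = re.compile(
    r"^username (?P<name>\S+)(?: privilege (?P<priv>\d+))?"
    r" (?P<kind>password|secret) (?P<type>\d+) \S+$")

def audit_users(config):
    """Return (user, explicit privilege or None, finding) for weak storage."""
    findings = []
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if not m or m["kind"] != "password":
            continue  # 'secret' entries are stored as a hash, not flagged
        priv = int(m["priv"]) if m["priv"] else None
        if m["type"] == "7":
            findings.append((m["name"], priv, "type 7 is reversible; use secret"))
        elif m["type"] == "0":
            findings.append((m["name"], priv, "clear text; use secret"))
    return findings

def lines_without_local_login(config):
    """Return line blocks (e.g. 'line vty 0 4') that lack 'login local'."""
    if re.search(r"^aaa authentication login default local\b", config, re.M):
        return []  # the AAA default method list already covers every line
    missing, current, has_local = [], None, False
    for raw in config.splitlines() + ["!"]:  # sentinel closes the last block
        if raw.startswith(" ") and current:
            has_local |= raw.strip() == "login local"
            continue
        if current and not has_local:
            missing.append(current)
        current = raw.strip() if raw.startswith("line ") else None
        has_local = False
    return missing

if __name__ == "__main__":
    print(audit_users(SAMPLE_CONFIG))
    print(lines_without_local_login(SAMPLE_CONFIG))
```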

Here is a little extra. Remember, I’ve started this tutorial by saying that having user accounts makes logging easier? Have a look at this snippet from the running configuration.

R1#show run
Building configuration...

Current configuration : 1013 bytes
!
! NVRAM config last updated at 21:30:19 UTC Sat Feb 5 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
 --More--

If the time and date are set on the router, the configuration file will store a timestamp and the name of the user who last saved it.

commands explained

Commands used with a brief explanation.

service password-encryption: Enables light encryption on all clear text passwords
username JuniorAdmin password C1sc0: Creates a user called JuniorAdmin with a password C1sc0
username Admin privilege 15 secret C1sc0: Creates a user called Admin with privilege level 15 and a strong password
line console 0: Selects the console line
login local: Instructs the router to use the local database to authenticate at log on instead of the line password (if there is one set)
copy run start: Saves the running configuration to the NVRAM
show run | section username: Shows the username section from the running configuration

Sisko Warrior
