Menu Close

How to Configure a Local Username Database in the Cisco IOS

How to Configure a Local Username Database in the Cisco IOS

In this article, we will take a step further in securing our Cisco router by using a local username / password database in the Cisco IOS. Thus, a user must know a username AND password to be granted access to the Cisco IOS. Let’s see how this is done.

Preparing for Cisco CCNP Exams? These are the videos you need to get certified…

Whether you are studying for the BCSI, BCMSN, ONT, ISCW or all four, Train Signal’s Cisco CCNP Training Series is the best out there. The instructor uses a "hands-on" method for teaching complex technologies. Each video covers all the bases and gives you more than enough test prep to pass any of your CCNP exams!

Daniel Petri

Click Here to Watch the Cisco CCNP Training Videos!

document.context=’YTowOnt9′; <a href=’;cb=INSERT_RANDOM_NUMBER_HERE’ target=’_blank’><img src=’;n=a32a6c46′ border=’0′ alt=” /></a>

Local Authentication

The most basic level of security you can configure on a Cisco IOS device is a password. When this is done, a password is assigned to allow access to the privileged/global configuration mode, and to protect initial entry to the user mode of the IOS.

However, the Cisco IOS can take this a step further, and have actual usernames and passwords assigned for access. By doing this, you have the real name of the person who is accessing the device. If you chose to do so, this username could be logged so that you know when that user logged into the router, and when they logged off.

The Cisco IOS can, of course, also support external authentication through services like Cisco ACS and RADIUS. In this example, we will create a basic local authentication database containing usernames and passwords, and then use that to login to the Cisco IOS device.

Creating the Database

To create the user database, you use the username command. Let’s create 2 users with different privileges. The Admin user will have level 15 (Cisco administrator / super-user access). The user Bob will have level 7 access (moderate user access). Here is how it is done:

username admin priv 15 password cisco
username bob priv 7 password cisco

Once these users are created, you need to enable the login on the lines to use the local database instead of just the line password, or no password at all.

Enabling Lines to use the Local Authentication Database

To tell each line to use these new user logins, you must go to each line and perform the login local command. This is different than just the login command, by itself. The login command enables password checking. By using only the login command, you are only enabling password checking for the line password, configured on that line. By using login local, you are telling the device to use the locally configured accounts in the username database.

Here is how you configure it:  

Let’s test it out!

Testing Local Login Authentication

To test our new usernames and the local line authentication we configured, log out of the router. Log back in and you should be prompted with a Username: prompt.

The enable secret command does encrypt the password with a strong encryption mechanism and it also sets a password to enter enable mode. Here is how you configure an enable secret password:

Testing Password Configuration

To test our new password configuration from the console port, exit out of all IOS modes. Once logged off, press enter to log back in.

Here is an example where I logged in with the admin account we created. I used the password “cisco”. Notice how I was immediately brought to the Router# prompt, without having to type an enable password. This is because I used the command privilege 15 on the username when I created it. That level of privilege also gives me full administrative access to the router.

After logging off, I logged back in as the bob user. Here is an example:

Notice in this example that this user was put into privilege mode 7, but this mode still didn’t allow them to access the global configuration mode. You can get very advanced when it comes to configuring privilege levels and commands in privilege levels.

At this point, we have successfully tested our local username authentication database and our two different users.


In this article, we learned how to configure a local username/password database in the Cisco IOS. We configured our lines (aux, console, and vty) to use the local database using the login local command. We then used that database for local login authentication. The privilege command can also be used to set privileges for these users. There are many more options for the username and privilege commands. For more information on configuring Cisco IOS usernames, see the Cisco documentation username command reference.

About the writer

David Davis (CCIE #9369, CWNA, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. He has written over fifty articles, eight practice tests and three video courses and has co-authored one book. His website is at

David Davis is also one of the forum moderators.

Rate this post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.