Administration
Cisco provides a few different options for authenticating individuals who connect to the switch (local, TACACS+, RADIUS, Kerberos).
For this article, we’ll be creating a local user account and employing Cisco’s AAA (Authentication, Authorization, and Accounting) features to control enforcement.
Create a User Account
Create a new username/password with a privilege level of 15 (full administrative control). Cisco uses privilege levels from 0-15 to delineate the amount of control an account has over the device. For more information, please see the Study CCNA website.
Switch(config)# username [username] privilege 15 secret [password]
Why secret and not password?
Back in the day, you’d use password rather than secret when specifying the password. This is no longer recommended, as the password you enter will be encrypted using a weak, easily breakable cipher. Rather, it’s now best practice to always use secret when specifying passwords, preferably type 6 or 9. For more information, see this great article on Cisco’s forums.
Enable AAA
Enable AAA services to control authentication, accounting and authorization.
Switch(config)# aaa new-model
Configure AAA so the switch will use the local database for authentication.
Switch(config)# aaa authentication login default local
Configure AAA so when logging in you’ll be immediately in Privilege EXEC mode.
Switch(config)# aaa authorization exec default local
Lastly, configure an enable secret. This is required to continue to have access via a console connection.
Switch(config)# enable secret [password]
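The secret-versus-password and enable secret points above are easy to audit from a saved running-config. The following is an added example (not from the original article) that scans a constructed sample config for the weak settings discussed: username lines still using password (type 0/7), legacy MD5 type 5 secrets, enable password instead of enable secret, and a missing aaa new-model.

```python
import re

# Constructed sample running-config: it follows the article's steps but
# deliberately leaves two weak settings in place for the audit to catch.
SAMPLE_CONFIG = """\
hostname Switch
username admin privilege 15 password 7 094F471A1A0A
username ops privilege 15 secret 9 $9$constructedhashvalue
enable password cisco123
line con 0
 login local
line vty 0 15
 login local
"""


def audit_config(config: str) -> list[str]:
    """Flag weak credential settings in a Cisco IOS running-config.

    Checks: 'username ... password' (reversible type 0/7) instead of
    'secret', legacy MD5 'secret 5', 'enable password' instead of
    'enable secret', and a missing 'aaa new-model'.
    """
    findings = []
    lines = config.splitlines()
    for line in lines:
        # username lines that still use the reversible 'password' keyword
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(
                f"username {m.group(1)}: uses 'password' (type 0/7), use 'secret'"
            )
        # hashed secrets are stored with their type number after 'secret'
        m = re.match(r"username (\S+) .*\bsecret (\d)\b", line)
        if m and m.group(2) == "5":
            findings.append(f"username {m.group(1)}: 'secret 5' is MD5, prefer type 9")
        if re.match(r"enable password\b", line):
            findings.append("enable password: reversible, use 'enable secret'")
    # without aaa new-model the login/authorization method lists never apply
    if "aaa new-model" not in lines:
        findings.append("aaa new-model: not configured, AAA is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```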
Configure Access Controls
For our final steps, configure the switch so access via the console will require a username and password.
Switch(config)# line con 0
Switch(config-line)# login local
Perform the same steps to require a username and password when logging in via SSH.
Switch(config)# line vty 0 15
Switch(config-line)# login local
Your new account is all set up; however, access via a remote protocol such as SSH hasn’t yet been configured. See the next article to configure remote access.