Lines and local user authentication

5.1 Configure and verify device access control

📘 CCNP ENCOR (350-401 ENCOR v1.1)


1. What is Device Access Control?

Device access control means controlling who can access a network device (router or switch) and how they access it.

Cisco devices support different access methods, such as:

  • Console access (physical)
  • Remote access (SSH or Telnet)
  • Auxiliary access (legacy modem)

To secure these access methods, Cisco uses:

  • Lines (console, VTY, AUX)
  • Authentication methods (local users, passwords, or AAA)

This sub-topic focuses on:

  • Lines
  • Local user authentication

2. What Are Lines in Cisco IOS?

In Cisco IOS, a line represents a connection method used to access the device.

Types of Lines (Exam Important)

Line Type        Purpose
Console line     Local physical access
VTY lines        Remote access (SSH/Telnet)
AUX line         Legacy remote access via modem

Each line can have:

  • Passwords
  • Login methods
  • Timeout settings
  • Transport settings (SSH/Telnet)

3. Console Line (line console 0)

What is the Console Line?

  • Used for direct physical access
  • Requires a console cable
  • Works even if the device has no IP address
  • Used for initial configuration and recovery

There is only one console line:

line console 0

Console Line Authentication

By default, the console line has no password: anyone who plugs in a console cable gets a prompt.

To protect it, you can use:

  1. Line password
  2. Local user authentication

Console Line with Password (Basic Method)

line console 0
 password cisco
 login

Explanation:

  • password cisco → sets a password
  • login → forces password checking

📌 Exam Note:
This method is less secure and not recommended for production networks.


Console Line with Local User Authentication (Recommended)

username admin secret Admin@123
line console 0
 login local

Explanation:

  • username admin secret Admin@123 → creates a local user
  • login local → tells the console to use the local user database

✔ More secure
✔ Uses usernames instead of shared passwords


4. VTY Lines (Virtual Terminal Lines)

What Are VTY Lines?

VTY lines are used for remote access to the device.

They support:

  • SSH (secure – recommended)
  • Telnet (not secure)

Common VTY lines:

line vty 0 4    (VTY lines 0 through 4)
line vty 0 15   (VTY lines 0 through 15)

VTY Line Access Methods

Method    Security Level
Telnet    Not secure (plaintext)
SSH       Secure (encrypted)

📌 Exam Requirement:
SSH should always be preferred over Telnet.


VTY Lines with Password (Old Method)

line vty 0 4
 password cisco
 login

⚠ Not secure
⚠ Same password for all users


VTY Lines with Local User Authentication (Recommended)

username admin secret Admin@123
line vty 0 4
 login local

What happens here?

  • User connects via SSH/Telnet
  • Device asks for username and password
  • Credentials are checked against the local user database

Allow Only SSH on VTY Lines (Exam Critical)

line vty 0 4
 transport input ssh

This:

  • Blocks Telnet
  • Allows only SSH access

✔ Strongly tested in CCNP exams


5. Local User Authentication

What Is Local User Authentication?

Local user authentication means:

  • Usernames and passwords are stored locally on the device
  • No external server is needed

Users are created using:

username <name> secret <password>

Password vs Secret (Very Important)

Command     Encryption
password    Weak (Type 0 or 7)
secret      Strong (Type 5 or better)

📌 Always use secret, not password.


Example Local Users

username admin secret Admin@123
username network secret Net@456

Each user can log in independently.


6. How Local Authentication Works (Step-by-Step)

  1. User connects via console or SSH
  2. Line has login local
  3. Device prompts for username
  4. User enters username
  5. Device asks for password
  6. Credentials are verified against local database
  7. Access is granted or denied

7. AUX Line (Auxiliary Line)

What Is AUX Line?

  • Used for modem-based remote access
  • Rarely used today
  • Still part of IOS for legacy reasons

Command:

line aux 0

Authentication works the same way as console and VTY lines.


8. Line Timeouts (Security Feature)

To disconnect inactive sessions:

line console 0
 exec-timeout 5 0

This means:

  • Disconnect the session after 5 minutes and 0 seconds of inactivity
  • Prevents unattended sessions from staying logged in

9. Verifying Line and Authentication Configuration (Exam Commands)

Show Line Status

show line

Shows:

  • Line numbers
  • Connection status
  • Active sessions

Show Users Logged In

show users

Displays:

  • Who is currently logged in
  • Which line they are using

Show Local Users

show running-config | section username

Confirms:

  • Local users
  • Encrypted passwords

Show VTY Configuration

show running-config | section line vty

Verifies:

  • login local
  • transport input ssh

10. Common Exam Mistakes to Avoid

❌ Using login instead of login local
❌ Using password instead of secret
❌ Allowing Telnet on VTY lines
❌ Forgetting to create a local user
❌ Not securing console access
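The verification commands in section 9 and the mistakes listed in section 10 can be checked mechanically against the text of show running-config. The following Python script is an added example, not part of the original notes or any Cisco tool: it parses a constructed running-config excerpt (the Type 5 hash is an obviously fake placeholder) and reports every line that lacks login local, every VTY line without transport input ssh, every exec-timeout that is missing or set to 0 0, and every username stored with password instead of secret. A second, hardened excerpt shows the configuration the notes recommend and produces no findings.

```python
import re

# Constructed sample running-config excerpts (not captured from a real device).
# The Type 5 hash below is an obviously fake placeholder, not a real digest.
WEAK_CONFIG = """\
hostname R1
!
username admin privilege 15 secret 5 $1$SALT$PLACEHOLDER_NOT_A_REAL_HASH
username legacy password 0 cisco
!
line con 0
 password cisco
 login
line aux 0
 login local
 exec-timeout 5 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
line vty 5 15
 password cisco
 login
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
hostname R1
!
username admin privilege 15 secret 5 $1$SALT$PLACEHOLDER_NOT_A_REAL_HASH
!
line con 0
 login local
 exec-timeout 5 0
line aux 0
 login local
 exec-timeout 5 0
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 0
!
end
"""

# 'privilege N' may sit between the name and the secret/password keyword.
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (secret|password)\b")
LINE_RE = re.compile(r"^line (con|console|aux|vty)\b(.*)$")


def parse_config(config):
    """Return ({username: 'secret' | 'password'}, {'vty 0 4': [sub-commands], ...}).

    IOS prints line sub-commands indented by one space under their 'line'
    header; that indentation is the only structure this parser relies on.
    """
    users, lines, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
            continue
        current = None                      # any unindented command ends the line block
        if m := USER_RE.match(raw):
            users[m.group(1)] = m.group(2)
        elif m := LINE_RE.match(raw):
            kind = "con" if m.group(1) == "console" else m.group(1)
            current = kind + m.group(2)     # e.g. "con 0", "vty 0 4"
            lines[current] = []
    return users, lines


def audit(config):
    """Return a list of findings; an empty list means every checked item is in place."""
    users, lines = parse_config(config)
    findings = []
    for name, kind in users.items():
        if kind == "password":
            findings.append(f"username {name}: stored with 'password' (Type 0/7); use 'secret'")
    for line, cmds in lines.items():
        if "login local" not in cmds:
            detail = " (line password with 'login')" if "login" in cmds else ""
            findings.append(f"line {line}: no 'login local'{detail}")
        elif not users:
            findings.append(f"line {line}: 'login local' set but no local user exists")
        if line.startswith("vty") and "transport input ssh" not in cmds:
            findings.append(f"line {line}: 'transport input ssh' not set; Telnet may be accepted")
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"line {line}: exec-timeout not set explicitly; platform default applies")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"line {line}: exec-timeout 0 disables the idle timeout")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against the output of show running-config saved to a file and you get one line per checklist item that is not in place; the hardened excerpt is the complete configuration that sections 3 through 8 build up to, so it doubles as a reference answer for the checklist in section 12.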


11. Exam Summary (Must-Remember Points)

✔ Lines control how users access the device
✔ Console = physical access
✔ VTY = remote access (SSH/Telnet)
✔ Local authentication uses device-stored users
✔ login local enables username-based login
✔ username <name> secret <password> is best practice
✔ SSH is required for secure remote access
✔ Verification commands are important for troubleshooting


12. One-Page Quick Exam Checklist

  • line console 0
  • line vty 0 4 or 0 15
  • username admin secret
  • login local
  • transport input ssh
  • exec-timeout
  • show line, show users
