Cisco Catalyst AAA Local Authentication

When using AAA local authentication on a Catalyst switch, is there any need for a global 'enable secret' password statement? Or does the 'username' command handle the password issues?
username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local 
!         
aaa session-id common
 
 
line con 0
 exec-timeout 0 0
line vty 0 4
 logging synchronous
 transport input ssh
line vty 5 15
 logging synchronous
 transport input ssh
!

Asked by: jimm

Donboo commented:
To answer your question about the need for "enable secret", it's yes and no, meaning that in theory if you create a user with a privilege level 15 it would be the same access level as the "enable secret" and thus "enable secret" is not needed. This is of course when using AAA login local for all access methods: ssh, telnet, http and console.

Normally I use a setup for vty/http access with username/password, and for console I use a console password together with "enable secret" in case someone decides to erase all users from the local database.

Even if you configure console access with AAA login local I'd still recommend using "enable secret".

ccsistaff commented:
The username password statement is used for local authentication using aaa.

ccsistaff commented:
As a side note, it's still a good idea to set an enable secret for security reasons. Using the local username password command gives you control over privilege levels for each user allowed to log in to the switch.
Question has a verified solution.
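
An added example, not part of the original thread: a small Python check that reads an IOS configuration such as the one in the question and reports the points the answers raise (whether an enable secret exists alongside local AAA login, which local users are privilege 15, and which passwords are stored as type 0). The function name `audit`, the report keys and the warning wording are assumptions made for this example.

```python
import re

# Constructed sample: the relevant lines of the configuration from the question.
SAMPLE_CONFIG = """\
username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input ssh
"""

# username <name> [privilege <n>] {password|secret} [<type>] <value>
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>password|secret)(?:\s+(?P<type>\d+))?\s+\S+", re.M)

def audit(config: str) -> dict:
    """Summarise the local-authentication posture of an IOS config (hypothetical helper)."""
    users = [m.groupdict() for m in USER_RE.finditer(config)]
    report = {
        "aaa_login_local": bool(re.search(
            r"^aaa authentication login default\b.*\blocal\b", config, re.M)),
        "enable_secret_set": bool(re.search(r"^enable secret\s+\S", config, re.M)),
        "priv15_users": [u["name"] for u in users if u["priv"] == "15"],
        # 'password 0' (or no type given) means the value sits in the config in cleartext.
        "cleartext_users": [u["name"] for u in users
                            if u["kind"] == "password" and u["type"] in (None, "0")],
        "warnings": [],
    }
    if report["aaa_login_local"] and not report["enable_secret_set"]:
        # The fallback case from the answers: nothing is left if the local users are erased.
        report["warnings"].append(
            "no enable secret: privileged access depends only on local users")
    if report["aaa_login_local"] and not report["priv15_users"]:
        report["warnings"].append("local login enabled but no privilege 15 user defined")
    for name in report["cleartext_users"]:
        report["warnings"].append(f"user {name}: password stored as type 0 (cleartext)")
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```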
