Cisco Catalyst AAA Local Authentication

Posted on 2009-04-30
Last Modified: 2012-06-21
When using AAA local authentication on a Catalyst switch, is there any need for a global 'enable secret' password statement? Or does the 'username' command handle the password issues?

username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa session-id common
line con 0
 exec-timeout 0 0
line vty 0 4
 logging synchronous
 transport input ssh
line vty 5 15
 logging synchronous
 transport input ssh


Question by: jimm
    LVL 3

    Expert Comment

    The username password statement is used for local authentication using AAA.
    LVL 3

    Expert Comment

    As a side note, it's still a good idea to set an enable secret for security reasons. Using the local username password command gives you control over privilege levels for each user allowed to log in to the switch.
    LVL 9

    Accepted Solution

    To answer your question about the need for "enable secret": it's yes and no, meaning that in theory, if you create a user with privilege level 15, it would be the same access level as the "enable secret", and thus "enable secret" is not needed. This is of course when using AAA login local for all access methods: ssh, telnet, http and console.

    Normally I use a setup for vty/http access with username/password, and for console I use a console password together with "enable secret" in case someone decides to erase all users from the local database.

    Even if you configure console access with AAA login local, I'd still recommend using "enable secret".
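
An added example, not part of the original thread: a small Python check that reads an IOS configuration like the one in the question and reports the points the answers raise (whether an enable secret exists as a fallback, which local users get privilege 15, and which are stored with a cleartext `password`). The function name, field names and finding texts are hypothetical; the sample is the question's configuration, trimmed.

```python
import re

# The question's configuration, trimmed to the lines this check reads.
SAMPLE = """\
username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input ssh
"""

# username NAME [privilege N] password|secret [TYPE] VALUE
# TYPE is only read as a type when another token (the value) follows it.
USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+(password|secret)"
    r"(?:\s+(\d+)(?=\s+\S))?", re.M)

def audit(config):
    """Report the AAA-local / enable-secret facts discussed in the thread."""
    def has(pattern):
        return re.search(pattern, config, re.M) is not None

    users = USER_RE.findall(config)  # tuples: (name, privilege, keyword, type)
    r = {
        "local_login": has(r"^aaa new-model\s*$")
            and has(r"^aaa authentication login default\b.*\blocal\b"),
        "enable_secret": has(r"^enable secret\s+\S"),
        "priv15_users": [n for n, p, _, _ in users if p == "15"],
        # 'password' with type 0 (or no type) is readable in the config text.
        "cleartext_users": [n for n, _, kw, t in users
                            if kw == "password" and t in ("", "0")],
    }
    findings = []
    if not r["enable_secret"]:
        findings.append("no enable secret as a fallback to the local user database")
    if r["local_login"] and not r["priv15_users"]:
        findings.append("local login is configured but no privilege 15 user exists")
    if r["cleartext_users"]:
        findings.append("cleartext password for: " + ", ".join(r["cleartext_users"]))
    r["findings"] = findings
    return r

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)["findings"]))
```

Run against the question's configuration, it flags the missing enable secret and the type 0 password for user `cisco`; a configuration that uses `username ... secret` plus an `enable secret` line comes back with no findings.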
