Cisco Catalyst AAA Local Authentication

Posted on 2009-04-30
Medium Priority
Last Modified: 2012-06-21
When using AAA local authentication on a catalyst switch, is there any need for a global 'enable secret' password statement? Or does the 'username' command handle the password issues?
username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local 
aaa session-id common
line con 0
 exec-timeout 0 0
line vty 0 4
 logging synchronous
 transport input ssh
line vty 5 15
 logging synchronous
 transport input ssh


Question by:jimm

Expert Comment

ID: 24272755
The username password statement is used for local authentication using aaa.

Expert Comment

ID: 24272769
As a side note, it's still a good idea to set an enable secret for security reasons. Using the local username password command gives you control over privilege levels for each user allowed to log in to the switch.

Accepted Solution

Donboo earned 2000 total points
ID: 24273405
To answer your question about the need for "enable secret", it's yes and no, meaning that in theory if you create a user with privilege level 15 it would be the same access level as the "enable secret" and thus "enable secret" is not needed. This is of course when using AAA login local for all access methods: ssh, telnet, http and console.

Normally I use a setup for vty/http access with username/password and for console I use a console password together with "enable secret" in case someone decides to erase all users from the local database.

Even if you configure console access with AAA login local I'd still recommend using "enable secret".
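An added example, not part of the thread or of any Cisco tool: a small Python check that reads IOS-style running-config text and reports the three things discussed above (is local AAA login in use, is there an "enable secret" fallback, and which privilege-15 users are stored with a reversible `password` rather than a hashed `secret`). The sample config is constructed to mirror the question's configuration; the `$1$PLACEHOLDER` hash is a placeholder, not a real value.

```python
"""Audit IOS-style config text for the AAA/enable-secret points in this thread."""
import re

# Constructed sample mirroring the question's config (not a real device).
SAMPLE_CONFIG = """\
username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default local
aaa authorization exec default local
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input ssh
"""

# Constructed hardened variant: hashed user secret plus an enable secret fallback.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "username cisco privilege 15 password 0 cisco",
    "username cisco privilege 15 secret 5 $1$PLACEHOLDER\nenable secret 5 $1$PLACEHOLDER",
)

# username <name> [privilege <n>] password|secret [<type>] <value>
USER_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d+))? (\S+)"
)
LOCAL_LOGIN_RE = re.compile(r"^aaa authentication login \S+ .*\blocal\b")


def audit_aaa_config(config: str) -> dict:
    """Return findings keyed by name so a caller can alert on them."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    local_login = any(LOCAL_LOGIN_RE.match(ln) for ln in lines)
    has_enable_secret = any(ln.startswith("enable secret ") for ln in lines)
    priv15_with_password = []
    for ln in lines:
        m = USER_RE.match(ln)
        if not m:
            continue
        name, priv, kind, _enc_type, _value = m.groups()
        # 'password' (type 0/7) is reversible; 'secret' stores a hash.
        if priv == "15" and kind == "password":
            priv15_with_password.append(name)
    return {
        "local_login": local_login,
        "has_enable_secret": has_enable_secret,
        "priv15_with_password": priv15_with_password,
        # The accepted answer's point: keep a fallback if local users vanish.
        "needs_enable_secret": local_login and not has_enable_secret,
    }
```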
