Setting Up User IDs

Problem

You want to assign individual (or group) user IDs and passwords to network staff.

Solution

To enable locally administered user IDs, use the following set of configuration commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username ijbrown password oreilly
Router1(config)#username kdooley password cookbook
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#exit
Router1(config)#end
Router1#

The username command also allows you to create usernames without passwords by specifying the nopassword keyword:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username weak nopassword
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#

However, we strongly recommend against doing this because it can severely weaken the router's security.

Discussion

Enabling locally administered usernames overrides the default VTY password-based authentication system. When you enable the aaa new-model command, as shown in this recipe, the router will immediately begin to prompt for usernames as well as passwords. Assigning unique usernames to individuals or groups provides accountability, as we will show later. The following example shows the login prompt for a router using local authentication:

Freebsd%telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: ijbrown
Password:

Router1>

The router prompts for the username as well as the password. Compare this to how the router behaves when just a password is set on the VTY lines:

Freebsd%telnet Router2
Trying 172.25.1.6...
Connected to Router2.
Escape character is '^]'.

User Access Verification

Password:

Router2>

When you configure locally administered usernames, the router will prompt for usernames on all lines, including the console and AUX ports, as well as the VTY ports used for Telnet sessions. To avoid locking yourself out of the router, you should always configure a username command before entering the AAA commands. It is also a good idea to test the new authentication system from a second terminal session before logging out of your original session. If you do accidentally lock yourself out of the router, you will need to follow the normal password-recovery procedures for your router type. We discuss AAA commands further in Chapter 4.

Locally administered usernames work well in a small environment with a limited number of administrators. However, this method does not scale well to a large network with many administrators. Keeping usernames synchronized across an entire network can become quite daunting. Fortunately, Cisco also supports an advanced authentication methodology called Authentication, Authorization, and Accounting (AAA), which we discuss in Chapter 4. AAA provides a centralized server that administers usernames and passwords (among other features).

Enabling username support causes the router to associate certain functions with usernames. This provides accountability for each username by showing exactly who is doing what. For instance, the output of the show users command will include active usernames:

Router1>show users
    Line       User       Host(s)              Idle       Location
  66 vty 0     ijbrown    idle                 00:36:21   freebsd.oreilly.com
  67 vty 1     kdooley    idle                 00:00:24   server1.oreilly.com
* 68 vty 2     weak       idle                 00:00:00   freebsd.oreilly.com

  Interface      User        Mode                     Idle     Peer Address

Router1>

More importantly, log messages will capture the username of the individual who invoked certain high-profile commands, such as configuration changes, the clearing of counters, and reloads. For example:

Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).

Notice that these log messages now include the username associated with each action. So instead of just knowing that somebody changed the configuration or reloaded the router, you can see exactly who did it.
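The attribution described above can be pulled out of a syslog archive mechanically. The following is an added example, not code from the original recipe: a small Python parser run over the three messages shown above plus one constructed line (an assumed form of the message for a session with no username) to show how unattributed actions are kept separate.

```python
import re
from collections import defaultdict

# The three messages from the recipe, plus one constructed line (assumed form)
# for a session with no username, to show the unattributed case.
SAMPLE_LOG = """\
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Jun 27 14:30:02: %SYS-5-CONFIG_I: Configured from console by vty1 (172.25.1.1)
"""

# "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>"
MSG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# "... by <user> on <line> (<source address>)"
ACTOR_RE = re.compile(r"\bby (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)")
# Mnemonics of the high-profile actions the recipe lists.
WATCHED = {"CONFIG_I", "COUNTERS", "RELOAD"}


def parse_line(line):
    """Return (user, ts, event, line, src) for a watched message, else None.
    user is None when the message names no username."""
    m = MSG_RE.match(line.strip())
    if not m or m["mnemonic"] not in WATCHED:
        return None
    event = f"{m['facility']}-{m['mnemonic']}"
    actor = ACTOR_RE.search(m["text"])
    if actor is None:
        return (None, m["ts"], event, None, None)
    return (actor["user"], m["ts"], event, actor["line"], actor["src"])


def actions_by_user(log_text):
    """Group watched actions by username; unattributed ones go under None."""
    grouped = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            grouped[parsed[0]].append(parsed[1:])
    return dict(grouped)


if __name__ == "__main__":
    for user, actions in actions_by_user(SAMPLE_LOG).items():
        print(user or "<no username>", actions)
```

Entries grouped under None are the ones to chase: they mean a change was made through a line that did not require a username.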

In addition, the router captures the username of the last person to modify its configuration or save the configuration to NVRAM, which is visible in the output of the show running-config command:

Router1#show running-config 
Building configuration...

Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
!
version 12.2

The username command also has an autocommand keyword, which you can use to assign an EXEC-level command to a particular username. This is useful when you want to provide limited access to a particular command, while restricting access to everything else on the router. For example, you might want to set up a special username that anybody could use to run a single router command, and then terminate the session:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username run nopassword noescape
Router1(config)#username run autocommand show ip interface brief
Router1(config)#end
Router1#

In this example, we defined the username run without a password and assigned it an autocommand of show ip interface brief. When you log in to the router with this username, the router will not prompt for a password. It will just automatically execute the command and then terminate the session:

Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: run
Interface                  IP-Address      OK? Method Status                Protocol
BRI0/0                     unassigned      YES NVRAM  administratively down down
Ethernet0/0                172.25.1.8      YES NVRAM  administratively down down
BRI0/0:1                   unassigned      YES unset  administratively down down
BRI0/0:2                   unassigned      YES unset  administratively down down
FastEthernet1/0            172.22.1.4      YES NVRAM  up                    up
Loopback0                  192.168.20.1    YES NVRAM  up                    up
Connection closed by foreign host.
Freebsd%

Notice how the router issued the command and then terminated the session without providing the opportunity to issue another command.

The noescape keyword prevents the user from issuing an escape sequence to access the router EXEC. We strongly recommend using this keyword whenever you use autocommands.
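The two recommendations in this recipe (avoid nopassword accounts that reach the EXEC, and always pair autocommand with noescape) can be checked against a saved configuration. The following is an added example, not code from the original recipe: a Python audit run over a constructed configuration fragment that uses the recipe's usernames plus a hypothetical "view" account.

```python
import re

# Constructed fragment: the usernames from this recipe plus a hypothetical
# "view" account that has an autocommand but lacks noescape.
SAMPLE_CONFIG = """\
username ijbrown password oreilly
username kdooley password cookbook
username weak nopassword
username run nopassword noescape
username run autocommand show ip interface brief
username view password example
username view autocommand show users
"""


def collect_users(config_text):
    """Merge the attributes of every username line into one record per user."""
    users = {}
    for raw in config_text.splitlines():
        m = re.match(r"username\s+(\S+)\s*(.*)$", raw.strip())
        if not m:
            continue
        rec = users.setdefault(
            m.group(1), {"nopassword": False, "noescape": False, "autocommand": None}
        )
        tokens = m.group(2).split()
        for i, tok in enumerate(tokens):
            if tok in ("password", "secret"):
                break  # the rest of the line is the credential, not keywords
            if tok == "autocommand":
                rec["autocommand"] = " ".join(tokens[i + 1:])
                break  # autocommand takes the rest of the line
            if tok in ("nopassword", "noescape"):
                rec[tok] = True
    return users


def audit(config_text):
    """Return sorted (username, finding) pairs for the two risky patterns."""
    findings = []
    for name, rec in collect_users(config_text).items():
        if rec["nopassword"] and rec["autocommand"] is None:
            findings.append((name, "nopassword without autocommand"))
        if rec["autocommand"] is not None and not rec["noescape"]:
            findings.append((name, "autocommand without noescape"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

The run account from the recipe passes because its attributes are merged across both of its username lines before the checks are applied.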

See Also