Working with Router Users
User accounts are required on a router in order to log in. These accounts can be stored in a local database on the router or on a central authentication (AAA) server that the router reaches over a protocol such as TACACS+ (Terminal Access Controller Access-Control System Plus, the current form of TACACS) or RADIUS.
Most small organizations, and even some larger ones, rely on the local database for user authentication, so that is the user-creation option described here. Keep in mind that local accounts exist only on the router they were created on; a change such as a password reset or an account removal has to be repeated on every router.
To use the local database for authentication, you need to follow these two steps:
Create at least one user account.
Configure your router to use the local database rather than a line password. This is done per line (console, aux, and the vty lines used by Telnet and SSH), not per network interface: a line configured with plain login prompts only for the line password, whereas login local prompts for a username and password and checks them against the local database.
Creating a user in the account database
To create a user in the account database, use a command like the following to specify the username and password. Note that the password keyword stores the password in a reversible form (plaintext, or the trivially decodable type 7 encoding if service password-encryption is enabled); on any IOS release that supports it, prefer username NAME secret PASSWORD, which stores a salted hash instead, so that anyone who obtains a copy of the configuration does not also obtain the passwords.
Router2>enable
Password:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#username remoteuser password remotepass
Router2(config)#username edt password edpass
Router2(config)#exit
Removing a user
To remove a user, prefix the same command with the standard no keyword and specify only the username. The following session removes the user named remoteuser from the local database:
Router2>enable
Password:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#no username remoteuser
Router2(config)#exit
Enable user-level protection
Finally, you need to enable the login local setting on each line you want to protect with this user-level protection, using a command similar to the following. The example applies it to the auxiliary port only; in practice you will want it on the console and on all of the vty lines (line vty 0 4), because the vty lines are where remote management sessions arrive. Create at least one working user account before you apply login local to the line you are currently connected through, or you can lock yourself out of the router.
Router2>enable
Password:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#line aux 0
Router2(config-line)#login local
Router2(config-line)#exit
Router2(config)#exit
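Putting the three steps together, the following is an added example configuration (it is not from the original page) that goes a little beyond the walkthrough above: the account is stored as a hash with secret rather than password, login local is applied to the console, the aux port and all five vty lines rather than to aux 0 alone, and the vty lines are restricted to SSH. The hostname, domain name, username, passphrase placeholders and privilege level are assumptions chosen for the example; adjust them to your environment.

```cisco
! Added example: local user authentication on a Cisco IOS router.
! Hostname, domain name, username and passphrases are placeholders.
hostname Router2
ip domain-name example.com
!
! An RSA key pair is required before SSH can be used on the vty lines.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Weak form from the walkthrough: the password is stored reversibly
! (type 0 plaintext, or type 7 once service password-encryption is on).
!   username remoteuser password remotepass
!
! Preferred form: secret stores a salted hash (type 5, or 8/9 on newer
! releases). privilege 15 grants full administrative access; lower it
! for accounts that should not be able to change the configuration.
username remoteuser privilege 15 secret <choose-a-strong-passphrase>
!
! Protect enable mode with a hash as well, using a different passphrase.
enable secret <choose-a-different-passphrase>
!
! Obscure any remaining type-0 passwords in the running configuration.
! Type 7 is still reversible, so this is no substitute for secret.
service password-encryption
!
! Create the user (above) BEFORE applying login local, otherwise the
! next login attempt on these lines fails and you are locked out.
line con 0
 login local
 exec-timeout 10 0
line aux 0
 login local
 exec-timeout 10 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verification, from privileged EXEC mode after the change:
!   show running-config | include ^username
!   show users all
```

Before closing the session you configured from, open a second SSH session as the new user and confirm that show users all lists that session with the username in the User column; only then disconnect the first session.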
Showing connected users
At times, you will want to find out who is connected to your router and performing management operations. You can easily do so with the show users command, which lists the lines that currently have a session; adding the all keyword, as in the example, also lists the lines that are idle. Here is an example of the output:
Router2>enable
Password:
Router2#show users all
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
    65 aux 0                                   00:00:00
    66 vty 0              idle                 00:02:01   192.168.1.3
    67 vty 1                                   00:00:00
    68 vty 2                                   00:00:00
    69 vty 3                                   00:00:00
    70 vty 4                                   00:00:00
    71 vty 5   remoteuser idle                 00:01:05   192.168.1.137

  Interface    User               Mode         Idle     Peer Address
The line marked with an asterisk (con 0) is the session from which you ran the command. The Location column shows the source IP address of each remote session. A session that has a host in the Host(s) column but nothing in the User column, such as vty 0, was authenticated with a line password, so the router cannot tell you who is using it; the session on vty 5 was authenticated against the local database and is attributed to remoteuser. Forcing every management line to use user-based authentication (login local) is what makes this attribution possible, and it is the first thing an incident responder looks for when an unexpected configuration change turns up on a router.