Difference between Cisco Login & Login Local Commands

There are two commands, login and login local, under line VTY, console and AUX configuration in Cisco IOS. The login command authenticates access to the device with the password configured under the line configuration, and the login local command authenticates access with the local username database.

Login Command Configuration on Line VTY

I have configured the login command under line VTY and a local username database as below.

ciscoconsole#sh run | b line vty
line vty 0 4
password cisco
login
transport input all
line vty 5 15
password cisco
login
transport input all
!
We can configure local user accounts on a Cisco router or switch, and it is much easier to log in when login falls back from TACACS+/RADIUS to local. When creating users on a Cisco router we can assign different privilege levels (0-15) to different users to restrict access to certain commands. You may want a junior admin to see a few things to help you troubleshoot, but you don't want him to be able to change anything. Level 1 will place the user in user exec mode when they log in, and without knowing the enable password or secret they will not be able to enter enable mode. Level 15, on the other hand, will send the user directly to enable mode when they log in, as their account's password will be a level 15 (privileged exec) password.

ciscoconsole#sh run | i username
username cisco privilege 15 password 0 cisco

SSH configuration on Cisco Router

ciscoconsole(config)#ip domain-name ciscoconsole.com
ciscoconsole(config)#crypto key generate rsa general-keys modulus 1024

The name for the keys will be: R1.ciscoconsole.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 1 seconds)

ciscoconsole (config)#
*Jan  5 12:22:53.923: %SSH-5-ENABLED: SSH 2.0 has been enabled
ciscoconsole(config)#ip ssh version 2
ciscoconsole(config)#ip ssh time-out 120

When I tried to access the device with Telnet, I got a login prompt with a password only. I was able to log in with the password configured under line VTY.

User Access Verification
 
Password:
R1>

But when I tried to log in with SSH, I got username and password prompts, and access was denied after I entered the local username and password.

login as: cisco
cisco@192.168.1.200’s password:
Access denied
cisco@192.168.1.200’s password:

I observed the logs below on the Cisco router.

000209: *Dec 22 09:26:25.059 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.66.66] [localport: 22] [Reason: Login Authentication Failed] at 09:26:25 UTC Tue Dec 22 2015
000210: *Dec 22 09:26:33.778 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.66.66] [localport: 22] [Reason: Login Authentication Failed] at 09:26:33 UTC Tue Dec 22 2015
000211: *Dec 22 09:27:03.777 UTC: %SSH-5-SSH2_USERAUTH: User ‘admin’ authentication for SSH2 Session from 192.168.66.66 (tty = 1) using crypto cipher ‘aes256-cbc’, hmac ‘hmac-sha1’ Failed
000212: *Dec 22 09:27:03.777 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.66.66 (tty = 1) for user ‘admin’ using crypto cipher ‘aes256-cbc’, hmac ‘hmac-sha1’ closed
000213: *Dec 22 09:32:20.280 UTC: %SSH-5-SSH_SESSION: SSH Session request from 192.168.66.66 (tty = 1) using crypto cipher ‘3DES’ Succeeded
000214: *Dec 22 09:32:37.829 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.66.66] [localport: 22] [Reason: Login Authentication Failed] at 09:32:37 UTC Tue Dec 22 2015
000215: *Dec 22 09:32:53.449 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.66.66] [localport: 22] [Reason: Login Authentication Failed] at 09:32:53 UTC Tue Dec 22 2015
000216: *Dec 22 09:32:57.739 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (192.168.66.66)
000217: *Dec 22 09:33:53.447 UTC: %SSH-5-SSH_USERAUTH: User ‘admin’ authentication for SSH Session from 192.168.66.66 (tty = 1) using crypto cipher ‘3DES’ Failed
000218: *Dec 22 09:33:53.447 UTC: %SSH-5-SSH_CLOSE: SSH Session from 192.168.66.66 (tty = 1) for user ‘admin’ using crypto cipher ‘3DES’ closed
000219: *Dec 22 09:35:22.707 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (192.168.66.66)
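The %SEC_LOGIN-4-LOGIN_FAILED lines above are the signal a defender would watch for this symptom (repeated failures on localport 22 from one source). The following parser is an added example, not part of the original post; the sample lines are constructed in the same format as the router log excerpt, with straight quotes.

```python
import re
from collections import Counter

# Constructed sample in the format of the router log excerpt above.
SAMPLE_LOGS = """\
000209: *Dec 22 09:26:25.059 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.66.66] [localport: 22] [Reason: Login Authentication Failed] at 09:26:25 UTC Tue Dec 22 2015
000210: *Dec 22 09:26:33.778 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.66.66] [localport: 22] [Reason: Login Authentication Failed] at 09:26:33 UTC Tue Dec 22 2015
000211: *Dec 22 09:27:03.777 UTC: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.168.66.66 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000216: *Dec 22 09:32:57.739 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (192.168.66.66)
"""

# Timestamp, user, source address, local port and reason of a LOGIN_FAILED message.
FAILED_RE = re.compile(
    r"\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+): %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\] \[Reason: (?P<reason>[^\]]+)\]"
)

def parse_login_failures(log_text):
    """Return one dict per LOGIN_FAILED event; other message types are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])   # 22 = SSH, 23 = Telnet
            events.append(d)
    return events

def failures_by_source(events, threshold=2):
    """Count failures per (source, user) and return those at or above threshold."""
    counts = Counter((e["src"], e["user"]) for e in events)
    return {k: v for k, v in counts.items() if v >= threshold}
```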

Login Local configuration on Line VTY

After configuring the login local command on line VTY, I am able to log in successfully with the local username database configured above.

ciscoconsole#sh run  | b line vty
line vty 0 4
password cisco
login local
transport input all
line vty 5 15
password cisco
login local
transport input all
!

login as: cisco
Using keyboard-interactive authentication.
Password:
 
ciscoconsole#

Difference between Cisco Login & Login Local commands

Final conclusion

Login tells the Cisco device to check whether a password is configured on the line; if so, when a user tries to log in to the Cisco device, the device will request this password before going to exec mode. The Cisco device does not allow the login command to be configured without a password on line VTY and will give the error below. SSH always requires a username and password, so with login alone we can't access the device using SSH and will get access denied.

ciscoconsole(config)#line vty 0 15
ciscoconsole(config-line)#login
% Login disabled on line 2, until ‘password’ is set
% Login disabled on line 3, until ‘password’ is set
% Login disabled on line 4, until ‘password’ is set
% Login disabled on line 5, until ‘password’ is set
% Login disabled on line 6, until ‘password’ is set
% Login disabled on line 7, until ‘password’ is set
% Login disabled on line 8, until ‘password’ is set
% Login disabled on line 9, until ‘password’ is set
% Login disabled on line 10, until ‘password’ is set
% Login disabled on line 11, until ‘password’ is set
% Login disabled on line 12, until ‘password’ is set
% Login disabled on line 13, until ‘password’ is set
% Login disabled on line 14, until ‘password’ is set
% Login disabled on line 15, until ‘password’ is set
% Login disabled on line 16, until ‘password’ is set
% Login disabled on line 17, until ‘password’ is set

Login local tells the Cisco device to use the local username/password database when a user is trying to access the device. It will prompt for username and password for both Telnet and SSH access. You can access the device using Telnet or SSH with the local username database. Note that if no local username/password is configured, you will be locked out of the device.
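The two rules just stated can be checked mechanically against a running config: a vty range that uses login while allowing SSH transport will deny every SSH session, and a range that uses login local with no username configured locks the administrator out. The auditor below is an added example, not from the original post; its sample config is constructed to mirror the two vty configurations shown above, with the one-space indentation IOS prints under each line stanza.

```python
import re

# Constructed sample in the layout of the 'show run | b line vty' output above.
SAMPLE_RUN = """\
username cisco privilege 15 password 0 cisco
line vty 0 4
 password cisco
 login
 transport input all
line vty 5 15
 password cisco
 login local
 transport input all
"""

def parse_vty_lines(running_config):
    """Map each 'line vty' range to its password/login/transport settings; also report whether any username exists."""
    sections, current, has_username = {}, None, False
    for raw in running_config.splitlines():
        m = re.match(r"line (vty \d+(?: \d+)?)", raw)
        if raw.startswith("username "):
            has_username = True
        elif m:
            current = m.group(1)
            sections[current] = {"password": False, "login": None, "transport": set()}
        elif not raw.startswith(" "):
            current = None          # unindented line: we have left the stanza
        elif current is not None:
            cmd = raw.strip()
            if cmd.startswith("password "):
                sections[current]["password"] = True
            elif cmd in ("login", "login local"):
                sections[current]["login"] = cmd
            elif cmd.startswith("transport input "):
                sections[current]["transport"] = set(cmd.split()[2:])
    return sections, has_username

def audit(running_config):
    """Flag vty ranges whose login mode cannot serve SSH or risks a lockout."""
    findings = []
    sections, has_username = parse_vty_lines(running_config)
    for name, s in sections.items():
        ssh_reachable = bool(s["transport"] & {"all", "ssh"})
        if s["login"] == "login" and ssh_reachable:
            findings.append(f"{name}: 'login' with SSH transport; SSH needs a username, so SSH logins are denied")
        if s["login"] == "login" and not s["password"]:
            findings.append(f"{name}: 'login' without 'password'; IOS disables login on the line")
        if s["login"] == "login local" and not has_username:
            findings.append(f"{name}: 'login local' with no 'username' configured; lockout risk")
    return findings
```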
