Instructor Mark Jacob was presenting a Power Lecture in the studio on the Cisco IOS Login vs Login Local.
Transcription
I wanted to address a question that I get fairly frequently when teaching Cisco CCNA classes. It’s about logging in to Cisco IOS devices. The question is: how is it that sometimes the configuration says Login and other times it says Login Local? What is the impact of typing the command one way or the other?
Let’s find out what the difference is between Login and Login Local in Cisco IOS.
I have a simple scenario set up that consists of a Router 1 and a Router 2.
(One of my favorite ways to demo networking environments is to build them in GNS3. It’s a great tool and it’s free to download.)
These routers are directly connected, with addresses 10.1.1.1 and 10.1.1.2. I have set up Router 1 so that Router 2 can access it remotely.
Let’s go ahead and take a look at the configuration on Router 1. I’ll do a show run: R1#sh run
The main part that I care about is way down at the bottom of the config. Scrolling down, notice that on my VTY lines I have a password and Login.
Let’s go ahead and head over to Router 2 and see if I can access Router 1 via Telnet.
Now, I can type Telnet 10.1.1.1.
What’s interesting is, if you forget the word Telnet and just type 10.1.1.1, it’s still going to try to Telnet.
The IOS is notifying me: you can’t come in unless you know the super-secret password! It’s fairly obvious what it is. It’s over here: cisco.
For demonstration, I’ll type it wrong first.
Nope, no good. Let’s do it correctly: cisco.
I am now on Router 1.
You may be thinking, “I’m glad I set this up, because now I’m at home and I’m logged in to this device. I remembered to set up remote access and I have successfully reached Router 1. Now I can make some changes.” Sorry, you can’t, because there’s no enable password.
You can’t set an enable password unless you’re in enable mode, and you can’t get to enable mode without the password.
Nevertheless, the main goal of the discussion today is Login versus Login Local. The way I like to remember it is that Login is one word (Login), and Login Local is two words (Login Local).
My quick and easy way to remember it is:
- Login = you need one piece of ID to get in: a password.
- Login Local = you need two pieces of ID: both a username and a password.
On Router 1, let’s go to configure terminal mode: R1#conf ter
I want to go to line VTY 0 4, because we’re doing those first five lines right now.
I’ll do a no login and a no password. To verify that’s the way it’s currently set up, I’ll type do show run.
Let’s scroll all the way down to the bottom. Guess what? There’s nothing on there. No Login. It’s all the way wide open.
Let’s say I want to put back what I just did.
I’m already in line VTY 0 4. I’m going to type Login.
It says, “Login is disabled until password’s set.” Imagine this in real life: Login is like telling somebody, don’t let anybody in unless they know the password.
I use the example of a bouncer at a night club. If I’m the one paying the bouncer and I say, “don’t let anybody in unless they know the password,” but I forget to tell the bouncer the password, then nobody gets in.
The device is warning us: you didn’t tell me the password, so I’m going to go ahead and ignore that command. That’s why we set the password. The password is cisco.
But that’s the single piece of ID.
We’ll next try this: Login Local and we’ll get no warning.
It accepted the command. At this point, it’s not a big deal. Why? Because I have a console connection to this device, whereas I’m manipulating the VTY, which is the remote access connection. If I do something foolish and lock myself out, I haven’t really locked myself out, because I can still come in on the console and fix it.
Let’s see what the consequences of Login Local are.
I’ll come back to R2 and I’ll exit out of it.
I’m going to try to get back in. To show you that it’s identical, this time I will type the full command, Telnet 10.1.1.1. Look what it’s going to ask me: what’s the username?
We didn’t even configure a username on Router 1. Let’s verify this using do show run and include username: #do sh run | i user
There’s no username. Which means no matter what I type on Router 2, I will never get into Router 1 because Login Local says you need both a username and a password.
If you have not configured that, you’ve locked yourself out of remote access.
Not a big deal. I can come back to my console connection and fix this. In fact, they are mutually exclusive: if I type Login again, the Login Local goes away, because they can’t both be there.
If I want to check, I’ll come back to Router 2, and I can make it choke on me by entering bad usernames and passwords.
Let’s go ahead and try to get back in again. Telnet 10.1.1.1
We’re checking now that my typing of Login got rid of the Login Local. Once again, it’s only asking for the password. We’re in.
The real danger, as we found earlier, is that you can accidentally lock yourself out on the VTY lines. But that’s not the only place you want to control access to your device. As I said, I have a console connection right now, but I’m supposed to be on this device. What if somebody comes in and physically plugs a console connection into your device, and they’re not supposed to be there?
If you haven’t taken steps to prevent this, they’ll be able to promote themselves. They’ll be able to get to enable mode, if they’ve figured out what your password is.
Let’s go ahead and see if we can prevent this scenario from happening.
Let’s get back out to global config. I’m going to go to my line console session:
#line con 0
I type Login and I get the same result.
We haven’t told it the password yet, so it’s going to ignore that.
What I’m trying to do is, now if somebody comes up and plugs a console cable in, they don’t go live until they have been challenged for and successfully answered the password prompt.
That’s what Login means. One word / one piece of ID.
But it warned me, you haven’t set the password yet. I’m going to ignore the fact that you’re asking me to ask for a password, because I don’t know what it is. Nice warning.
Now, I’m going to type Login Local.
Surely, if it’s going to warn me that you haven’t told me the password when there’s only one piece of ID needed, this is even more impactful. Login Local means you need a username and a password to get to the console session.
Even though I’m the Senior Network Admin and I have a blue console cable plugged directly into the device… Absolutely, it’s going to warn me if I’m about to execute this command.
Let’s see the warning we get… No warning at all.
Which means if I exit this console connection and try to get back in, it’s going to ask me for a username, and with no username configured, guess who gets back in? Nobody, not even me.
No warning, just be aware that Login Local means you’ve got to have two pieces of ID.
Let’s go ahead and configure two pieces of ID. Let’s exit out and go to global config.
I’ll type the command username Mark (my name) secret cisco. I always use cisco, so I don’t have to remember it.
Now, I have a username configured on the device. Let’s check it out. I’m going to exit and I’m going to exit again.
Now, it’s just as if I just walked up and plugged in a console cable.
Look at that. If I had no username configured, I could type till my fingers fly off. I will not get back in.
I configured a username of Mark and a password of cisco.
I’m back into the device.
Be aware, Login vs Login Local.
Login, you need to know just the password. Login Local, you need to know both the username and the password. Make sure, before you configure Login Local, that you’ve configured a username and a password.
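As an added example (not part of the lecture, and not a Cisco tool), here is a small Python check that reads a saved running-config and flags the situations demonstrated above: Login Local with no username configured, Login with no password set, a VTY line with no login at all, and a missing enable secret. The two config texts are constructed to mirror the router states in the demo.

```python
# Added example (not from the lecture): audit a Cisco IOS running-config for the
# 'login' / 'login local' pitfalls shown above. The config texts are constructed.
import re

def parse_config(config):
    """Split 'line con/vty/aux' blocks into {name: [sub-commands]} and collect
    configured usernames and whether an enable secret/password is present."""
    blocks, usernames, enable_set, current = {}, set(), False, None
    for raw in config.splitlines():
        text = raw.rstrip()
        if not text or text.startswith("!"):
            current = None
            continue
        if text.startswith(" ") and current is not None:  # sub-command of open block
            blocks[current].append(text.strip())
            continue
        current = None
        m = re.match(r"^line (con|vty|aux) (\d+(?: \d+)?)$", text)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            blocks[current] = []
        elif text.startswith("username "):
            usernames.add(text.split()[1])
        elif text.startswith(("enable secret ", "enable password ")):
            enable_set = True
    return blocks, usernames, enable_set

def audit(config):
    """One finding per line block that locks the admin out or leaves it open."""
    blocks, usernames, enable_set = parse_config(config)
    findings = []
    for name, cmds in blocks.items():
        has_pw = any(c.startswith("password ") for c in cmds)
        if "login local" in cmds and not usernames:
            findings.append(f"{name}: 'login local' but no username -> nobody can log in")
        elif "login" in cmds and not has_pw:
            findings.append(f"{name}: 'login' but no password -> IOS disables login here")
        elif name.startswith("vty") and not {"login", "login local"} & set(cmds):
            findings.append(f"{name}: no 'login' -> remote access is wide open")
    if not enable_set:
        findings.append("global: no enable secret -> remote users cannot reach enable mode")
    return findings

# Constructed: R1 right after 'login local' was typed on the VTYs, no username yet.
LOCKED_OUT = "!\nline con 0\n login\nline vty 0 4\n password cisco\n login local\n!\n"
# Constructed: the end state of the lecture, plus an enable secret.
FIXED = ("!\nusername Mark secret cisco\nenable secret cisco\n"
         "line con 0\n login local\nline vty 0 4\n login local\n!\n")
```

Run `audit()` over the output of show run before saving a change to a line’s login mode; an empty list means none of the lockout or wide-open conditions from the demo is present.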
Mark Jacob
Cisco and CompTIA Network + Instructor – Interface Technical Training
Phoenix, AZ