How to Configure Users on Cisco Devices
Introduction
Configuring user accounts on Cisco devices is a fundamental skill for network administrators. Proper user management ensures that only authorized personnel can access and modify network infrastructure, and that each user has only the access level they need.
Cisco IOS provides a flexible local user database, multiple password encryption types, and a 16-level privilege system that allows fine-grained control over what commands each user can execute. This article covers everything from basic user creation to advanced privilege assignment and password security.
Prerequisites
- Console or SSH access to a Cisco IOS device
- Privileged EXEC mode access (enable)
- Basic understanding of Cisco IOS CLI
- Cisco IOS 12.2 or later (commands may vary slightly on older versions)
Understanding Cisco Privilege Levels
Cisco IOS supports 16 privilege levels, numbered 0 through 15. Each level defines a set of commands the user is permitted to execute. Understanding these levels is essential before creating users.
| Privilege Level | Name | Default Access | Typical Use |
|---|---|---|---|
| 0 | Minimum | disable, enable, exit, help, logout | Minimal access only |
| 1 | User EXEC | Basic show commands, ping, traceroute | Read-only monitoring |
| 2–14 | Custom | Configurable by administrator | Tiered admin roles |
| 15 | Privileged EXEC | All commands including global config | Full administrator access |
By default, users log into privilege level 1 (User EXEC). To enter global configuration mode, a user must reach privilege level 15.
Understanding Cisco Password Types
Cisco IOS stores passwords using different encryption or hashing methods, identified by a type number in the running configuration. Knowing the difference is critical for security hardening.
| Type | Algorithm | Reversible | Security Level | Recommendation |
|---|---|---|---|---|
| Type 0 | Plaintext | Yes | None | Avoid |
| Type 7 | Vigenère cipher | Yes | Weak | Not recommended |
| Type 5 | MD5 | No | Moderate | Acceptable |
| Type 8 | PBKDF2-SHA-256 | No | Strong | Recommended |
| Type 9 | scrypt | No | Very Strong | Best practice |
Type 7 passwords can be decoded instantly using freely available online tools. Never rely on Type 7 for securing privileged access.
Enable Secret vs Enable Password
Cisco provides two commands for protecting privileged EXEC mode: enable password and enable secret. It is important to understand the difference before configuring user access.
The enable secret command stores the password as an MD5 hash (Type 5) by default. On newer IOS versions you can specify Type 8 or Type 9 for stronger hashing. If both enable secret and enable password are configured, enable secret always takes precedence.
```
Router(config)# enable secret StrongP@ssw0rd
Router(config)# enable secret 9 $9$hashed_value_here
```
The enable password command stores the password in plaintext (Type 0) unless service password-encryption is enabled, which applies weak Type 7 encryption. This command is considered legacy and should be avoided in favor of enable secret.
```
Router(config)# enable password OldStylePass
```
Quick comparison between the two commands:
| Feature | enable secret | enable password |
|---|---|---|
| Default Encryption | MD5 (Type 5) | Plaintext (Type 0) |
| Priority (if both set) | Higher (overrides) | Lower (ignored) |
| Recommended | Yes | No |
Always use enable secret instead of enable password. For maximum security, use enable algorithm-type sha256 secret (Type 8) or enable algorithm-type scrypt secret (Type 9) on supported IOS versions.
Creating Local User Accounts
Local user accounts are stored directly on the device. They are used for console, VTY (Telnet/SSH), and auxiliary line authentication. Use the username command in global configuration mode to create users.
Basic Syntax
```
Router(config)# username <name> privilege <level> secret <password>
```
Always use secret (not password) when creating user accounts to ensure the password is hashed rather than stored in plaintext or with weak Type 7 encryption.
```
! Create a full admin user (privilege 15)
Router(config)# username admin privilege 15 secret AdminP@ss123
! Create a read-only monitor user (privilege 1)
Router(config)# username monitor privilege 1 secret ViewOnly@99
! Create a mid-level operator (privilege 7)
Router(config)# username operator privilege 7 secret Oper@t0r55
```
On newer Cisco IOS versions (15.3+), you can specify the hashing algorithm explicitly: username admin privilege 15 algorithm-type sha256 secret MyPass for Type 8, or algorithm-type scrypt for Type 9.
Example: Configuring User "switchfirewall" with Secret Type 8 and Type 9
The following examples demonstrate how to create the user switchfirewall at privilege level 15 using both Type 8 (PBKDF2-SHA-256) and Type 9 (scrypt) password hashing. Both are strong, one-way hashing algorithms — the password you enter is never stored in plaintext.
Type 8 uses PBKDF2 with SHA-256. You enter the plain-text password and IOS hashes it automatically. The stored hash in the running config will begin with $8$.
```
! Enter global configuration mode
Switch# configure terminal
! Create user 'switchfirewall' with privilege 15 using Type 8 (PBKDF2-SHA-256)
Switch(config)# username switchfirewall privilege 15 algorithm-type sha256 secret Sw!tchF1r3w@ll
! Save the configuration
Switch(config)# end
Switch# write memory
```
What you will see in show running-config after the above command:
```
username switchfirewall privilege 15 secret 8 $8$dsYGNam3ARgDI2$X9R/ckCoDe/HNx5m5WnOrXfCmO7OhqjxQlxIrMRmXbA
```
The $8$ prefix in the stored hash confirms Type 8 hashing is in use. The actual hash value will differ on your device because IOS generates a random salt (the characters between the second and third $) each time the secret is set, so the same password never produces the same stored string twice.
Type 9 uses scrypt, a memory-hard hashing algorithm that is significantly more resistant to GPU-based brute-force attacks than MD5 or SHA-256. The stored hash in the running config will begin with $9$. This is the recommended best practice on all modern Cisco IOS/IOS-XE devices.
```
! Enter global configuration mode
Switch# configure terminal
! Create user 'switchfirewall' with privilege 15 using Type 9 (scrypt)
Switch(config)# username switchfirewall privilege 15 algorithm-type scrypt secret Sw!tchF1r3w@ll
! Save the configuration
Switch(config)# end
Switch# write memory
```
What you will see in show running-config after the above command:
```
username switchfirewall privilege 15 secret 9 $9$nhEmQVczB7dqsO$X/iysHS5jxkRIBTVsl4s3JNBAI4axX5tP.VStJYe/s.
```
The $9$ prefix confirms Type 9 (scrypt) is in use. Type 9 is the strongest available password hashing option on Cisco IOS and IOS-XE as of 15.3(3) and later.
After creating the user, verify the configuration using the following commands:
```
! Check the username entry and confirm the secret type (8 or 9)
Switch# show running-config | include username switchfirewall
! Verify the user can authenticate: open a new SSH session as switchfirewall
! and list the active sessions
Switch# show users
! Confirm the privilege level of the new session after login
! (a privilege 15 user lands at the # prompt)
Switch# show privilege
```
Expected output snippet from show running-config | include username switchfirewall:
```
username switchfirewall privilege 15 secret 9 $9$nhEmQVczB7dqsO$X/iysHS5jxkRIBTVsl4s3JNBAI4axX5tP.VStJYe/s.
```
If your Cisco IOS version does not support algorithm-type sha256 or algorithm-type scrypt, the command will be rejected. In that case, use username switchfirewall privilege 15 secret Sw!tchF1r3w@ll which defaults to Type 5 (MD5). Upgrade IOS if possible to gain Type 8/9 support.
Never use username switchfirewall password Sw!tchF1r3w@ll — the password keyword stores credentials as plaintext (Type 0) or weak Type 7. Always use secret or algorithm-type ... secret.
Configuring Line Authentication to Use Local Users
After creating local users, you must configure the device lines (console, VTY, AUX) to use the local user database for authentication. Without this step, the device will not prompt for username/password on those lines.
Configure the console line to require local username/password login:
```
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# logging synchronous
Router(config-line)# exec-timeout 5 0
Router(config-line)# exit
```
Configure VTY lines (used for Telnet and SSH access). It is strongly recommended to restrict VTY lines to SSH only:
```
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 5 0
Router(config-line)# exit
```
Configure the auxiliary line (physical AUX port on routers) with local authentication:
```
Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
Router(config-line)# exit
```
Using login (without local) only requires a line password, not a username. Always use login local to enforce username-based authentication from the local database.
Assigning Custom Privilege Levels to Commands
You can assign specific commands to custom privilege levels (2–14) to create tailored roles. This allows you to give certain users access to specific commands without granting full privilege 15 access.
```
! Allow privilege 5 users to run 'show running-config'
Router(config)# privilege exec level 5 show running-config
! Allow privilege 7 users to run interface configuration commands
Router(config)# privilege exec level 7 configure terminal
Router(config)# privilege configure level 7 interface
Router(config)# privilege interface level 7 ip address
! Set the enable secret for privilege level 5
Router(config)# enable secret level 5 Level5P@ss
! Create a user at privilege level 5
Router(config)# username netops privilege 5 secret NetOps@2024
```
When a user at a lower privilege level needs to access a higher privilege level, they use the enable <level> command and authenticate with the corresponding enable secret for that level.
Enabling Service Password Encryption
The service password-encryption command applies Type 7 (Vigenère) encryption to all plaintext passwords in the configuration, including line passwords and VTY passwords. While this is not strong encryption, it prevents casual shoulder-surfing of the configuration.
```
Router(config)# service password-encryption
```
service password-encryption only applies weak Type 7 obfuscation. It does NOT secure passwords configured with secret (those are already MD5 or stronger). Do not rely on it as your primary security measure — it is a supplement, not a substitute for proper password practices.
Setting Password Policies
Cisco IOS allows you to enforce minimum password length and security requirements on the local user database to prevent weak passwords from being configured.
```
! Enforce a minimum password length of 10 characters for all local users
Router(config)# security passwords min-length 10
! Set an authentication failure rate limit
! (block logins for 120 seconds after 3 failures within 60 seconds)
Router(config)# login block-for 120 attempts 3 within 60
! Log authentication failures
Router(config)# login on-failure log
! Log successful logins
Router(config)# login on-success log
```
Enabling login block-for is a highly effective defense against brute-force attacks on VTY and console lines. Always combine it with logging for visibility.
Verifying User Configuration
After configuring users, use the following commands to verify the configuration is correct and active.
```
! View all configured local usernames and privilege levels
Router# show running-config | section username
! View active sessions and currently logged-in users
Router# show users
! Check line configuration
Router# show line
! View current privilege level of the logged-in session
Router# show privilege
```
The output of show running-config | section username will display the password hash type number (e.g., username admin privilege 15 secret 9 $9$...). Verify that Type 5, 8, or 9 is shown — never Type 0 or 7 for user secrets.
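As an added example (not Cisco's code and not part of the original article), the following Python script reads saved running-config text and flags the conditions this verification step and the periodic audit in the conclusion tell you to look for: credentials using the password keyword (Type 0 or 7), Type 5 secrets that should move to Type 8/9, line blocks without login local, and VTY lines not restricted to SSH. The config text and its hash values are constructed placeholders.

```python
import re
# Constructed sample running-config; hash values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
enable password 7 094F471A1A0A
enable secret 9 $9$saltsaltsaltsa$placeholderhashvalue
username admin privilege 15 secret 9 $9$saltsaltsaltsa$placeholderhashvalue
username legacy privilege 15 password 7 0822455D0A16
username helpdesk privilege 1 password 0 helpdesk123
username monitor privilege 1 secret 5 $1$abcd$placeholderhashvalue
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""
# 'enable ...' / 'username <name> ...' lines ending '<secret|password> [<type>] <value>'
CRED_RE = re.compile(r"^(enable|username \S+).*?\b(secret|password)(?: (\d+))? \S+$")

def check_line_block(name, sub):
    """Findings for one 'line con/aux/vty' block, given its indented sub-commands."""
    out = []
    if "login local" not in sub:
        out.append((name, "missing 'login local' (line password or no authentication)"))
    transport = [c for c in sub if c.startswith("transport input ")]
    if name.startswith("line vty") and transport != ["transport input ssh"]:
        out.append((name, "VTY not restricted to SSH: %s" % (transport or "transport input unset")))
    return out

def audit_config(text):
    """Return (object, problem) pairs for the weaknesses this article warns about."""
    findings, block, sub = [], None, []
    for raw in text.splitlines() + [""]:        # empty sentinel flushes the last block
        if raw.startswith(" "):                   # indented: sub-command of the current block
            sub.append(raw.strip())
            continue
        if block and block.startswith("line "):
            findings.extend(check_line_block(block, sub))
        block, sub = raw.strip(), []
        m = CRED_RE.match(block)
        if not m:
            continue
        obj, keyword, ptype = m.group(1), m.group(2), m.group(3) or "0"
        if keyword == "password":                 # Type 0 plaintext or Type 7 (both reversible)
            findings.append((obj, "uses 'password' keyword; type %s is reversible" % ptype))
        elif ptype == "5":
            findings.append((obj, "secret type 5 (MD5); prefer type 8 or 9"))
    return findings
```

Feed it the text captured from show running-config on each device; an empty result means every credential is a Type 8/9 secret and every line block uses local, SSH-only authentication.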
Removing and Modifying Users
User accounts can be deleted or updated at any time from global configuration mode.
```
! Delete a user account
Router(config)# no username monitor
! Change a user's password (re-enter the full username command)
Router(config)# username admin privilege 15 secret NewSecureP@ss!
! Change a user's privilege level
Router(config)# username operator privilege 10 secret Oper@t0r55
```
Never delete all admin users or change the last privilege 15 account while only connected via VTY. You may permanently lock yourself out. Always have console access available when making changes to privileged accounts.
Complete Configuration Example
The following is a complete, hardened example that implements best-practice user configuration on a Cisco router or switch.
```
! ============================================================
! Cisco Device - Hardened Local User Configuration Example
! ============================================================
! Step 1: Set hostname
Router(config)# hostname CORE-RTR-01
! Step 2: Enable password hashing for any legacy plaintext passwords
CORE-RTR-01(config)# service password-encryption
! Step 3: Set enable secret (Type 9 - scrypt, strongest)
CORE-RTR-01(config)# enable algorithm-type scrypt secret Enab!eS3cur3
! Step 4: Enforce minimum password length
CORE-RTR-01(config)# security passwords min-length 10
! Step 5: Enable brute-force protection
CORE-RTR-01(config)# login block-for 120 attempts 3 within 60
CORE-RTR-01(config)# login on-failure log
CORE-RTR-01(config)# login on-success log
! Step 6: Create users with appropriate privilege levels
CORE-RTR-01(config)# username admin privilege 15 algorithm-type scrypt secret AdminP@ss2024
CORE-RTR-01(config)# username netops privilege 7 algorithm-type scrypt secret NetOps@2024
CORE-RTR-01(config)# username monitor privilege 1 algorithm-type scrypt secret ViewOnly@99
! Step 7: Configure console line
CORE-RTR-01(config)# line console 0
CORE-RTR-01(config-line)# login local
CORE-RTR-01(config-line)# logging synchronous
CORE-RTR-01(config-line)# exec-timeout 5 0
CORE-RTR-01(config-line)# exit
! Step 8: Configure VTY lines (SSH only)
CORE-RTR-01(config)# line vty 0 4
CORE-RTR-01(config-line)# login local
CORE-RTR-01(config-line)# transport input ssh
CORE-RTR-01(config-line)# exec-timeout 5 0
CORE-RTR-01(config-line)# exit
! Step 9: Enable SSH (requires domain name and crypto key)
CORE-RTR-01(config)# ip domain-name example.com
CORE-RTR-01(config)# crypto key generate rsa modulus 2048
CORE-RTR-01(config)# ip ssh version 2
! Step 10: Leave configuration mode and save the configuration
CORE-RTR-01(config)# end
CORE-RTR-01# write memory
```
Conclusion
Configuring users correctly on Cisco devices is a critical part of network security. By using enable secret with strong hashing algorithms, assigning appropriate privilege levels, enforcing password policies, and restricting line access to SSH with local authentication, you can significantly reduce the risk of unauthorized access.
As a best practice, periodically audit your user database using show running-config | section username, remove any unused accounts, and ensure all passwords are stored using Type 8 or Type 9 algorithms.
For enterprise environments managing many devices, consider integrating Cisco devices with a centralized AAA server (TACACS+ or RADIUS) using Cisco ISE or ACS for scalable, auditable user management.