ip http authentication local
Configures the HTTP server to use local username/password authentication for web-based management access, typically used with the IOS web GUI or REST API.
ip http authentication localWhen to Use This Command
- Enable secure web management on a Cisco router or switch by requiring local credentials instead of default no authentication.
- Restrict HTTP/HTTPS access to the device to only users defined in the local database when AAA is not deployed.
- Provide authenticated access for the Embedded Event Manager (EEM) or RESTCONF API when using HTTP.
- Combine with ip http authentication aaa to fall back to local authentication if the AAA server is unreachable.
Command Examples
Basic configuration to enable local authentication for HTTP
ip http authentication localRouter(config)# ip http authentication local Router(config)#
The command is entered in global configuration mode. No output is displayed if successful. After this, the HTTP server will require a valid local username and password (configured via 'username' command) for access.
Verifying HTTP authentication setting
show ip http server statusHTTP server status: Enabled HTTP server port: 80 HTTP server authentication method: local HTTP server secure port: 443 HTTP server secure authentication method: local HTTP server active clients: 0 HTTP server maximum active clients: 5 HTTP server idle timeout: 120 HTTP server session life: 300 HTTP server connections: 0 HTTP server requests: 0
The 'HTTP server authentication method: local' line confirms that local authentication is active. The 'HTTP server secure authentication method: local' line shows the same for HTTPS if enabled. Other fields show server status, port numbers, and client statistics.
Understanding the Output
The command itself produces no output on success. To verify, use 'show ip http server status'. The key field is 'HTTP server authentication method' which should display 'local'. If it shows 'none', authentication is disabled, which is a security risk. The 'HTTP server secure authentication method' field applies to HTTPS. Ensure both are set to 'local' or 'aaa' for secure access. Also check that local usernames are configured with 'username name secret password' or 'username name password password'.
CCNA Exam Tips
CCNA exam tip: The command 'ip http authentication local' must be paired with at least one local username configured via 'username' command; otherwise, no one can log in.
CCNA exam tip: If you see 'ip http authentication aaa' in a scenario, remember that AAA must be configured (e.g., TACACS+ or RADIUS) or fallback to local is needed.
CCNA exam tip: The exam may test that 'ip http server' must be enabled separately with 'ip http server' or 'ip http secure-server' for HTTPS.
CCNA exam tip: Be aware that 'ip http authentication' applies to both HTTP and HTTPS; there is no separate command for HTTPS authentication.
Common Mistakes
Mistake 1: Forgetting to configure local usernames after setting authentication to local, resulting in lockout from web management.
Mistake 2: Enabling HTTP server without authentication (default is 'none'), leaving the device vulnerable to unauthorized access.
Mistake 3: Confusing 'ip http authentication local' with 'ip http authentication aaa' — the latter requires an external AAA server.
Related Commands
ip http secure-server
Enables the HTTPS server on a Cisco IOS device to allow secure web-based management and API access using SSL/TLS.
ip http server
Enables the HTTP server on a Cisco IOS device, allowing web-based management and access to the device's web interface for configuration and monitoring.
show ip http server status
Displays the operational status and configuration of the HTTP server (web server) on the Cisco IOS device, used to verify if the web-based GUI or REST API is enabled and accessible.
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions