Security · Line Config

login local

Configures the line to require local username/password authentication using the local database, typically applied to console, vty, or aux lines for secure access.

Syntax·Line Config
login local

When to Use This Command

  • Securing remote SSH/Telnet access to a router by requiring local credentials on VTY lines.
  • Restricting console access to authorized users with individual usernames and passwords.
  • Implementing basic AAA without an external server by using the local user database.
  • Enforcing authentication for auxiliary (AUX) modem or dial-in connections.

Command Examples

Enabling local authentication on VTY lines

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)#

The command produces no immediate output. It configures all five VTY lines (0-4) to use local authentication. Users must provide a valid username and password configured with the 'username' global configuration command.

Verifying local login configuration on console line

Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# end
Router# show running-config | section line con
line con 0
 login local

The output confirms that the console line is configured with 'login local'. The 'show running-config' command displays the relevant configuration snippet.

Understanding the Output

The 'login local' command itself produces no direct output when entered. To verify its application, use 'show running-config | section line' to see the line configuration. The output will show 'login local' under the specific line (e.g., 'line vty 0 4'). If the line shows 'login' without 'local', it means password-only authentication (using the 'password' command) is in effect. A missing 'login' statement implies no authentication, which is a security risk. Always ensure 'login local' is present for secure access.

CCNA Exam Tips

1. CCNA exam tip: 'login local' requires a username database; without configured usernames, access is denied.
2. CCNA exam tip: The 'login' command alone (without 'local') uses the line password; 'login local' uses local usernames.
3. CCNA exam tip: For SSH, you must also configure 'transport input ssh' on the VTY lines.
4. CCNA exam tip: The 'username' command must be global; example: 'username admin secret cisco'.

Common Mistakes

Mistake 1: Forgetting to create local usernames before applying 'login local', locking out all users.

Mistake 2: Using 'login' instead of 'login local', relying on a shared line password instead of individual credentials.

Mistake 3: Applying 'login local' to the console line without also configuring 'exec-timeout' to auto-logout idle sessions.
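The checks described under "Understanding the Output" and "Common Mistakes" can be run over a saved copy of the running configuration. The following is an added example, not part of the original page or any Cisco tooling: the function name `audit_lines`, the finding strings and the sample configuration are all constructed for illustration.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
username admin secret 5 <constructed-hash>
!
line con 0
 login local
line aux 0
line vty 0 4
 password 7 <constructed>
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
end
"""

def audit_lines(config):
    """Return {line header: [findings]} for every 'line ...' block."""
    has_users = bool(re.search(r"^username \S+ ", config, re.M))
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    report = {}
    for header, cmds in blocks.items():
        findings = []
        if "login local" in cmds:
            if not has_users:
                findings.append("login local but no username defined: lockout")
        elif "login" in cmds:
            findings.append("login without local: shared line password")
        else:
            findings.append("no login statement")
        if header.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "")
            if transport.split()[2:] != ["ssh"]:
                findings.append("transport input not restricted to ssh")
        report[header] = findings
    return report
```

Calling `audit_lines(SAMPLE_CONFIG)` returns an empty findings list for `line con 0` and `line vty 5 15`, and flags `line aux 0` and `line vty 0 4`.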
