Login Authentication Methods

1. What Is Login Authentication?

Login authentication is the process of verifying a user's (or device's) identity before granting access to a network device such as a router or switch. Typically this means entering a username and password, but advanced setups may require additional factors such as OTPs or hardware tokens.

Authentication vs Authorization vs Accounting (AAA):

  • Authentication: Who are you? — Verifies identity via credentials.
  • Authorization: What can you do? — Determines permitted commands and resources after login.
  • Accounting: What did you do? — Logs commands, session duration, and changes for auditing. See show logging and Syslog.
Purpose: Prevents unauthorized access, protects device configurations, enables user accountability, and helps meet security compliance and audit requirements.

Related pages: AAA Local vs RADIUS | SSH Explained | Telnet vs SSH | SSH & Telnet Security | AAA RADIUS Configuration | AAA TACACS+ Configuration | SSH Configuration (Step-by-Step)

2. Why Is Authentication Critical for Network Devices?

  • Prevents unauthorized configuration changes that could cause outages or security breaches.
  • Protects sensitive network infrastructure from internal and external attacks.
  • Provides individual accountability — logs show exactly who made which change and when. See Syslog and Syslog Configuration.
  • Helps meet regulatory compliance (PCI-DSS, HIPAA, SOC 2, ISO 27001).
  • Enables privilege separation — different users get only the access they need.

3. Common Authentication Entry Points

  • Console Access: Physical RJ-45/USB port on the device. Used for out-of-band (direct) management. Secure with at least local authentication — leaving console open with no password is a critical vulnerability. See Console & VTY Line Configuration.
  • VTY Lines (Telnet/SSH): Remote command-line access over the network. Always use SSH (never Telnet in production) — SSH encrypts all session traffic including credentials. See SSH & Telnet Security.
  • HTTP/HTTPS Access: Web-based device management (Cisco SDM, ASDM). Use HTTPS only; disable HTTP with no ip http server.
  • AUX Port: For dial-in modem access. Rare in modern networks but still present on many devices — secure or disable if not in use.
Exam Tip: Every access method (console, VTY, HTTP, AUX) is a potential attack vector. The CCNA exam frequently presents scenarios where one of these is left unsecured and asks you to identify the vulnerability.

4. Local Authentication

With local authentication, credentials (usernames and passwords) are stored directly in the device's running configuration. No external server is required. 

Router(config)# username admin secret Secur3P@ss
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
  • The local database is queried for every login — both username and password are required.
  • Assign privilege levels (0–15) per user to control access scope.
  • Simple to configure; no external dependency.
  • Works even when the network is down — critical for emergency access.
Best practices:
  • Always use secret (MD5/scrypt hashed) instead of password (plain text Type 7 — easily reversed).
  • Configure enable secret for privileged EXEC mode access.
  • Always maintain at least one local admin account even when using AAA — it is your emergency fallback.
Limitation: Local authentication does not scale. In a network with 50 routers, a password change requires updating every device manually. For large networks, centralized AAA (RADIUS/TACACS+) is essential. See AAA Local vs RADIUS for a full comparison.

5. Remote Authentication Protocols — RADIUS and TACACS+

For scalable, centralized authentication across many devices, Cisco IOS supports AAA via two main protocols: RADIUS and TACACS+. Both allow a central server to authenticate all device logins across your entire infrastructure.

Protocol Purpose Transport Encryption Common Use
RADIUS Centralized user/device auth UDP (1812/1813) Encrypts passwords only Wi-Fi 802.1X, VPN, user network access. See 802.1X Port Authentication.
TACACS+ Centralized device administration TCP (port 49) Encrypts entire payload Device CLI/admin logins, command authorization

See detailed step-by-step configurations: AAA RADIUS Configuration | AAA TACACS+ Configuration

6. RADIUS vs. TACACS+ — Deep Dive Comparison

RADIUS and TACACS+ are both AAA protocols but serve different primary purposes. This is a high-frequency CCNA exam topic — know the differences cold.

Attribute RADIUS TACACS+
Developed by Livingston Enterprises (now IETF open standard) Cisco (proprietary)
Transport Protocol UDP — ports 1812 (auth) / 1813 (accounting) TCP — port 49
Encryption Encrypts password field only Encrypts entire packet payload
AAA Separation Combines authentication + authorization in one response Fully separates auth, authZ, and accounting
Command Authorization Not supported ✅ Fully supported — per-command, per-user control
Reliability UDP — no guaranteed delivery; app handles retries TCP — reliable delivery, connection-state aware
Best For Network user access (Wi-Fi, VPN, 802.1X) Device administration (router/switch CLI logins)
Example Servers Cisco ISE, FreeRADIUS, Microsoft NPS, Aruba ClearPass Cisco ISE, Cisco ACS (legacy), tac_plus daemon
Rule of thumb: Use RADIUS for authenticating end users (Wi-Fi, VPN, 802.1X port access). Use TACACS+ for controlling administrator access to network device CLIs — especially when you need per-command authorization to enforce least privilege. See AAA Local vs RADIUS for further comparison.

7. Login Authentication Commands in Cisco IOS

  • login — Uses the single password set under the line itself (no username required; least secure).
  • login local — Prompts for username and password from the local device database (recommended for local-only auth).
  • login authentication <method-list> — Uses a named AAA method list; required when using RADIUS or TACACS+.
! Local-only authentication on VTY lines
line vty 0 4
 login local                        ! Requires username + password
 transport input ssh                ! SSH only — no Telnet
!
! AAA-based authentication (RADIUS fallback to local)
aaa new-model
aaa authentication login default group radius local
line vty 0 4
 login authentication default
Critical difference: login uses only a line password (no username). login local requires both username and password from the local database. For individual accountability and audit trails, always use login local or AAA — never plain login in production. See Console & VTY Line Configuration for the full VTY hardening lab.

8. Using AAA and Method Lists

aaa new-model enables the AAA framework on Cisco IOS. Once enabled, all line authentication is governed by AAA method lists rather than the legacy login command.

  • Define method lists: aaa authentication login <name> group tacacs+ local
  • Apply to a line: login authentication <name> under line config
  • Method order matters: The device tries each method in sequence, moving to the next only if the current method returns ERROR (server unreachable) — never on REJECT (wrong password).
  • Always include local as the final fallback to prevent total lockout if AAA servers go down.
Router(config)# aaa new-model
Router(config)# aaa authentication login AdminList group tacacs+ local
Router(config)# line vty 0 4
Router(config-line)# login authentication AdminList
Critical exam point: If the TACACS+ server is unreachable, IOS falls back to the local database. If TACACS+ is reachable but rejects the login, no fallback occurs — the user is denied immediately. This distinction is one of the most tested AAA behaviors on the CCNA exam. See AAA TACACS+ Configuration and AAA RADIUS Configuration.

9. How the AAA Authentication Process Works — Step by Step

Understanding the exact flow helps with both exam questions and real-world troubleshooting.

  1. User initiates connection: A network admin SSHs into a router or connects via console. The IOS line (VTY, console, AUX) is triggered.
  2. Method list is checked: IOS looks up which AAA method list is applied to that line. If none is applied, it falls back to the line's login command behavior.
  3. First method is tried: IOS attempts the first method (e.g., group tacacs+). It sends an authentication request to the configured server.
  4. Server responds — three possible outcomes:
    • ACCEPT: Credentials are valid. User is granted access at the configured privilege level.
    • REJECT: Credentials are wrong. Authentication fails immediately — no fallback.
    • ERROR (no response): Server is unreachable or timed out. IOS moves to the next method (e.g., local).
  5. Fallback method (if applicable): If ERROR was returned, the local database is tried next. If credentials match, access is granted.
  6. Final failure: If all methods fail or return REJECT, the session is terminated. Failed login events are logged to syslog when login on-failure log is configured.

AAA Authentication Flow Diagram

User connects via SSH / Console
         │
         ▼
  Check method list applied to line
         │
         ▼
  Try Method 1: group tacacs+
         │
    ┌────┴──────────────────────────┐
    │                               │
  REJECT                        ERROR (unreachable)
    │                               │
  ❌ Deny access               Try Method 2: local
                                    │
                               ┌────┴────────┐
                               │             │
                            ACCEPT         REJECT / No more methods
                               │             │
                           ✅ Grant       ❌ Deny access
                              access

10. Password Authentication Protocols — PAP, CHAP, MS-CHAP

These protocols apply to PPP links (serial, DSL, dial-up) rather than modern SSH logins, but they remain CCNA exam topics. See also: PPPoE Client Configuration

Protocol Handshake Security Common Use
PAP 2-way, plain text Insecure — sends password in clear text Legacy PPP, dial-up links
CHAP 3-way, challenge/response More secure — password never sent in clear text PPP links, VPNs
MS-CHAP (v2) 3-way, mutual authentication Improved security — used in Windows/VPN environments Windows VPN, RAS

11. Multi-Factor Authentication (2FA/MFA)

  • Adds a second factor (OTP token, push notification, smartcard) on top of username/password logins.
  • Usually implemented via RADIUS or TACACS+ integration with an external MFA server such as Cisco Duo, RSA SecurID, or Microsoft Authenticator.
  • Significantly enhances security: even if a password is compromised, an attacker cannot log in without the second factor.
  • Implementation typically requires appending the OTP code to the password field or responding to a secondary challenge prompt.
Best Practice: MFA is strongly recommended for all privileged access (level 15) accounts, especially for VPN and remote management. Cisco ISE integrates natively with Cisco Duo for push-based MFA on network device logins. For wireless 802.1X MFA see 802.1X Port Authentication.

12. Privilege Levels and Role-Based Access Control

Cisco IOS supports 16 privilege levels (0–15) to enforce role-based access control (RBAC) — controlling exactly which commands each user can execute after authentication.

Privilege Level Default Access Typical Use
Level 0 Only: disable, enable, exit, help, logout Minimal / restricted access
Level 1 User EXEC mode — limited show commands, ping, traceroute Read-only helpdesk staff
Levels 2–14 Custom — you define which commands are available at each level Network operators, NOC teams with specific permissions
Level 15 Full privileged EXEC — all commands including configure terminal Senior network engineers, administrators

Configuring Custom Privilege Levels

! Create users at different privilege levels
Router(config)# username readonly privilege 1 secret ViewOnly1!
Router(config)# username netops   privilege 5 secret NetOps5!
Router(config)# username admin    privilege 15 secret Admin15!

! Assign specific commands to privilege level 5
Router(config)# privilege exec level 5 show running-config
Router(config)# privilege exec level 5 show ip interface brief
Router(config)# privilege exec level 5 ping

! Set enable password for privilege level 5
Router(config)# enable secret level 5 LevelFive!

Privilege Levels via TACACS+ (Preferred)

! Router config — enable AAA and authorization
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# aaa authorization commands 15 default group tacacs+ local

! TACACS+ server assigns privilege level per user:
! "readonly"  → privilege 1
! "netops"    → privilege 5
! "admin"     → privilege 15
Best Practice: Avoid assigning everyone privilege 15. Enforce least-privilege tiers — helpdesk at level 1, NOC at a mid-level, senior admins at level 15. Use aaa authorization commands with TACACS+ for granular per-command control at scale. See AAA TACACS+ Configuration.

13. SSH Configuration — Secure Remote Login from Scratch

Telnet transmits all data including usernames and passwords in plain text and must never be used in production. The following is a complete SSH setup with best-practice hardening. See also: SSH Configuration (Step-by-Step) | SSH Explained | SSH & Telnet Security

Step-by-Step: Enable SSH on a Cisco Router or Switch

  1. Set hostname and domain name (required for RSA key generation): 
    Router(config)# hostname R1
R1(config)# ip domain-name netstuts.com
  2. Generate RSA key pair (minimum 2048 bits required for SSH v2): 
    R1(config)# crypto key generate rsa modulus 2048
  3. Force SSH version 2 only (SSH v1 has known vulnerabilities): 
    R1(config)# ip ssh version 2
  4. Create a local user account: 
    R1(config)# username admin privilege 15 secret StrongPass1!
  5. Configure VTY lines — SSH only, no Telnet: 
    R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 10 0
  6. Optional hardening — limit retries and timeout: 
    R1(config)# ip ssh authentication-retries 3
R1(config)# ip ssh time-out 60

Telnet vs SSH Comparison

Feature Telnet SSH v1 SSH v2
Encryption ❌ None — plain text ⚠️ Weak — known vulnerabilities ✅ Strong AES encryption
Authentication Password only (clear text) Password or key-based Password, key-based, or certificate
MITM Risk High Medium Low (host key verification)
Port TCP 23 TCP 22 TCP 22
Use in production ❌ Never ❌ Avoid ✅ Always

14. Brute-Force Protection — login block-for

The login block-for command creates an automatic lockout policy that blocks all login attempts for a defined period after a threshold of failed attempts is reached. This is a critical security hardening step. See also: Login Security & Brute-Force Protection. 

! Block all logins for 120 sec if 5 failures occur within 60 sec
Router(config)# login block-for 120 attempts 5 within 60

! Allow management station to bypass the block
Router(config)# ip access-list standard MGMT-HOSTS
Router(config-std-nacl)# permit 10.10.10.0 0.0.0.255
Router(config)# login quiet-mode access-class MGMT-HOSTS in

! Add a delay between login attempts (slows brute force)
Router(config)# login delay 3

! Log all login events to syslog
Router(config)# login on-failure log
Router(config)# login on-success log

Verify Login Security Settings

Router# show login
     A login delay of 3 seconds is applied.
     Blocking Period when Login Attack detected is 120 secs.
     Router is in Quiet-Mode for 108 more seconds.
     Quiet-Mode Access list: MGMT-HOSTS

Router# show login failures
Command Purpose
login block-for <sec> attempts <n> within <sec> Activates lockout after n failed attempts in the specified window
login delay <sec> Inserts a delay between login attempts — slows brute-force attacks
login quiet-mode access-class <acl> Allows trusted management hosts to bypass quiet mode. See ACL Overview and Standard ACLs.
login on-failure log Logs all failed login attempts to syslog
login on-success log Logs all successful logins to syslog
show login Shows current login security status and quiet-mode state
show login failures Displays recent failed login attempts with source IP addresses

15. Secure Login Best Practices

  • Always use SSH v2 (never Telnet) for remote CLI access — SSH encrypts all session traffic. See SSH & Telnet Security.
  • Use enable secret (not enable password) for privileged EXEC mode access; use Type 9 (scrypt) where supported for maximum security.
  • Use service password-encryption to obfuscate Type 7 passwords in the config — but understand this is reversible encoding, not true encryption.
  • Use HTTPS (not HTTP) for web interfaces: no ip http server + ip http secure-server.
  • Implement role-based access — assign privilege levels or use TACACS+ command authorization to enforce least privilege.
  • Apply login block-for and login delay to mitigate brute-force attacks. See Login Security & Brute-Force Protection.
  • Configure exec-timeout on all lines — idle sessions are a security risk.
  • Apply an ACL to VTY lines (access-class) to restrict management access to known management subnets only. See Standard ACLs.
  • Monitor syslog for failed and successful login events — integrate with a SIEM for alerting. See show logging and Syslog Configuration.
  • Maintain at least one local emergency admin account. Test it periodically.

See also: Login Security & Brute-Force Protection | Console & VTY Line Configuration

16. Troubleshooting Login Authentication

Problem Possible Cause Solution
Login fails immediately Wrong credentials, or TACACS+ server reachable but rejected login Verify username/password; check server policy; remember — REJECT has no fallback
Lockout — no access at all No fallback local user configured, or misconfigured method list Always configure a local admin before enabling AAA; use console for recovery. See Console & VTY Line Configuration.
Login delay / quiet mode active Too many failed attempts triggered login block-for Wait for timer to expire, or use management ACL bypass host. See Login Security & Brute-Force Protection.
Plain-text passwords visible in config Used password instead of secret Replace with secret; add service password-encryption. Verify with show running-config | section username.
VTY connection refused transport input telnet only; or ACL blocking source IP Check transport input ssh; verify VTY access-class ACL. See SSH Configuration.
AAA server unreachable — no fallback Local not listed in method list Always append local as last method: group tacacs+ local

Authentication Verification Commands — Quick Reference

Command What It Shows When to Use
show running-config | section aaa All AAA configuration including method lists and server groups Verify AAA is configured correctly
show running-config | section line Line configs including login method and transport settings Confirm correct method list is applied to VTY/console
show aaa servers RADIUS/TACACS+ server status, reachability, and request counts Check if AAA servers are reachable and responding
show tacacs TACACS+ server IP, port, connection state, and statistics Diagnose TACACS+ connectivity issues
show users Currently logged-in users, their lines, and idle times See who is connected to the device right now
show ip ssh SSH version, timeout, and retry settings Confirm SSH v2 is enabled and configured correctly
debug aaa authentication Real-time AAA authentication decision flow Deep troubleshooting — use carefully in production
debug tacacs TACACS+ packet exchange in real time Diagnose TACACS+ request/response failures
Debug warning: debug commands can generate high CPU load on production devices. Always run undebug all immediately after diagnosing, and use terminal monitor to redirect output to your SSH session rather than the console.

17. Complete Real-World Configuration: Hardened Device Access

The following production-grade configuration combines all authentication best practices for a Cisco router in an enterprise environment. Use this as a reference checklist. After applying, save with copy run start.

Scenario: Enterprise router with TACACS+ primary authentication, local fallback, SSH-only remote access, brute-force protection, role-based access, and full accounting. 
! ── Hostname & Domain ─────────────────────────────────────────────
hostname CORP-RTR-01
ip domain-name corp.netstuts.com

! ── SSH Hardening ─────────────────────────────────────────────────
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60

! ── Local Fallback Accounts ───────────────────────────────────────
username emergency privilege 15 secret EmergOnly!BreakGlass
username netops    privilege 5  secret NetOps5!

! ── Service Hardening ─────────────────────────────────────────────
service password-encryption          ! Obfuscate type-7 passwords in config
no ip http server                    ! Disable HTTP web interface
ip http secure-server                ! Enable HTTPS only
enable secret type 9 $9$StrongHash! ! Type 9 scrypt (strongest)

! ── AAA Framework ─────────────────────────────────────────────────
aaa new-model

tacacs server CORP-TACS
 address ipv4 10.1.1.100
 key SecretTacacsKey1!
 timeout 5

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! ── Brute-Force Protection ────────────────────────────────────────
login block-for 120 attempts 5 within 60
login delay 3
login on-failure log
login on-success log

ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
login quiet-mode access-class MGMT-HOSTS in

! ── Console Line ──────────────────────────────────────────────────
line console 0
 login authentication default
 exec-timeout 5 0
 logging synchronous

! ── VTY Lines (SSH only, management subnet only) ──────────────────
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 10 0
 access-class MGMT-HOSTS in

! ── Disable Unnecessary Services ─────────────────────────────────
no ip finger
no service tcp-small-servers
no service udp-small-servers
Safety rule — before applying AAA changes in production: Always keep a second active session open to the device while testing the new configuration. If the new config breaks authentication, fix it from the open session. Never change authentication on your only active session without a tested fallback. Verify the final configuration with show running-config | section aaa before saving with copy run start.

18. Common Misconceptions About Login Authentication

  • "login and login local are the same thing."
    login uses a single password set under the line itself — no username required. login local requires both username and password from the device's local database. login local provides individual accountability; plain login does not. See Console & VTY Line Configuration.
  • "If TACACS+ rejects my credentials, the device tries the local database."
    A REJECT from a reachable server is final — no fallback occurs. The local database is only tried if the server returns ERROR (unreachable/timeout). This is the most frequently misunderstood AAA behavior and a common exam trap.
  • "service password-encryption makes passwords secure."
    This command applies Type 7 encoding — a reversible cipher decodable in seconds with free tools. It only prevents shoulder-surfing. Always use secret (Type 5 MD5 or Type 9 scrypt) for actual password security.
  • "Enabling aaa new-model is harmless."
    Entering aaa new-model immediately changes authentication behavior. If no method list is defined, the console may lock you out. Always define a fallback local account and test your configuration before enabling AAA in production.
  • "SSH v1 and SSH v2 are basically the same."
    SSH v1 has well-documented cryptographic weaknesses and must never be used. Always configure ip ssh version 2 to enforce SSHv2 only and prevent clients from downgrading. See SSH & Telnet Security.

19. Key Points & Exam Tips

  • Authentication = login (who you are). Authorization = what you can do. Accounting = what you did. See AAA Local vs RADIUS.
  • Console, VTY, HTTP, and AUX are all entry points — secure every one of them. See Console & VTY Line Configuration.
  • Use login local for simple setups; use AAA (RADIUS/TACACS+) for scalable, centralized management across many devices.
  • RADIUS (UDP, ports 1812/1813) — best for user network access (Wi-Fi, VPN). TACACS+ (TCP, port 49) — best for device admin with per-command authorization.
  • AAA fallback only occurs on ERROR (server unreachable), never on REJECT (wrong password). This is one of the most tested CCNA distinctions.
  • Always use SSH v2; disable Telnet with transport input ssh. See SSH & Telnet Security.
  • Use secret (not password) for all local accounts and enable passwords.
  • Apply login block-for and exec-timeout on all production devices.
  • Always append local as the final method in AAA lists to prevent total lockout.
  • Apply a VTY ACL (access-class) to restrict remote management to authorised management subnets. See Standard ACLs.
  • Test authentication changes from a second open session before committing to production. Use debug aaa authentication for real-time troubleshooting.
  • Forward login events to a syslog server for persistent audit trails. See Syslog Configuration.

Related step-by-step labs: AAA RADIUS Configuration | AAA TACACS+ Configuration | SSH Configuration | Console & VTY Line Configuration | Login Security & Brute-Force Protection | Hostname, Banner & Password Configuration | 802.1X Port Authentication

20. Login Authentication Methods Quiz

1. A network engineer configures aaa new-model and applies a TACACS+ method list to the VTY lines without first creating a local user. What is the most likely result?

Correct answer is C. Enabling aaa new-model immediately changes authentication behavior. Without a local fallback account and with the TACACS+ server unreachable, there is no valid authentication method — administrators would be locked out. Always create a local emergency account before enabling AAA. See AAA TACACS+ Configuration.

2. A router is configured with aaa authentication login default group tacacs+ local. An admin enters the correct password but the TACACS+ server actively rejects the login. What happens next?

Correct answer is A. A REJECT from a reachable AAA server is final. Fallback to the next method (local) only occurs on ERROR — when the server is unreachable or does not respond. This distinction is one of the most tested behaviors on the CCNA exam. Use debug aaa authentication to observe the decision flow in real time.

3. Which Cisco IOS command correctly creates a local user whose password is stored as a cryptographic hash rather than reversible encoding?

Correct answer is D. The secret keyword stores the password using a one-way hash (MD5 Type 5 or scrypt Type 9), which cannot be reversed. The password keyword stores a reversible Type 7 encoding that can be decoded in seconds using freely available tools. Verify stored password types with show running-config | section username.

4. What is the primary advantage of TACACS+ over RADIUS for managing network device administrator access?

Correct answer is B. TACACS+ fully separates authentication, authorization, and accounting — and uniquely supports per-command authorization, allowing you to control exactly which CLI commands each user can execute. RADIUS combines auth and authorization and does not support command-level control. Note: TACACS+ uses TCP (not UDP), and is Cisco proprietary (not an open standard). See AAA TACACS+ Configuration and AAA Local vs RADIUS.

5. An admin runs show ip ssh and sees "SSH Enabled - version 1.99." What does this indicate and what should be done?

Correct answer is C. Version "1.99" means the device supports both SSH v1 and v2. SSH v1 has well-documented cryptographic vulnerabilities and must be disabled. Configure ip ssh version 2 to enforce SSHv2 only and prevent clients from downgrading. See SSH Explained and SSH Configuration.

6. A device is configured with login block-for 90 attempts 3 within 30. An attacker makes 3 failed attempts in 25 seconds. What happens to ALL subsequent login attempts?

Correct answer is A. The login block-for command activates quiet mode — blocking ALL login attempts from ALL sources for the specified duration (90 seconds here). It is not source-IP specific unless you configure a login quiet-mode access-class ACL to exempt trusted management hosts. See Login Security & Brute-Force Protection.

7. Which privilege level on Cisco IOS provides full access to all commands including configure terminal?

Correct answer is D. Privilege level 15 is full privileged EXEC mode — it grants access to all IOS commands including configure terminal. Level 1 is User EXEC (limited read-only commands including ping and traceroute), and levels 2–14 are custom-defined. Level 0 has only five basic commands.

8. A network admin wants remote CLI access to a switch but Telnet is blocked by corporate policy. The switch has no RSA keys generated. Which sequence of commands correctly enables SSH access?

Correct answer is B. SSH requires: (1) a hostname set, (2) an IP domain name configured, (3) an RSA key pair generated with crypto key generate rsa modulus 2048, (4) ip ssh version 2 to enforce SSHv2, and (5) transport input ssh on the VTY lines. Without the RSA key, SSH cannot function. See the full walkthrough at SSH Configuration.

9. What does service password-encryption actually do — and what are its limitations?

Correct answer is A. service password-encryption applies Cisco's Type 7 encoding — a reversible cipher that only prevents shoulder-surfing. It can be decoded in seconds using freely available tools. For actual security, always use the secret keyword (Type 5 MD5 or Type 9 scrypt) which produces a one-way hash that cannot be reversed. Verify with show running-config | section username.

10. An enterprise network has 80 Cisco routers and switches. The security team requires per-command authorization so that NOC operators can run show commands but cannot make configuration changes. Which solution best meets this requirement?

Correct answer is C. TACACS+ uniquely supports per-command authorization via aaa authorization commands — allowing centralized control over exactly which IOS commands each user or group can execute across all 80 devices. RADIUS does not support command-level authorization. Local authentication does not scale to 80 devices. Privilege level 1 alone cannot restrict specific commands within a level. See AAA TACACS+ Configuration.

← Back to Home