1
00:00:00,710 --> 00:00:08,000
In the CCNA course, we've been discussing the use of local usernames and passwords; in other words,

2
00:00:08,390 --> 00:00:14,660
the username and password information is stored on each router or switch individually.

3
00:00:15,440 --> 00:00:20,930
So as an example, when I log on to this router, Router 1, there's no authentication.

4
00:00:23,210 --> 00:00:31,780
But what we could do is create a username on the router and then go into the line console and specify

5
00:00:31,790 --> 00:00:37,730
login and either a line login or specify a local login.

6
00:00:38,780 --> 00:00:46,130
So now when we log on to the router, we are prompted to enter the username and password. That works

7
00:00:46,130 --> 00:00:51,860
well when you have a small environment, but as you scale, it becomes a lot of work.

8
00:00:51,890 --> 00:00:56,620
So as an example, when I connect to Router 2, there's no username and password.

9
00:00:57,020 --> 00:01:03,260
So what I need to do now is create a separate username and password on Router 2,

10
00:01:04,720 --> 00:01:05,410
and then

11
00:01:06,370 --> 00:01:09,160
I need to remember to go into the line console

12
00:01:11,420 --> 00:01:18,420
and specify a login local, and I mustn't forget to do that on the VTY lines as well.

13
00:01:19,490 --> 00:01:21,200
So logging back in,

14
00:01:22,590 --> 00:01:25,650
I'm now prompted for my username and password on Router 2,

15
00:01:26,870 --> 00:01:34,040
but once again, when I connect to Router 3, there's no username and password and I have to specify

16
00:01:34,040 --> 00:01:34,560
that again.

17
00:01:34,940 --> 00:01:42,510
Now, that's not the only problem, that we have to configure passwords locally on every device.

18
00:01:44,090 --> 00:01:48,200
So you've got to remember to do all that configuration,

19
00:01:48,830 --> 00:01:54,290
but what you've also got to remember to do is to change your passwords on a regular basis.

20
00:01:55,840 --> 00:02:02,140
To implement good security practices, you should be changing your password on a regular basis. That

21
00:02:02,140 --> 00:02:10,050
means that we have to go to every device in the network and change the password on each device individually.

22
00:02:10,660 --> 00:02:12,820
In this example I've only got five devices.

23
00:02:13,270 --> 00:02:21,160
But if you've got a hundred or a thousand network devices, that's a lot of configuration, and that increases because

24
00:02:21,160 --> 00:02:25,040
you don't want your users sharing the same username and password.

25
00:02:25,810 --> 00:02:29,320
So if you've got another user in your environment,

26
00:02:32,150 --> 00:02:41,450
you should set up that user account on every router. So as an example, on Router 1, I can log in as

27
00:02:41,450 --> 00:02:41,990
Mary,

28
00:02:43,140 --> 00:02:46,380
but I can't do that on Router 2,

29
00:02:48,370 --> 00:02:56,740
because I haven't configured a username, Mary, on Router 2. So the management of usernames and passwords

30
00:02:56,740 --> 00:03:03,400
becomes very difficult when you have local usernames and passwords configured on every device.

31
00:03:04,830 --> 00:03:11,010
So it makes sense to centralize your usernames and passwords on a central server.

32
00:03:11,430 --> 00:03:19,290
So in this example, we've got a user called admin, but we could add Mary or David to this database

33
00:03:19,590 --> 00:03:28,080
and then point every network device to the central ACS server, which means that we don't have to configure

34
00:03:28,290 --> 00:03:35,820
a local username and password on every device for every user that needs to access that device.

35
00:03:36,720 --> 00:03:43,650
The server can also be leveraged once again for 802.1X authentication, where you centralize

36
00:03:43,860 --> 00:03:51,870
the username and password authentication of users accessing the network through an AAA server, or

37
00:03:52,140 --> 00:03:54,330
authentication, authorization,

38
00:03:54,480 --> 00:03:55,890
and accounting server.