In the past, when securing the login to a router with local passwords (no TACACS or RADIUS servers), passwords had to be defined in several places. The minimum needed for telnet access to work was:
enable secret secretpw
line vty 0 4
password telnetpw
Another password needed to be assigned to secure logins via the console port:
line con 0
password consolepw
If there was a modem attached for remote out-of-band access, yet another password was assigned to the auxiliary port:
line aux 0
password modempw
With ‘triple A’ (AAA), access can be defined in a more centralized manner, regardless of the database being used (local, TACACS, RADIUS, etc.). Consider the following configuration (aaa new-model enables AAA and has to be entered before the other aaa commands are accepted):
aaa new-model
enable secret secretpw
! engineer login
username Admin privilege 15 secret adminpw
! helpdesk login for basic troubleshooting only
username Monitor privilege 1 secret monitorpw
! the default authentication list covers logins from all sources: console, AUX and telnet
aaa authentication login default local enable
! apply privilege levels at console logins
aaa authorization console
! apply privilege levels at telnet logins
aaa authorization exec default local
This configuration will produce:
An enable prompt for the admin login:
User Access Verification
Username: admin
Password:
R1#
A non-privileged router prompt for the monitor login:
User Access Verification
Username: monitor
Password:
R1>
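
An added example, not part of the original post: a short Python audit that checks a configuration for the points above, namely leftover per-line passwords, a default login list that uses the local database, and aaa authorization console alongside exec authorization. The sample configuration, the names audit and PROMPT and the finding texts are constructed for illustration, and the input is assumed to be in show running-config layout (sub-commands indented by one space).

```python
import re

# Constructed sample: the article's AAA configuration with a leftover AUX
# password and without "aaa authorization console" (both for the audit to catch).
SAMPLE = """\
aaa new-model
enable secret secretpw
username Admin privilege 15 secret adminpw
username Monitor privilege 1 secret monitorpw
aaa authentication login default local enable
aaa authorization exec default local
line con 0
line aux 0
 password modempw
line vty 0 4
"""
PROMPT = {15: "#", 1: ">"}  # prompts the article shows for these privilege levels

def audit(config):
    """Return (findings, prompts) for a configuration in running-config layout."""
    findings, prompts, seen, line_ctx = [], {}, set(), None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if not raw.startswith(" "):   # a global command closes any line block
            line_ctx = cmd if cmd.startswith("line ") else None
            seen.add(cmd)
        elif line_ctx and cmd.startswith("password "):
            findings.append(f"{line_ctx}: per-line password still configured")
        m = re.match(r"username (\S+)(?: privilege (\d+))? ", cmd)
        if m:                         # privilege defaults to 1 when omitted
            prompts[m.group(1)] = PROMPT.get(int(m.group(2) or 1), "?")
    if "aaa new-model" not in seen:
        findings.append("aaa new-model missing: AAA is not enabled")
    if not any(c.startswith("aaa authentication login default ") and " local" in c
               for c in seen):
        findings.append("default login list does not use the local database")
    exec_authz = any(c.startswith("aaa authorization exec ") for c in seen)
    if exec_authz and "aaa authorization console" not in seen:
        findings.append("aaa authorization console missing: "
                        "privilege levels are not applied at the console")
    return findings, prompts

if __name__ == "__main__":
    for finding in audit(SAMPLE)[0]:
        print("FINDING:", finding)
```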


November 29th, 2008 at 6:35 am
pls tell how to give enable password using command line script …