
Experts, I'd like to ask about a password policy configuration problem, thank you!

349797592@qq.com
Spotlight

349797592qqcom_1-1702285016371.png

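The company's Cisco firewall here is an ASA5555, as shown in the show version output above. I now need to configure two features:

1. Password complexity policy and password lifetime // that is, set an expiry time for passwords so that the password must be changed once the time is up, and the password must comply with the configured complexity policy.

2. Lock the account after a certain number of failed logins, for example for a few minutes.

I have tried many command variations and none of them work, and I can't seem to find the relevant official documentation either. Begging the experts for help; I'm willing to pay to get this solved.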

 

4 replies

349797592@qq.com
Spotlight

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1711061
I found this official link; see the description of the steps below:
The first item, on password expiration, raises a problem

  Command Purpose

Step 1

password-policy lifetime days  

ciscoasa(config)# password-policy lifetime 180

(Optional) Sets the interval in days after which passwords expire for remote users (SSH, Telnet, HTTP); users at the console port are never locked out due to password expiration. Valid values are between 0 and 65536 days. The default value is 0 days, a value indicating that passwords will never expire.

7 days before the password expires, a warning message appears. After the password expires, system access is denied to remote users. To gain access after expiration, do one of the following:

  • Have another administrator change your password with the username command.
  • Log in to the physical console port to change your password.

Step 2

password-policy minimum-changes value  

ciscoasa(config)# password-policy minimum-changes 2

(Optional) Sets the minimum number of characters that you must change between new and old passwords. Valid values are between 0 and 64 characters. The default value is 0.

Character matching is position independent, meaning that new password characters are considered changed only if they do not appear anywhere in the current password.

Step 3

password-policy minimum-length value  

ciscoasa(config)# password-policy minimum-length 8

(Optional) Sets the minimum length of passwords. Valid values are between 3 and 64 characters. We recommend a minimum password length of 8 characters.

Step 4

password-policy minimum-uppercase value  

ciscoasa(config)# password-policy minimum-uppercase 3

(Optional) Sets the minimum number of upper case characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum.

Step 5

password-policy minimum-lowercase value  

ciscoasa(config)# password-policy minimum-lowercase 6

(Optional) Sets the minimum number of lower case characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum.

Step 6

password-policy minimum-numeric value

ciscoasa(config)# password-policy minimum-numeric 1

(Optional) Sets the minimum number of numeric characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum.

Step 7

password-policy minimum-special value

ciscoasa(config)# password-policy minimum-special 2

(Optional) Sets the minimum number of special characters that passwords must have. Valid values are between 0 and 64 characters. Special characters include the following: !, @, #, $, %, ^, &, *, ( and ). The default value is 0, which means there is no minimum.

Step 8

password-policy authenticate enable

ciscoasa(config)# password-policy authenticate enable

(Optional) Sets whether users must change their password using the change-password command, instead of letting users change their password with the username command. The default setting is disabled: a user can use either method to change their password.

If you enable this feature, if you try to change your password with the username command, the following error message appears:

ERROR: Changing your own password is prohibited  

You also cannot delete your own account with the clear configure username command. If you try, the following error message appears:

ERROR: You cannot delete all usernames because you are not allowed to delete yourself  
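
The composition and minimum-changes rules from the table quoted above, modeled as an added Python example (not part of the original post or of Cisco's documentation, and not the ASA's own implementation). The `PasswordPolicy` class and the function names are hypothetical, the defaults copy the table's example commands, and counting every occurrence of a changed character is an assumption.

```python
import string
from dataclasses import dataclass

# Special characters listed in the quoted table for minimum-special.
SPECIALS = "!@#$%^&*()"


@dataclass
class PasswordPolicy:
    # Defaults mirror the example commands in the quoted table.
    minimum_length: int = 8
    minimum_uppercase: int = 3
    minimum_lowercase: int = 6
    minimum_numeric: int = 1
    minimum_special: int = 2
    minimum_changes: int = 2


def changed_characters(new, old):
    """Position-independent comparison: a character of the new password counts
    as changed only if it appears nowhere in the old one. Counting every
    occurrence (rather than distinct characters) is an assumption."""
    old_chars = set(old)
    return sum(1 for ch in new if ch not in old_chars)


def violations(policy, new, old=None):
    """Return the password-policy settings that the candidate fails."""
    def count(alphabet):
        return sum(1 for ch in new if ch in alphabet)

    checks = [
        ("minimum-length", len(new), policy.minimum_length),
        ("minimum-uppercase", count(string.ascii_uppercase), policy.minimum_uppercase),
        ("minimum-lowercase", count(string.ascii_lowercase), policy.minimum_lowercase),
        ("minimum-numeric", count(string.digits), policy.minimum_numeric),
        ("minimum-special", count(SPECIALS), policy.minimum_special),
    ]
    if old is not None:  # only meaningful when replacing an existing password
        checks.append(("minimum-changes", changed_characters(new, old), policy.minimum_changes))
    return [name for name, have, need in checks if have < need]


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample passwords, not real credentials.
    print(violations(policy, "Password1!"))
    print(violations(policy, "abcdefGHI1!@", old="GHI1!@abcdef"))
    print(violations(policy, "ABCdefghi1!@", old="XYZuvwrst9#$"))
```

The second sample reorders the old password's characters, so it satisfies every composition rule yet still fails minimum-changes.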

349797592@qq.com
Spotlight

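I found the following link on the official site: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1711061
After opening the link above, there is a setting for the password expiry time, the command marked with the red box in the table:
For example: if the ASA firewall is configured with ciscoasa(config)# password-policy lifetime 180, which sets passwords to expire after 180 days, and the password expires, then according to the official documentation, if I currently have only one administrator account, admin, then once the time is up, it looks like the expired password means the admin account can no longer log in remotely via SSH and I must use the physical console, that is, go on site and connect a console cable to log in and change the password, is that right?
But there is one point I am unsure about: after configuring the 180-day expiry command, if the password expires, the link says [Have another administrator change your password with the username command]. What I don't understand about this is: doesn't this 180-day expiry command apply to all administrator accounts? According to the explanation above, it seems that after the password expires at 180 days, another administrator can change the other administrator's password remotely over SSH, so there is no need to go on site and connect to the physical console. But I would think that after expiry none of the administrators could log in remotely via SSH, so how can another administrator log in to change the other administrator's password? It is very strange and I can't make sense of it. Please help, experts.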


349797592@qq.com
Spotlight

349797592qqcom_0-1702307206563.png

Translated into Chinese, it means:

349797592qqcom_1-1702307243735.png

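I looked at the ASDM interface configuration, and there is no option to lock an account for a few minutes after, say, three wrong password entries. It seems this ASA5555 firewall does not support this password policy option of locking for a fixed time after several wrong password entries.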

 

 

Can anyone advise on this option for locking for a fixed time after several wrong password entries, or does this ASA5555 model not support it?
