
add local user with secret 8 password and common-criteria policy

Hi all,

I'm trying to get a configuration in order to create a local user in the switch with a secret 8 password and belonging to a common-criteria policy in order to have a complex password, but I have not achieved it.

First, I have created a CC policy with some threshold

aaa common-criteria policy TEST

Second, I have enabled algorithm-type

enable algorithm-type sha256 secret peloto123

Finally, I have tried creating the user, but I can't combine the common-criteria policy with a secret 8 password for the user, because if I type the common-criteria option, I can only include the password option, and if I type secret 8 password I can't include the common-criteria option.

Do you know if this configuration is compatible, or does it depend on the IOS version? In my case, 15.2.

Thanks

andres

2 accepted solutions

  • username username common-criteria-policy AAA-CC algorithm-type md5 | scrypt | sha256 secret cleartext-secret <<- check this


Edson A. Hernandez
Spotlight

Below is an example of how to create a policy. These are already applied to the users.

Device(config)# aaa new-model
Device(config)# aaa common-criteria policy policy1
Device(config-cc-policy)# upper-case 1
Device(config-cc-policy)# max-length 20
Device(config-cc-policy)# min-length 6
Device(config-cc-policy)# numeric-count 1
Device(config-cc-policy)# exit
Device(config)# username user1 common-criteria-policy policy1 algorithm-type sha256 secret Password1


I share the official guide of Cisco

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_microswitches/software/releases/15_2_8_e/configuration_guide/security/b_1528e_security_cms_cg/password_strength_and_management.html

 

**Please rate the answer if this information was useful**


hemmerling
Level 1

What the OP was trying to say was that they can pick either "algorithm-type" or "common-criteria-policy" for IOS 15.2; they are mutually exclusive. If you choose "common-criteria-policy", and without the ability to then use the command for algorithm-type, it will give you a type 9 password generated by scrypt and not a type 8 generated by sha256. If you choose to use "algorithm-type" you cannot use the common-criteria-policy you created, but it will be a type 8 password.
He was discovering that you can have one or the other but not both on 15.2 (like on a 2960X or 3560CX).
I don't know if it's a bug or it was meant to be that way, but it's been that way for at least 7 years. I just found his post while looking to see if someone has answered which yet; guess I'll try back in another 7.
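
To see which of the two outcomes described in this thread a switch actually ended up with, the local user lines of a saved configuration can be audited offline. The script below is an added example, not from any poster or from Cisco; it assumes user lines have the shape `username NAME [options] secret|password TYPE STRING`, and the sample lines and hash strings are constructed placeholders.

```python
import re

# Type numbers as stored in IOS config; 8 and 9 are the two named in the thread.
TYPES = {"0": "cleartext", "5": "md5", "7": "type 7 (reversible)",
         "8": "sha256", "9": "scrypt"}
STRONG = {"8", "9"}

# Assumed line shape: username NAME [options] secret|password TYPE STRING
USER_RE = re.compile(r"^username\s+(?P<user>\S+)(?P<opts>.*?)\s+"
                     r"(?P<kind>secret|password)\s+(?P<type>\d)\s+\S+$")
POLICY_RE = re.compile(r"\bcommon-criteria-policy\s+(\S+)")

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE = """\
username admin common-criteria-policy TEST secret 9 $9$PLACEHOLDER
username ops privilege 15 secret 8 $8$PLACEHOLDER
username legacy password 7 PLACEHOLDER
username old secret 5 $1$PLACEHOLDER
"""

def audit(config_text):
    """Return one finding per local user line in a saved configuration."""
    findings = []
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue  # not a local user line
        policy = POLICY_RE.search(m["opts"])
        issues = []
        if m["type"] not in STRONG:
            issues.append("secret is not type 8 or 9")
        if policy is None:
            issues.append("no common-criteria policy")
        findings.append({
            "user": m["user"],
            "policy": policy.group(1) if policy else None,
            "storage": TYPES.get(m["type"], "unknown"),
            "issues": issues,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["user"], f["storage"], f["policy"], "; ".join(f["issues"]) or "ok")
```

A user reported with a policy and `scrypt` storage matches the common-criteria-policy case described above, while `sha256` with no policy matches the algorithm-type case.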