
common-criteria configuration

Hi all, I'm trying to configure a common-criteria policy so local users have a minimal password complexity, but after following the instructions in the manual https://www.cisco.com/en/US/docs/ios-xml/ios/15-0se/features/sec-aaa-comm-criteria-pwd.html, and configuring a local user with my new CC policy, I don't know how to verify in the configuration that this user really has the policy applied.

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa common-criteria policy policy1
Device(config-cc-policy)# char-changes 4
Device(config-cc-policy)# max-length 20
Device(config-cc-policy)# min-length 6
Device(config-cc-policy)# numeric-count 2
Device(config-cc-policy)# special-case 2
Device(config-cc-policy)# exit
Device(config)# username user1 common-criteria-policy policy1 password password1
Device(config)# end

I can't see this configuration when running "sh run". Does anybody know how I can review this configuration?

Thanks

andres

4 REPLIES

Edson A. Hernandez
Spotlight

The configuration you have entered is stored in the device's running configuration but it may not be visible in the output of the "show running-config" command because the "username" configuration is a sensitive configuration that is encrypted by default to prevent the password from being visible in the configuration file.

To verify that the common-criteria policy is applied to the local user, you can use the "show aaa local user" command to display the user's configuration, including the policy that is applied to the user. Here's an example:

 

Device# show aaa local user user1
User: user1 Authen Type: LOCAL
Access List: None
Common-Criteria Password Policy:
Minimum Length: 6
Maximum Length: 20
Numeric Count: 2
Special Character Count: 2
Character Changes: 4

 

 

**Please rate the answer if this information was useful**

 

Hi, thanks Edson. I don't know if it's an IOS version behaviour, but the show aaa local user command is not recognized. I have only two options under "show aaa local user": blocked or lockout.

Another idea?

thanks 

andres

Edson A. Hernandez
Spotlight

You can also use the "show running-config all" command to see the complete configuration of your device, including the configuration lines related to your Common Criteria policy and local user.

To filter the output and only display the relevant configuration lines, you can use the "include" or "section" option. For example:


show running-config all | include aaa|username

show running-config all | section aaa common-criteria policy
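
An offline way to run the check suggested above over saved `show running-config all` output, as an added example that is not part of the original thread or any Cisco tooling: it maps each local username to the common-criteria policy named on its `username` line and flags users with no policy or an undefined one. It assumes the output prints the policy block and `username` lines in the form they were entered in the question; the sample config, `user2`, `user3` and `policy9` are constructed.

```python
import re

# Constructed sample. Assumption: "show running-config all" prints the policy
# block and username lines in the same form they were typed in the question.
SAMPLE_CONFIG = """\
aaa common-criteria policy policy1
 char-changes 4
 max-length 20
 min-length 6
 numeric-count 2
 special-case 2
!
username user1 common-criteria-policy policy1 password 0 password1
username user2 secret 5 CONSTRUCTED-HASH-PLACEHOLDER
username user3 common-criteria-policy policy9 password 0 password3
"""

POLICY_RE = re.compile(r"^aaa common-criteria policy (\S+)\s*$")
ATTACH_RE = re.compile(r"\scommon-criteria-policy (\S+)")

def parse_policies(config):
    """Return {policy_name: {setting: int}} from the policy blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if value.isdigit():
                current[key] = int(value)
        else:
            current = None  # any unindented line closes the policy block
    return policies

def audit_users(config):
    """Return {username: (policy_or_None, status)} for every local user."""
    policies, report = parse_policies(config), {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "username":
            continue
        attach = ATTACH_RE.search(line)
        name = attach.group(1) if attach else None
        status = ("no policy attached" if name is None
                  else "ok" if name in policies else "policy not defined")
        report[parts[1]] = (name, status)
    return report

if __name__ == "__main__":
    for user, (policy, status) in audit_users(SAMPLE_CONFIG).items():
        print(f"{user}: policy={policy} status={status}")
```
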

Hi, thanks Edson, but I think that my problem is really my ignorance about Cisco. I have been doing other tests in order to configure a user belonging to a common criteria policy, and the only option I can use is "password", but this is very poor encryption and I would like to be more secure with the "secret" option, but if I try creating a user with the "secret" option I can't use common-criteria in the username command. So I think that the first thing I should understand is whether common-criteria is compatible with a secret password.