AAA Minimum Password Length Policy on Switch IOS 15.0 Only Works with Level 7 Passwords

bhenning
Level 1

I've been trying to configure a minimum password length policy on a 2960 switch running 15.0(2)SE2. The command "security passwords min-length x" that is so often offered as a solution for IOS switches and routers does not exist in 15.0SE for switches. The only thing I've found is the following document that explains how to create a password policy using the AAA "Common Criteria" configuration. This apparently is only a supported feature on IOS 15.0(2)SE and 15.1(1)SY. Pretty limited.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-aaa-comm-criteria-pwd.html

Per the above link, I created the following configuration that forces a minimum password length of six characters (max of 64), requiring a combination of at least 1 upper, 1 lower, 1 special-character, and 1 number.

aaa new-model
!
!
aaa authentication login default local
!
aaa common-criteria policy PassPolicy
 min-length 6
 max-length 64
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 2

The next step is to apply the policy to a user account with the following:

username myuser common-criteria-policy PassPolicy password mypassword

In the above example, the password 'mypassword' fails because it does not meet the policy 'PassPolicy', which is good. The only way you can tell that it fails is that the new user account doesn't show up in the config. The following example will comply with the policy and add the account:

username myuser common-criteria-policy PassPolicy password Th3G00dP@ssw0rd

But this only works if you're using easily crackable Level 7 passwords. In my environment, we use the username 'secret' keyword for stronger encryption. I've found that this ignores the password policy and will add the username anyway, regardless of the password you use. For example:

username myuser common-criteria-policy PassPolicy secret mypassword

The switch will ignore your policy and add the account anyway. So basically, if you want to enforce a password policy on a Cisco switch, you have to sacrifice your stronger password encryption to do it!

Would love to see Cisco resolve this. Many compliance auditors are wanting to see password enforcements on switches nowadays, along with strong password encryption. If anyone knows a workaround or solution to this (other than using a TACACS+ or RADIUS server), please share. Thanks!
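Since the switch skips the common-criteria check when the `secret` keyword is used, the only place left to enforce the policy is off-box, before the `username` line is pushed. The following Python script is an added example, not code from the original post or from Cisco: it parses the `aaa common-criteria policy` block out of a running-config (the sample config is constructed here to match the one in the post), checks a candidate password against every rule in that block, and only emits a `username ... secret` line when the password would also have passed the on-box check. Two assumptions are made where Cisco's documentation is not explicit: special characters are counted as printable non-alphanumeric ASCII, and `char-changes` is counted as the number of differing positions between old and new password plus any length difference.

```python
"""Off-box enforcement of an IOS 'aaa common-criteria policy' for 'secret' users.

Added example: parses the policy block from a running-config and validates a
candidate password so the username line is only generated when it complies.
"""
import string
from dataclasses import dataclass

# Assumption: IOS 'special-case' means any printable non-alphanumeric ASCII character.
SPECIAL = set(string.punctuation)

# IOS policy sub-command -> field name on CommonCriteriaPolicy.
KEYWORDS = {
    "min-length": "min_length",
    "max-length": "max_length",
    "numeric-count": "numeric_count",
    "upper-case": "upper_case",
    "lower-case": "lower_case",
    "special-case": "special_case",
    "char-changes": "char_changes",
}

# Constructed sample running-config, mirroring the policy in the post.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login default local
!
aaa common-criteria policy PassPolicy
 min-length 6
 max-length 64
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 2
!
"""


def changed_chars(old: str, new: str) -> int:
    """Assumption: differing positions plus the length difference (Cisco's exact rule may differ)."""
    diffs = sum(1 for a, b in zip(old, new) if a != b)
    return diffs + abs(len(old) - len(new))


@dataclass(frozen=True)
class CommonCriteriaPolicy:
    name: str
    min_length: int = 1
    max_length: int = 64
    numeric_count: int = 0
    upper_case: int = 0
    lower_case: int = 0
    special_case: int = 0
    char_changes: int = 0

    def violations(self, new: str, old: str = "") -> list:
        """Return the policy rules that `new` fails; an empty list means compliant."""
        failed = []
        if len(new) < self.min_length:
            failed.append(f"min-length {self.min_length}")
        if len(new) > self.max_length:
            failed.append(f"max-length {self.max_length}")
        if sum(c.isdigit() for c in new) < self.numeric_count:
            failed.append(f"numeric-count {self.numeric_count}")
        if sum(c.isupper() for c in new) < self.upper_case:
            failed.append(f"upper-case {self.upper_case}")
        if sum(c.islower() for c in new) < self.lower_case:
            failed.append(f"lower-case {self.lower_case}")
        if sum(c in SPECIAL for c in new) < self.special_case:
            failed.append(f"special-case {self.special_case}")
        # char-changes only applies when there is a previous password to compare against.
        if old and changed_chars(old, new) < self.char_changes:
            failed.append(f"char-changes {self.char_changes}")
        return failed


def parse_policies(config: str) -> dict:
    """Build a CommonCriteriaPolicy for every 'aaa common-criteria policy' block in `config`."""
    policies = {}
    current = None  # the dict of the policy block currently being read
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            current = None  # blank line or '!' separator ends the block
        elif raw.lstrip().startswith("aaa common-criteria policy "):
            current = {"name": parts[-1]}
            policies[current["name"]] = current
        elif current is not None and len(parts) == 2 and parts[0] in KEYWORDS:
            current[KEYWORDS[parts[0]]] = int(parts[1])
        else:
            current = None  # any other top-level command ends the block
    return {name: CommonCriteriaPolicy(**fields) for name, fields in policies.items()}


PASS_POLICY = parse_policies(SAMPLE_CONFIG)["PassPolicy"]


def username_line(user: str, password: str, policy: CommonCriteriaPolicy, old_password: str = "") -> str:
    """Return the 'username ... secret ...' line, or raise ValueError listing the failed rules."""
    failed = policy.violations(password, old_password)
    if failed:
        raise ValueError(f"{user}: password violates {policy.name}: {', '.join(failed)}")
    return f"username {user} common-criteria-policy {policy.name} secret {password}"


if __name__ == "__main__":
    for candidate in ("mypassword", "Th3G00dP@ssw0rd"):
        try:
            print(username_line("myuser", candidate, PASS_POLICY))
        except ValueError as err:
            print(f"rejected: {err}")
```

Run the script as-is to see 'mypassword' rejected with the three rules it fails and 'Th3G00dP@ssw0rd' accepted; in practice you would feed it the real running-config and the candidate password from whatever provisioning tooling generates the `username` lines, so the policy is checked once off-box even though the switch does not check it for `secret`.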

1 Reply

JohnLuce95601
Level 1

In the 3560CX line, which is close to the 2960, the latest version of the IOS [15.2(7)E3] allows you to insert type 5/8/9 passwords. We were running into the same problem on the device with 15.2(7)E1. Looks like they may have fixed that.