Secure ACS and Minimum Password Age

cybrsage
Level 1

The IRS requires all systems that process sensitive personal information, such as social security numbers, to have the passwords protected with many things, one of them being a minimum password age of 1 day being set on all passwords.  I cannot find how to do that with the Cisco ACS 5.7 TACACS+ appliance.

This can be found in IRS Pub 1075, Section 9.3.7.5 Authenticator Management (IA-5)

The information system must, for password-based authentication:
a. Enforce minimum password complexity of:
     1. Eight characters;
     2. At least one numeric and at least one special character;
     3. A mixture of at least one uppercase and at least one lowercase letter;
     4. Storing and transmitting only encrypted representations of passwords; and
b. Enforce password minimum lifetime restriction of one day;
c. Enforce non-privileged account passwords to be changed at least every 90 days;
d. Enforce privileged account passwords to be changed at least every 60 days;
e. Prohibit password reuse for 24 generations;
f. Allow the use of a temporary password for system logons requiring an immediate change to a permanent password; and
g. Password-protect system initialization (boot) settings

Any ideas, or is the Cisco product simply unusable for anything that must meet IRS requirements?

10 Replies

Jatin Katyal
Cisco Employee

Are you trying to find the password policy section for internal users? Check this out:

~Jatin

Thanks for the location.  Looking there, I do not see any way to set a minimum password age limit.  For example, the IRS requires the last 24 passwords to not be used.  Someone could change their password 24 times in a row (would take them several minutes) and go back to using the same exact password that had just expired.

With a Minimum Password Age of 1 Day, a person can only change their password once every 24 hours, which would prevent them from doing what I described above - or at least make it take 24 days to do it.

Do you (or anyone), know of a way to get the ACS Server to enforce such a limitation?  To enforce a limit of one password change a day?
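The password-cycling problem described in this reply, as an added example that is not part of the original thread and is not Cisco ACS code or configuration: a small, generic model of a 24-generation history, the Pub 1075 complexity rules, and a one-day minimum age, with a simulation of the "change it 24 times and go back" trick. The account model, password values, PBKDF2 iteration count and timestamps are all constructed for the demonstration; nothing here reflects how ACS stores or checks passwords internally.

```python
"""Model of password history + minimum age, showing why history alone is
bypassable and how a one-day minimum age stretches the bypass to 24 days.
Added example for this thread; not Cisco ACS code."""
import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HISTORY_DEPTH = 24                  # IA-5 (e): no reuse for 24 generations
MIN_AGE_MINUTES = 24 * 60           # IA-5 (b): minimum lifetime of one day
COMPLEXITY = [                      # IA-5 (a): 8 chars, digit, special, upper, lower
    (r".{8,}", "at least eight characters"),
    (r"\d", "at least one digit"),
    (r"[^A-Za-z0-9]", "at least one special character"),
    (r"[A-Z]", "at least one uppercase letter"),
    (r"[a-z]", "at least one lowercase letter"),
]
PBKDF2_ITERATIONS = 10_000          # kept low for the demo; use far more in production


def check_complexity(password: str) -> List[str]:
    """Return the list of complexity rules the password fails (empty = OK)."""
    return [desc for pattern, desc in COMPLEXITY if not re.search(pattern, password)]


def _hash(password: str, salt: bytes) -> bytes:
    # The history holds only salted one-way representations (IA-5 a.4).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # newest last, at most 24
    last_change: Optional[datetime] = None
    enforce_min_age: bool = True

    def change_password(self, new: str, now: datetime) -> Tuple[bool, str]:
        """Apply the policy to a change request; return (accepted, reason)."""
        failures = check_complexity(new)
        if failures:
            return False, "complexity: " + "; ".join(failures)
        if (self.enforce_min_age and self.last_change is not None
                and now - self.last_change < timedelta(minutes=MIN_AGE_MINUTES)):
            return False, "minimum password age not reached"
        digest = _hash(new, self.salt)
        if digest in self.history:
            return False, "password reused within last 24 generations"
        self.history.append(digest)
        del self.history[:-HISTORY_DEPTH]   # drop anything older than 24 generations
        self.last_change = now
        return True, "ok"


def cycle_back_to_original(enforce_min_age: bool, interval_minutes: int) -> Tuple[bool, int]:
    """Simulate a user who sets a password, changes it 24 more times at a fixed
    interval, then tries to set the original again.
    Returns (original accepted again?, minutes elapsed from the first change)."""
    start = datetime(2024, 1, 1, 9, 0)                # constructed timestamp
    step = timedelta(minutes=interval_minutes)
    acct = Account(enforce_min_age=enforce_min_age)
    acct.change_password("Original-1A", start)        # constructed sample password
    now = start
    for i in range(HISTORY_DEPTH):
        now += step
        acct.change_password(f"Throwaway-{i}A!", now)  # may be rejected under min age
    now += step
    accepted, _ = acct.change_password("Original-1A", now)
    return accepted, int((now - start).total_seconds() // 60)


if __name__ == "__main__":
    # History only, one change per minute: back to the original in 25 minutes.
    print("no min age, 1/min :", cycle_back_to_original(False, 1))
    # Min age enforced, one change per minute: every attempt is refused.
    print("min age,    1/min :", cycle_back_to_original(True, 1))
    # Min age enforced, one change per day: the same trick now takes 25 days.
    print("min age,    1/day :", cycle_back_to_original(True, 24 * 60))
```

The minimum-age check deliberately runs before the history check, so a too-early change is refused regardless of which password is offered; the history stays intact and the original password cannot be recycled until 24 genuine, day-spaced generations have gone by.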

The only thing it has is to set the password expiry days (e.g. enter 1) and configure an email reminder for the end user. The other option you can use is to check the option "user must change password on next logon" inside the internal user identity store.

~Jatin

Thanks, but that setting (with a 1) will mean the password is only good for one day and then they have to change it...which means in a single month a user will need to change their password 28, 30, or 31 times.

I am looking to have them not be allowed to change their password more than 1 time a day, not to have the password good for only one day.

Thanks for replying, though!

Then why don't we use the feature "user must change password on next logon"? This way they will be able to change their password the very first time they log in and that's it. Is that not suiting your requirement?

~Jatin

What is to stop them from changing the password 5 times back to back?

If this is going to be prompted by a device like a switch/router, then they have no control over it. If they have access to the User Changeable Password (UCP) link and they remember their previous password, then I agree we can't stop them.

So the next question is, how do you want them to change their password for the first time?

~Jatin

Right now they can do either one, but I can limit them to using a router only.  How can I prevent them from changing the password two or more times in a single day if I use the router method only?

All the user has to do is SSH / Telnet to a router, enter their username, and hit ENTER instead of typing in their current password and it will prompt them to change their password.

What would prevent them from doing that twice or more times in a row?

Cool! When you create a user account on ACS, please check the option "user must change password". Now when the user establishes a session on the router via telnet / ssh, they will be prompted to change their password (this would happen just once). The option you checked while creating the account will go off. Hence they will be prompted only once unless you go and check that option again in ACS for a specific user.

~Jatin

How does that prevent them from connecting to a router, typing their username, and hitting ENTER instead of typing their password?  If they do that, it will prompt them to change their password right then.

This can be done over and over again, two or more times in a single day.  The IRS requires a limit that a password can only be changed one time a day and no more.