
ASA Local User Password Policy

aniketalashe
Level 1

Hi All,

We have an ASA with local admin users with different privilege levels (1 to 15). We have received a recommendation to configure a password policy as part of a configuration review.

Could you help me understand whether the password policy applies to local admin accounts as well?

PASSWORD-POLICY LIFETIME 30
PASSWORD-POLICY MINIMUM-CHANGES 4
PASSWORD-POLICY MINIMUM-UPPERCASE 1
PASSWORD-POLICY MINIMUM-LOWERCASE 1
PASSWORD-POLICY MINIMUM-NUMERIC 1

Thank you.

Regards,
Aniket


Hi, according to this documentation the answer is yes.

Link: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#88174

See the chapter "Configuring a Password Policy for Local Database Users".

Regards.

Marvin Rhoads
Hall of Fame

I know a lot of auditors are making those recommendations these days since it's in the standard scanning tools' security checks.

Personally I prefer to push back on this one. I'm of the opinion that the right place to enforce a password policy with 30-day expiration is the external authentication server's backend identity store (i.e. a RADIUS or TACACS server referencing Active Directory). Make the LOCAL method fallback only and use a strong password that's securely stored externally (like in a shared LastPass database secured with 2FA).

The local user credentials on the ASA should be seldom if ever used (only when the external authentication server is down). If they expire after 30 days you won't be able to get in when you need it most.

Is there any password policy that comes by default? If yes, where can we see the configured policy? If no, is it possible to check somewhere that shows no policy/minimum requirements are configured?

You can see the default password policy using "show run all | i password-policy". The "all" keyword displays otherwise hidden defaults.

Here's an example:

# show run all | i password-policy
password-policy minimum-length 3
password-policy minimum-changes 0
password-policy minimum-lowercase 0
password-policy minimum-uppercase 0
password-policy minimum-numeric 0
password-policy minimum-special 0
password-policy lifetime 0
no password-policy authenticate-enable
no password-policy username-check
no password-policy reuse-interval
#


It worked. Thank you Marvin.
