Solved: Password Complexity for local accounts on ASA and Routers

Bmodlin · ‎12-01-2017

I know it is possible to set minimum password length on these devices, but can we configure password complexity options for local accounts on an ASA 5508 and/or an IOS router (i.e. ISR 4321)?

I am in the middle of an audit, and need to provide official proof if it is not possible.

Marvin Rhoads · ‎12-01-2017

Here's how to set password complexity on IOS:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html#GUID-F1D04ED0-FE16-4A0A-817E-DF9F222A617D

and on ASA:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1711061

Ideally you would be using external authentication tied back to your AD or other enterprise identity source and the local credential would only be for fallback purposes.

View solution in original post

Flavio Miranda · ‎12-01-2017

Hi @Bmodlin

Refers to this link:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1711061

-If I helped you somehow, please, rate it as useful.-

Marvin Rhoads · ‎12-01-2017

Here's how to set password complexity on IOS:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html#GUID-F1D04ED0-FE16-4A0A-817E-DF9F222A617D

and on ASA:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1711061

Ideally you would be using external authentication tied back to your AD or other enterprise identity source and the local credential would only be for fallback purposes.