Beginner

Enforce password complexity for local users

Is it possible to enforce password complexity for users local to Cisco ASA firewalls and/or IOS devices? Not by going through an AAA server, but local users configured within the ASA/IOS itself?

I apologize if this is not the correct forum to ask this question.

Accepted Solution

Cisco Employee

Enforce password complexity for local users

Hi,

I don't think it is possible.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

6 REPLIES 6

Beginner

Enforce password complexity for local users

When does Cisco plan on implementing password complexity enforcement on local accounts for IOS/CatOS in support of NERC CIP-007 R5.3? For the utility industry, it's getting to the point that if the gear can't meet certain CIP requirements, we'll find a vendor who can.

Beginner

Enforce password complexity for local users

A little late to the game here, but this feature is actually implemented in IOS. See below.

IOS Security Command Reference - aaa password restriction

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1080825

Product Security Baseline: Password Encryption and Complexity Restrictions

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_sec_4cli.html#wp1068022

Please note that you can use an external password management system. This is typically what is deployed when there are security restrictions required for passwords. An external AAA system (TACACS+, RADIUS, Active Directory, etc.) is always preferred when possible.

Thanks,

Brendan

Beginner

Enforce password complexity for local users

Thanks Brendan. Do you know if this will be available on the ASAs? Like the gentleman from Entergy said, it's required for NERC CIP even on local accounts. And yes, many in the utility industry are getting impatient with all vendors who are slow to help us meet compliance. Do you realize every entity who has a Cisco ASA has to fill out and submit forms, every quarter, stating that our firewall's local accounts don't meet password complexity requirements? I'm very happy to see this in IOS; that's half the battle, for now.

Beginner

Enforce password complexity for local users

I haven't heard anything about the ASA implementing this for local passwords. The best avenue for feature enhancement requests is through your Cisco Account Team. If you don't have an account team, your Partner should help to put you in touch with them.

The way I read 5.3, it is best effort from the software standpoint. Your organization should follow these guidelines regardless of enforcement by the device. A centrally located authentication server with complex password requirements is the real solution.

R5.3 At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible:

  R5.3.1. Each password shall be a minimum of six characters.
  R5.3.2. Each password shall consist of a combination of alpha, numeric, and "special" characters.
  R5.3.3. Each password shall be changed at least annually, or more frequently based on risk.

Thanks,

Brendan

Beginner

Enforce password complexity for local users

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp580804

It looks like ASA 8.4(4) will comply with CIP-007-3 R5.

The IOS complexity setting does not, though (it's the same as the Windows complexity settings, which require 3 of the 4 upper/lower/special/number; CIP requires one alpha, one numeric, one special). The ASA settings appear to be granular enough to meet the requirement. I haven't tested it though; I will the week of June 4.

brquinn, thanks for the laugh, but the "where technically feasible" (or WTF) clause does not mean you can just ignore it if your software doesn't support it. When the WTF clause is invoked, the utility is required to file a Technical Feasibility Exception, or TFE. You want to send shivers down a utility compliance or IT person's spine? Just mention TFEs. Some utilities have one or more people dedicated to filing and updating TFEs, which have to be refiled every quarter.
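As an added example (not code from this thread, from Cisco, or from NERC), here is a small Python check that models the two rule sets the post above contrasts: the CIP-007-3 R5.3 requirement as quoted earlier in the thread (at least six characters, with at least one alpha, one numeric and one special character) versus a Windows-style "3 of the 4 classes" rule; the minimum length applied to the 3-of-4 rule is an assumed parameter, since the thread does not state one.

```python
import re

# Character classes used by both rule sets. "special" is anything that is
# not a letter or digit, which is an assumption about how the devices classify it.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def present_classes(pw):
    """Return the set of character classes that occur in pw."""
    return {name for name, rx in CLASSES.items() if rx.search(pw)}


def meets_cip_r53(pw):
    """CIP-007-3 R5.3 as quoted in the thread: >= 6 chars and alpha AND numeric AND special."""
    classes = present_classes(pw)
    has_alpha = bool(classes & {"upper", "lower"})
    return len(pw) >= 6 and has_alpha and "digit" in classes and "special" in classes


def meets_three_of_four(pw, min_length=6):
    """Windows-style complexity: any 3 of the 4 classes. min_length=6 is an assumed value."""
    return len(pw) >= min_length and len(present_classes(pw)) >= 3


def compare(pw):
    """Evaluate one candidate under both policies so the gap between them is visible."""
    return {"cip": meets_cip_r53(pw), "three_of_four": meets_three_of_four(pw)}


if __name__ == "__main__":
    # Constructed sample candidates, chosen to show where the two policies disagree.
    for candidate in ["Passw0rd", "Trouble-Ahead", "abc123!", "Ab1!"]:
        print(candidate, compare(candidate))
```

"Passw0rd" and "Trouble-Ahead" satisfy the 3-of-4 rule but fail R5.3 (no special character and no digit respectively), which is the gap the post describes.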