
minimum username/password requirements for 9300?

hmc2500
Level 1

I'm having trouble accessing a user account (2 characters) and password (4 characters) created on a 9300 switch. This exact account was working fine on a 3850 switch. Were any changes made as far as minimum requirements for user accounts?


Hi @hmc2500 

 Not per device but per IOS-XE version it is possible to establish credential policy.

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16-12/sec-usr-aaa-xe-16-12-book/sec-aaa-comm-criteria-pwd.html#GUID-CD4DDC3F-1DC1-467F-BC14-DD40BCC21A4D

 

 

enable
configure terminal
aaa new-model
aaa common-criteria policy policy-name
char-changes number
max-length number
min-length number
numeric-count number
special-case number
exit
username username common-criteria-policy policy-name password password
end

The switch is running IOS XE version 17.09.05.

I do see the policy is configurable:

username user1 common-criteria-policy policy1 password password1

We use local accounts, and not aaa.

Are these policies enabled by default?

Sorry, can you elaborate more?

MHM 

Richard Burts
Hall of Fame

I have a few questions which I hope might help us find the issue:

- The OP says "I'm having trouble accessing a user account".  Am I correct in assuming that this is when the user ID is attempting access to the switch? Or something else?

- When you attempt access with this user ID are any messages generated in the logs?

- Was this user ID/password manually configured or configured by cut and paste from some source?

- When the user ID was configured was there any response generated (in the configuration session or in syslog)?

- Can you do a show run and confirm that credentials are there as expected?

HTH

Rick

- The OP says "I'm having trouble accessing a user account".  Am I correct in assuming that this is when the user ID is attempting access to the switch? Or something else?

Yes, when the user id is attempting to access the switch

- When you attempt access with this user ID are any messages generated in the logs?

I see nothing related to the user in the logs.

- Was this user ID/password manually configured or configured by cut and paste from some source?

Manually

- When the user ID was configured was there any response generated (in the configuration session or in syslog)?

No syslog configured. I don't see anything in the logs locally on the switch.

- Can you do a show run and confirm that credentials are there as expected?

Yes, I can see it just like I can see the other local account that works fine. The account I'm having trouble with has a 2 character username and a 6 character password. The other local account that works has a 13 character username and 8 character password that has complex symbols included. 

Thank you for the additional information. It is helpful to know that the user name/password does show up in the current running config. And helpful to know that the other configured user name does work.

One of my thoughts in reading the OP was that perhaps there was some security policy involved (perhaps minimum number of characters, complex characters, etc). But if the user was manually configured, that there were no error messages when the user was configured, and that the user does show up in running config, then it is hard to believe that it was a policy violation.

I am wondering about the possibility that there was a mistake in entering the user/password (especially for the password perhaps an upper/lower case entry or a mistyped digit). Can you remove the current configured user, verify that it no longer shows up in running config, and then enter the user/password again?

HTH

Rick
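
An added example, not posted by anyone in the thread: a Python check over saved `show running-config` output that lists each local `username` and whether it is bound to a defined `aaa common-criteria policy`. The sample config is constructed, and the script assumes the running config uses the same keywords as the commands quoted in the replies above.

```python
import re

# Constructed sample of saved `show running-config` output (not the thread's switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa common-criteria policy policy1
 min-length 8
 numeric-count 1
 special-case 1
!
username user1 common-criteria-policy policy1 password 0 password1
username ab privilege 15 secret 9 $9$constructed
username netadmin common-criteria-policy missing1 secret 9 $9$constructed
"""

POLICY_RE = re.compile(r"^aaa common-criteria policy (\S+)")
USER_RE = re.compile(r"^username (\S+)(.*)$")
BIND_RE = re.compile(r"\bcommon-criteria-policy (\S+)")

def parse_policies(config):
    """Return {policy_name: {setting: value}} from the policy sub-mode blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = int(value) if value.isdigit() else value
        else:
            current = None  # left the indented policy block
    return policies

def audit_users(config):
    """Return {username: finding} for every local `username` line."""
    policies, findings = parse_policies(config), {}
    for m in filter(None, map(USER_RE.match, config.splitlines())):
        bind = BIND_RE.search(m.group(2))  # keyword may sit anywhere on the line
        if bind is None:
            findings[m.group(1)] = "no policy bound"
        elif bind.group(1) not in policies:
            findings[m.group(1)] = f"policy {bind.group(1)} not defined"
        else:
            findings[m.group(1)] = f"policy {bind.group(1)}: {policies[bind.group(1)]}"
    return findings

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_CONFIG).items():
        print(f"{user:10} {finding}")
```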