07-26-2024 09:18 AM
I'm having trouble accessing a user account (2 characters) and password (4 characters) created on a 9300 switch. This exact account was working fine on a 3850 switch. Were any changes made as far as minimum requirements for user accounts?
07-26-2024 09:37 AM - edited 07-26-2024 09:38 AM
Hi @hmc2500
Not per device but per IOS-XE version it is possible to establish credential policy.
enable
configure terminal
aaa new-model
aaa common-criteria policy policy-name
char-changes number
max-length number
min-length number
numeric-count number
special-case number
exit
username username common-criteria-policy policy-name password password
end
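An added example, not part of the original thread and not Cisco tooling: a Python script that reads saved `show running-config` text and reports which local usernames reference a common-criteria policy, along with that policy's `min-length`. The sample config, policy name, usernames and values are constructed, and the running-config layout (indented sub-commands under the policy line) is an assumption.

```python
import re

# Constructed sample in assumed running-config layout; all names/values are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa common-criteria policy policy1
 min-length 8
 max-length 32
 numeric-count 1
 special-case 1
!
username netadmin-core common-criteria-policy policy1 password 0 Example#2024
username ab password 0 abcd
"""

POLICY_RE = re.compile(r"^aaa common-criteria policy (\S+)")
# The policy keyword may follow other username options, so search lazily for it.
USER_RE = re.compile(r"^username (\S+)(?:.*? common-criteria-policy (\S+))?")

def parse_policies(config):
    """Return {policy_name: {setting: int}} from 'aaa common-criteria policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[1].isdigit():
                current[parts[0]] = int(parts[1])
        else:
            current = None  # left the policy block
    return policies

def audit_users(config):
    """Return {username: (policy_name_or_None, min_length_or_None)}."""
    policies = parse_policies(config)
    report = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            name, policy = m.groups()
            min_len = policies.get(policy, {}).get("min-length") if policy else None
            report[name] = (policy, min_len)
    return report

if __name__ == "__main__":
    for user, (policy, min_len) in audit_users(SAMPLE_CONFIG).items():
        print(f"{user}: policy={policy or 'none bound'} min-length={min_len}")
```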
07-26-2024 07:48 PM - edited 07-26-2024 07:56 PM
The switch is running IOS XE version 17.09.05.
I do see the policy is configurable:
username user1 common-criteria-policy policy1 password password1
We use local accounts, and not aaa.
Are these policies enabled by default?
07-26-2024 09:42 AM
Sorry, can you elaborate more?
MHM
07-27-2024 07:34 PM
I have a few questions which I hope might help us find the issue:
- The OP says "I'm having trouble accessing a user account". Am I correct in assuming that this is when the user ID is attempting access to the switch? Or something else?
- When you attempt access with this user ID are any messages generated in the logs?
- Was this user ID/password manually configured or configured by cut and paste from some source?
- When the user ID was configured was there any response generated (in the configuration session or in syslog)?
- Can you do a show run and confirm that credentials are there as expected?
07-28-2024 10:46 AM - edited 07-28-2024 10:48 AM
- The OP says "I'm having trouble accessing a user account". Am I correct in assuming that this is when the user ID is attempting access to the switch? Or something else?
Yes, when the user id is attempting to access the switch
- When you attempt access with this user ID are any messages generated in the logs?
I see nothing related to the user in the logs.
- Was this user ID/password manually configured or configured by cut and paste from some source?
Manually
- When the user ID was configured was there any response generated (in the configuration session or in syslog)?
No syslog configured. I don't see anything in the logs locally on the switch.
- Can you do a show run and confirm that credentials are there as expected?
Yes, I can see it just like I can see the other local account that works fine. The account I'm having trouble with has a 2 character username and a 6 character password. The other local account that works has a 13 character username and 8 character password that has complex symbols included.
07-28-2024 03:48 PM
Thank you for the additional information. It is helpful to know that the user name/password does show up in the current running config. And helpful to know that the other configured user name does work.
One of my thoughts in reading the OP was that perhaps there was some security policy involved (perhaps minimum number of characters, complex characters, etc.). But if the user was manually configured, that there were no error messages when the user was configured, and that the user does show up in running config, then it is hard to believe that it was a policy violation.
I am wondering about the possibility that there was a mistake in entering the user/password (especially for the password perhaps an upper/lower case entry or a mistyped digit). Can you remove the current configured user, verify that it no longer shows up in running config, and then enter the user/password again?