Password Strength and Management for Common Criteria IOS XE

fuhrersk8
Level 3

Hello;

 

Is there a way to implement Password Strength and Management for Common Criteria while retaining the secret password?

 

If not, how can a minimum password length be enforced in IOS XE 17.3.3?

 

Thanks for your support.

Regards, 


balaji.bandi
Hall of Fame

Most network devices are managed with TACACS / RADIUS (which in turn connect to AD or other sources); that source can define what length the password should be.

If you are looking at local accounts (we use them most of the time as a fallback, not many accounts, only the critical fallback is used here):

Some reference for local accounts:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16-10/sec-usr-aaa-xe-16-10-book/sec-aaa-comm-criteria-pwd.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Correct.

We need to enforce password strength for our fallback local account as part of our security policy.

Local account is used only when TACACS+ fails.

Is there a way to implement this with secret passwords?

Thanks.

 

Is there a way to implement this with secret passwords?

 

 

The above document provides the steps.

BB


Hello and thank you;

This is my problem:

“For local users that have been defined using the username username common-criteria-policy policy-name secret 5|8|9 commands, they are not evaluated against the password common criteria. Only the common criteria lifetime is applied to the username.”


How to enforce password strength when using secret instead of password?

We use secret and need to enforce password strength for local users. Is there a way?

Hope this helps.

Hello


@fuhrersk8 wrote:


“For local users that have been defined using the username username common-criteria-policy policy-name secret 5|8|9 commands, they are not evaluated against the password common criteria. Only the common criteria lifetime is applied to the username.” <-- not sure what this means TBH

 

If not, how can a minimum password length be enforced in IOS XE 17.3.3?

 


FYI

password encryption aes
key config-key password-encrypt
username xxx privilege 15 algorithm-type scrypt secret xxxxx  < type 9>
security authentication failure rate x log
security passwords min-length x
aaa authentication attempts login x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks Paul;

Even with Type 9 passwords, the common criteria will not be applied as per the documentation.
On the other hand, we do not want to rely on a master key for encryption. Trying to simplify things.

I may be missing the point, please correct me if I'm wrong.

Thanks.
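
Added example (not part of the thread and not Cisco's code): a small Python audit that reads a running-config and marks which local users fall under the limitation quoted above from the documentation, where a `common-criteria-policy` user defined with `secret` only gets the policy lifetime applied. The sample configuration, user names, policy name and status labels are constructed for illustration, and treating `password`-defined policy users as evaluated is an assumption drawn from the contrast in the quoted sentence.

```python
import re

# Constructed sample running-config; user names, policy name and hashes are placeholders.
SAMPLE_CONFIG = """\
security passwords min-length 12
username fallback common-criteria-policy LOCAL-POL secret 9 $9$PLACEHOLDER
username legacy common-criteria-policy LOCAL-POL password 0 Placeholder-Pass1
username ops privilege 15 secret 9 $9$PLACEHOLDER
"""

MINLEN_RE = re.compile(r"^security passwords min-length\s+(\d+)\s*$")

def parse_user(line):
    """Return (name, policy, keyword, type) for a 'username' line, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "username":
        return None
    policy = keyword = ctype = None
    i = 2
    while i < len(tokens):
        if tokens[i] == "common-criteria-policy" and i + 1 < len(tokens):
            policy = tokens[i + 1]  # skip the name so a policy called "secret" is not misread
            i += 2
            continue
        if tokens[i] in ("secret", "password"):
            keyword = tokens[i]
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                ctype = int(tokens[i + 1])  # 5, 8 or 9 for secret in running-config
            break  # everything after this is the credential itself
        i += 1
    return tokens[1], policy, keyword, ctype

def audit(config_text):
    """Return (global_min_length, findings) for the local users in a running-config."""
    min_len, findings = None, []
    for line in config_text.splitlines():
        m = MINLEN_RE.match(line.strip())
        if m:
            min_len = int(m.group(1))
            continue
        user = parse_user(line)
        if user is None or user[2] is None:
            continue
        name, policy, keyword, ctype = user
        # "lifetime-only": policy bound to a secret, complexity not evaluated (quoted doc)
        status = ("lifetime-only" if policy and keyword == "secret"
                  else "policy-evaluated" if policy else "no-cc-policy")
        findings.append({"user": name, "policy": policy, "type": ctype, "status": status})
    return min_len, findings
```

Run `audit()` over the saved output of `show running-config`; a fallback account reported as `lifetime-only` is the case this thread is about.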