
Password complexity enforcement

I am looking for a way to enforce password complexity on the local passwords (not TACACS/ACS/RADIUS) on a router or a switch, i.e. enable password, username/password and so on require uppercase, lowercase, numeric, non-alphanumeric.... The requirement is I was able to find a few mentions of this not being possible but all the posts are a few years old. I thought I saw this feature available on IOS release 15.0 but I cannot find the article saying so any more. Does anyone know of a command that will allow me to do this?


John Blakley
VIP Alumni

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-aaa-comm-criteria-pwd.html#GUID-DD1BD8BD-BC5E-4DC1-B08C-F860D2C82AEF

It's supported, but I'm not sure what IOS/platform you're on...

HTH,
John

*** Please rate all useful posts ***


Hi John,

Really cool feature I wasn't aware of. +5 for this, man.

Regards

Alain

Don't forget to rate helpful posts.


Thanks Alain

HTH,
John

*** Please rate all useful posts ***


Even if we apply the given procedure, it does not force us to use the policy, as we can also configure a username and password without the policy applied. Surprisingly, a user without the policy applied will also be able to access the device.

Another drawback of configuring a password policy is that it supports only type 7 encrypted passwords.

Are there any options to enforce the policy while keeping the password secured with secret?

Hello

See if these are applicable?

security passwords min-length x
security authentication failure rate x log
enable secret xxxxx
aaa new-model
aaa authentication login secure
aaa authentication password-prompt backup_Passwd:
aaa authentication username-prompt backup_Username:
username ???? privilege 15 password xxxxx
ip domain-name xxxx.com
crypto key zero
crypto key generate rsa general-keys modulus 1024|2048
ip ssh time-out xx
ip ssh authentication-retries x
ip ssh version 2
line con
 login authentication secure
 exec-timeout x x
 transport output telnet
line aux 0
 login authentication secure
 exec-timeout x x
 transport output telnet
line vty 0 988
 login authentication secure
 transport input ssh
 exec-timeout x x
 absolute-timeout x x
login block-for 10 attempts 2 within 5

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.
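
To audit for the two gaps raised in the replies above (local users created without the policy, and users stored with `password` rather than `secret`), a saved running-config can be checked offline. This is an added example, not code from any poster or from Cisco; the sample config, user names, hashes and finding labels are constructed, and the `aaa common-criteria policy` / `username ... common-criteria-policy` syntax is assumed to match the linked AAA guide.

```python
import re

# Constructed running-config excerpt (not from the thread); all values are made up.
SAMPLE_CONFIG = """\
security passwords min-length 10
aaa new-model
aaa common-criteria policy STRONG
 min-length 12
 upper-case 1
 lower-case 1
 numeric-count 1
 special-case 1
username alice common-criteria-policy STRONG password 7 0000000000
username bob privilege 15 password 7 0000000000
username carol privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxxx
username dave common-criteria-policy MISSING password 7 0000000000
"""

def audit_local_users(config):
    """Return {username: [findings]} for every local `username` line."""
    # Policies actually defined in this config.
    policies = set(re.findall(r"^aaa common-criteria policy (\S+)", config, re.M))
    report = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "username":
            continue
        name, opts = tokens[1], tokens[2:]
        # Options come before the credential keyword; stop there so the
        # credential text itself is never mistaken for an option.
        cred = next((i for i, t in enumerate(opts) if t in ("password", "secret")),
                    len(opts))
        head = opts[:cred]
        findings = report.setdefault(name, [])
        if "common-criteria-policy" in head:
            idx = head.index("common-criteria-policy")
            policy = head[idx + 1] if idx + 1 < len(head) else None
            if policy not in policies:
                findings.append("policy-undefined")  # bound to a policy that is not defined
        else:
            findings.append("no-policy")  # complexity rules never applied to this user
        if cred < len(opts) and opts[cred] == "password":
            findings.append("password-not-secret")  # type 0/7 storage, not a one-way hash
    return report

if __name__ == "__main__":
    for user, findings in audit_local_users(SAMPLE_CONFIG).items():
        print(f"{user}: {', '.join(findings) or 'ok'}")
```
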

