Cisco Support Community

AAA Minimum Password Length Policy on Switch IOS 15.0 Only Works with Level 7 Passwords

I've been trying to configure a minimum password length policy on a 2960 switch running 15.0(2)SE2. The command "security passwords min-length x" that is so often offered as a solution for IOS switches and routers does not exist in 15.0SE for switches. The only thing I've found is the following document that explains how to create a password policy using the AAA "Common Criteria" configuration. This apparently is only a supported feature on IOS 15.0(2)SE and 15.1(1)SY. Pretty limited.

Per the above link, I created the following configuration that forces a minimum password length of six characters (max of 64), requiring a combination of at least 1 upper, 1 lower, 1 special-character, and 1 number.

aaa new-model
aaa authentication login default local
aaa common-criteria policy PassPolicy
 min-length 6
 max-length 64
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 2

The next step is to apply the policy to a user account with the following:

username myuser common-criteria-policy PassPolicy password mypassword

In the above example, the password 'mypassword' fails because it does not meet the policy 'PassPolicy', which is good. The only way you can tell that it fails is that the new user account doesn't show up in the config. The following example will comply with the policy and add the account:

username myuser common-criteria-policy PassPolicy password Th3G00dP@ssw0rd

But this only works if you're using Level 7 easily crackable passwords. In my environment, we use the username 'secret' keyword for stronger encryption. I've found that this ignores the password policy and will add the username anyway, regardless of the password you use. For example:

username myuser common-criteria-policy PassPolicy secret mypassword

The switch will ignore your policy and add the account anyway. So basically, if you want to enforce a password policy on a Cisco switch, you have to sacrifice your stronger password encryption to do it!

Would love to see Cisco resolve this. Many compliance auditors are wanting to see password enforcements on switches nowadays, along with strong password encryption. If anyone knows a workaround or solution to this (other than using a TACACS+ or RADIUS server), please share. Thanks!
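Since the switch skips the common-criteria check for 'secret' users, one defensive stopgap is to apply the same PassPolicy rules offline before an account is pushed to the config. The script below is an added example, not code from the original post or from Cisco: it parses the policy block exactly as written above and checks candidate passwords against it. The handling of char-changes (counting positions that differ from the previous password) is an assumption about how IOS interprets that keyword.

```python
import re
from typing import Dict, List

# Constructed sample: the PassPolicy block from the post, as it appears in the running config.
POLICY_TEXT = """
aaa common-criteria policy PassPolicy
 min-length 6
 max-length 64
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 2
"""

POLICY_KEYS = ("min-length", "max-length", "numeric-count",
               "upper-case", "lower-case", "special-case", "char-changes")
POLICY_RE = re.compile(r"\s*(%s)\s+(\d+)\s*$" % "|".join(POLICY_KEYS))


def parse_policy(text: str) -> Dict[str, int]:
    """Extract the numeric parameters of an 'aaa common-criteria policy' block."""
    policy: Dict[str, int] = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy[m.group(1)] = int(m.group(2))
    return policy


def check_password(pw: str, policy: Dict[str, int], old_pw: str = "") -> List[str]:
    """Return the policy rules the candidate violates; an empty list means compliant."""
    failures: List[str] = []
    if len(pw) < policy.get("min-length", 0):
        failures.append("min-length")
    if len(pw) > policy.get("max-length", 10 ** 9):
        failures.append("max-length")
    counts = {
        "numeric-count": sum(c.isdigit() for c in pw),
        "upper-case": sum(c.isupper() for c in pw),
        "lower-case": sum(c.islower() for c in pw),
        "special-case": sum(not c.isalnum() for c in pw),
    }
    for rule, have in counts.items():
        if have < policy.get(rule, 0):
            failures.append(rule)
    # Assumption: char-changes is the number of character positions that differ
    # from the previous password (extra or missing trailing characters count too).
    if old_pw and policy.get("char-changes"):
        diffs = sum(a != b for a, b in zip(pw, old_pw)) + abs(len(pw) - len(old_pw))
        if diffs < policy["char-changes"]:
            failures.append("char-changes")
    return failures
```

Running check_password on the two passwords from the post reproduces the switch's behaviour: 'mypassword' is rejected and 'Th3G00dP@ssw0rd' is accepted, regardless of whether the account will be created with 'password' or 'secret'.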
