AAA Minimum Password Length Policy on Switch IOS 15.0 Only Works with Level 7 Passwords
I've been trying to configure a minimum password length policy on a 2960 switch running 15.0(2)SE2. The command "security passwords min-length x" that is so often offered as a solution for IOS switches and routers does not exist in 15.0SE for switches. The only thing I've found is the following document that explains how to create a password policy using the AAA "Common Criteria" configuration. This apparently is only a supported feature on IOS 15.0(2)SE and 15.1(1)SY. Pretty limited.
Per the above link, I created the following configuration that forces a minimum password length of six characters (max of 64), requiring a combination of at least 1 upper, 1 lower, 1 special-character, and 1 number.
aaa authentication login default local
aaa common-criteria policy PassPolicy
The next step is to apply the policy to a user account with the following:
In the above example, the password 'mypassword' fails because it does not meet the policy 'PassPolicy', which is good. The only way you can tell that it fails is that the new user account doesn't show up in the config. The following example will comply with the policy and add the account:
But this only works if you're using Level 7 easily crackable passwords. In my environment, we use the username 'secret' keyword for stronger encryption. I've found that this ignores the password policy and will add the username anyway, regardless of the password you use. For example:
The switch will ignore your policy and add the account anyway. So basically, if you want to enforce a password policy on a Cisco switch, you have to sacrifice your stronger password encryption to do it!
Would love to see Cisco resolve this. Many compliance auditors are wanting to see password enforcements on switches nowadays, along with strong password encryption. If anyone knows a workaround or solution to this (other than using a TACACS+ or RADIUS server), please share. Thanks!
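As an added example that is not part of the original post: since the post reports that the common-criteria policy is not applied when an account is created with 'username ... secret', the same rules (6 to 64 characters, at least one upper-case, one lower-case, one numeric and one special character) can be checked locally before the secret is committed to the switch. The script below does that, and also emits the policy block from the same parameters so the two stay in step. The sub-command keywords it emits (min-length, max-length, upper-case, lower-case, numeric-count, special-case) are my recollection of the AAA Common Criteria feature and are an assumption to verify against your IOS release; what IOS counts as a "special" character may also differ from the simple non-alphanumeric test used here.

```python
"""Local pre-check for the password rules described in the post.

Added example, not code from the original post or from Cisco. It mirrors
the policy the post describes so a password can be validated before it is
configured with 'username ... secret', which the post says bypasses the
switch-side policy. The IOS keyword names in ios_policy_config() are an
assumption (verify on your release).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Defaults match the policy described in the post: 6-64 chars,
    # at least one of each character class.
    name: str = "PassPolicy"
    min_length: int = 6
    max_length: int = 64
    upper_case: int = 1
    lower_case: int = 1
    numeric_count: int = 1
    special_case: int = 1


def check_password(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than min-length {policy.min_length}")
    if len(pw) > policy.max_length:
        problems.append(f"longer than max-length {policy.max_length}")

    # Count each character class. Anything printable that is neither a
    # letter nor a digit is treated as "special" here (assumption: IOS may
    # define the special-character set differently).
    counts = {
        "upper-case": sum(c.isupper() for c in pw),
        "lower-case": sum(c.islower() for c in pw),
        "numeric-count": sum(c.isdigit() for c in pw),
        "special-case": sum((not c.isalnum()) and c.isprintable() for c in pw),
    }
    required = {
        "upper-case": policy.upper_case,
        "lower-case": policy.lower_case,
        "numeric-count": policy.numeric_count,
        "special-case": policy.special_case,
    }
    for rule, needed in required.items():
        if counts[rule] < needed:
            problems.append(f"{rule} needs {needed}, has {counts[rule]}")
    return problems


def ios_policy_config(policy: PasswordPolicy = PasswordPolicy()) -> str:
    """Render the policy as an IOS config block (keyword names assumed)."""
    lines = [
        f"aaa common-criteria policy {policy.name}",
        f" min-length {policy.min_length}",
        f" max-length {policy.max_length}",
        f" upper-case {policy.upper_case}",
        f" lower-case {policy.lower_case}",
        f" numeric-count {policy.numeric_count}",
        f" special-case {policy.special_case}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs: the post's failing example and a
    # compliant one (the compliant value is made up for illustration).
    for candidate in ("mypassword", "MyP@ssw0rd"):
        result = check_password(candidate)
        status = "OK" if not result else "REJECT: " + "; ".join(result)
        print(f"{candidate!r}: {status}")
    print(ios_policy_config())
```

Run the check on the intended secret first; only when it returns an empty list is the account created with 'username ... secret', so the stronger hash is kept without giving up the length and complexity rules.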