AAA password security
for FIPS compliance consists of these policies:
Passwords can be
composed of any combination of upper- and lower-case letters, numbers and the
following special characters: "!", "@", "#", "$", "%", "^", "&", "*",
"(", and ")". The security administrator can also set the types and number of
required characters that make up the password, which gives more flexibility in
the password composition rules. The minimum number of characters that must
change between the old and the new password is 4 by default. There is no upper
limit on the number of uppercase, lowercase, numeric and special characters.
The security administrator can set the minimum and maximum length of the
password. The minimum configurable length in a password policy is 2, and the
maximum length is 253.
The security administrator can configure a maximum lifetime for the password;
the value can be specified in years, months, days, hours, minutes and seconds.
If this parameter is not configured, the password never expires. The
configuration remains intact after a system reload, but the password creation
time is reset to the time of the reboot, so a reload effectively restarts the
password clock. For example, if a password is configured with a lifetime of one
month and the system reboots on the 29th day, the password remains valid for
one more month after the reboot. Once the configured lifetime expires, further
action is taken based on the password expiry policy (see the section on
Password Expiry Policy).
If the password
of a user who is trying to log in has already expired, the following actions
occur:
The user is prompted to set a new password after successfully entering the
expired password. The new password is validated against the password security
policy.
If the new password complies with the password security policy, the AAA
database is updated and authentication is done with the new password.
If the new password does not comply with the password security policy, the
attempt is treated as an authentication failure and the user is prompted again
to enter a new password. The maximum number of such attempts is controlled by
the login clients; AAA imposes no restriction of its own.
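The composition, length, lifetime and expired-login rules above, modelled as an added example. This is illustrative Python written for this page, not Cisco IOS XR code; the class and field names, the plaintext password store and the "characters changed" metric (differing positions plus the length difference, which the page does not define) are assumptions made for the illustration.

```python
"""Added example (not Cisco IOS XR code): a model of the composition, length,
lifetime and expired-login rules described above. Class and field names are
assumptions made for this illustration."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SPECIALS = set('!@#$%^&*()')                      # the ten permitted specials
ALLOWED = set('abcdefghijklmnopqrstuvwxyz'
              'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') | SPECIALS


def char_change(old: str, new: str) -> int:
    """Assumed metric for 'characters changed': differing positions plus the
    length difference. The page does not define the exact metric."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


@dataclass
class PasswordPolicy:
    min_length: int = 2           # smallest configurable minimum
    max_length: int = 253         # largest configurable maximum
    min_upper: int = 0
    min_lower: int = 0
    min_numeric: int = 0
    min_special: int = 0
    min_char_change: int = 4      # default minimum change between passwords
    lifetime: Optional[timedelta] = None   # None: the password never expires

    def violations(self, new: str, old: Optional[str] = None) -> list:
        """Every rule the candidate breaks; an empty list means compliant."""
        if not 2 <= self.min_length <= self.max_length <= 253:
            raise ValueError("length bounds must satisfy 2 <= min <= max <= 253")
        errs = []
        bad = sorted(set(new) - ALLOWED)
        if bad:
            errs.append(f"disallowed characters: {bad}")
        if not self.min_length <= len(new) <= self.max_length:
            errs.append(f"length {len(new)} outside [{self.min_length}, {self.max_length}]")
        counts = {"uppercase": sum(c.isupper() for c in new),
                  "lowercase": sum(c.islower() for c in new),
                  "numeric": sum(c.isdigit() for c in new),
                  "special": sum(c in SPECIALS for c in new)}
        minimums = {"uppercase": self.min_upper, "lowercase": self.min_lower,
                    "numeric": self.min_numeric, "special": self.min_special}
        for kind, need in minimums.items():
            if counts[kind] < need:
                errs.append(f"need {need} {kind}, found {counts[kind]}")
        if old is not None and char_change(old, new) < self.min_char_change:
            errs.append(f"fewer than {self.min_char_change} characters changed")
        return errs


@dataclass
class UserRecord:
    name: str
    password: str                 # plaintext only because this is a toy model
    policy: PasswordPolicy
    created: datetime             # reset to the boot time on every reload

    def expired(self, now: datetime) -> bool:
        if self.policy.lifetime is None:
            return False
        return now >= self.created + self.policy.lifetime

    def on_reload(self, boot_time: datetime) -> None:
        """The creation time is refreshed on reboot, so the lifetime restarts."""
        self.created = boot_time


def authenticate(user: UserRecord, supplied: str, now: datetime,
                 new_password: Optional[str] = None) -> str:
    """Login flow: FAIL on a wrong password; OK if valid and unexpired;
    EXPIRED if the caller must prompt for a replacement; a non-compliant
    replacement is an authentication failure, a compliant one is stored."""
    if not hmac.compare_digest(user.password.encode(), supplied.encode()):
        return "FAIL"
    if not user.expired(now):
        return "OK"
    if new_password is None:
        return "EXPIRED"
    if user.policy.violations(new_password, old=user.password):
        return "FAIL"
    user.password = new_password
    user.created = now
    return "OK"


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, min_upper=1, min_numeric=1,
                            min_special=1, lifetime=timedelta(days=30))
    t0 = datetime(2024, 6, 1)
    u = UserRecord("user12", "Abcdef1!", policy, created=t0)
    print(authenticate(u, "Abcdef1!", t0 + timedelta(days=31)))             # EXPIRED
    print(authenticate(u, "Abcdef1!", t0 + timedelta(days=31), "Abcdef2!"))  # FAIL
    u.on_reload(t0 + timedelta(days=29))   # reboot on day 29 restarts the clock
    print(authenticate(u, "Abcdef1!", t0 + timedelta(days=31)))             # OK
```

The `on_reload` call reproduces the page's one-month example: a reboot on day 29 makes the same password valid for a further month, which is worth remembering when auditing how long a credential has really been in service.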
As part of the password
expiry policy, if no lifetime has been configured for a user who is already
logged in, and the security administrator then configures a lifetime for that
user, the lifetime is stored in the database. The system checks for password
expiry on the next authentication of that user.
Password expiry is
checked only during the authentication phase. If the password expires after the
user has been authenticated and logged in to the system, no action is taken;
the user is prompted to change the password only at the next authentication of
the same user.
Debug logs and
syslog are printed for the user password expiry only when the user attempts to
login. This is a sample syslog in the case of password expiry:
RP/0/RSP1/CPU0:Jun 21 09:13:34.241 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_EXPIRED :
Password for user 'user12' has expired.
Users cannot change
passwords at will. A password change is triggered in these scenarios:
The security administrator needs to change the password.
The user is trying to get authenticated using a profile and the password for
the profile has expired.
The security administrator modifies the password policy associated with the
user and does not immediately change the password according to the new policy.
You can use the
failed command to display the error messages when the password
entered does not comply with the password policy configurations.
When the security
administrator changes the password security policy and an existing profile no
longer meets the password security rules, no action is taken if the user is
already logged in to the system. In this scenario, the user is prompted to
change the password when he next tries to get authenticated using the profile
that does not meet the rules.
When the user
changes the password, the lifetime of the new password remains the same as the
lifetime that the security administrator set for the old profile.
If the password expires for non-interactive clients (such as dot1x), an
appropriate error message is sent to the client. Such clients must contact the
security administrator to have the password renewed.
Provision after Authentication
The basic AAA local
authentication feature ensures that no service is performed before a user is
authenticated. A user is
re-authenticated when he changes the password. When a user changes an expired
password, the login succeeds with the new password, but the actual
authentication is based on the previous (expired) credential; the new password
is then written to the database.
Authentication Lockout Policy
AAA provides a
configuration option, authen-max-attempts, to restrict users who try to
authenticate using invalid login credentials. This option sets the maximum
number of permissible authentication failures for a user. A user who exceeds
this limit is locked out until the lockout timer (lockout-time) expires. If the
user attempts to log in while locked out, the lockout expiry time is pushed
forward from the time of the latest attempt, so continuous attempts keep the
account locked.
This is a sample syslog when a user is locked out:
RP/0/RSP1/CPU0:Jun 21 09:21:28.226 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_LOCKED :
User 'user12' is temporarily locked out for exceeding maximum unsuccessful logins.
This is a sample syslog when user is unlocked for authentication:
RP/0/RSP1/CPU0:Jun 21 09:14:24.633 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_UNLOCKED :
User 'user12' is unlocked for authentications.
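The lockout behaviour described under Authentication Lockout Policy, together with a parser for the three locald syslog messages quoted on this page (the expiry message above and the locked/unlocked pair here), as an added example. This is illustrative Python written for this page, not Cisco IOS XR code; the class names, the reading of "exceeds the maximum" as locking on the (max+1)th failure, and the sample log lines (constructed copies of the page's own messages) are assumptions made for the illustration.

```python
"""Added example (not Cisco IOS XR code): a model of the authen-max-attempts /
lockout-time behaviour described above, and a parser for the locald syslog
lines shown on this page. Names are assumptions made for this illustration."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    authen_max_attempts: int      # permitted consecutive failures
    lockout_time: timedelta       # how long a locked user stays locked


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> lockout expiry

    def record_attempt(self, user: str, success: bool, now: datetime) -> str:
        """Outcome of one attempt: OK, FAIL or LOCKED."""
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                # An attempt while locked restarts the timer from this attempt,
                # so continuous guessing keeps the account locked.
                self.locked_until[user] = now + self.policy.lockout_time
                return "LOCKED"
            del self.locked_until[user]      # timer lapsed: user is unlocked
            self.failures[user] = 0
        if success:
            self.failures[user] = 0
            return "OK"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > self.policy.authen_max_attempts:
            # "exceeds the maximum" as the page words it: the (max+1)th failure locks
            self.locked_until[user] = now + self.policy.lockout_time
            return "LOCKED"
        return "FAIL"


# Shape of the locald messages quoted on this page:
# <node>:<timestamp> : locald_DSC: %SECURITY-LOCALD-<sev>-<MNEMONIC> : <text>
LOCALD_RE = re.compile(
    r"^(?P<node>[^:]+):(?P<ts>.+?) : locald_DSC: "
    r"%SECURITY-LOCALD-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+) : (?P<text>.*)$")
USER_RE = re.compile(r"[Uu]ser '(?P<user>[^']+)'")


def parse_locald(line: str):
    """Return {'node','severity','mnemonic','user'} for a locald line, else None."""
    m = LOCALD_RE.match(line.strip())
    if not m:
        return None
    u = USER_RE.search(m["text"])
    return {"node": m["node"], "severity": int(m["sev"]),
            "mnemonic": m["mnemonic"], "user": u["user"] if u else None}


def lockout_events(lines):
    """Users reported as locked out (USER_PASSWD_LOCKED) in a batch of log lines."""
    return [e["user"] for e in map(parse_locald, lines)
            if e and e["mnemonic"] == "USER_PASSWD_LOCKED"]


# Constructed copies of the sample messages shown on this page (not live logs).
SAMPLE_LOGS = [
    "RP/0/RSP1/CPU0:Jun 21 09:13:34.241 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_EXPIRED : "
    "Password for user 'user12' has expired.",
    "RP/0/RSP1/CPU0:Jun 21 09:21:28.226 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_LOCKED : "
    "User 'user12' is temporarily locked out for exceeding maximum unsuccessful logins.",
    "RP/0/RSP1/CPU0:Jun 21 09:14:24.633 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_UNLOCKED : "
    "User 'user12' is unlocked for authentications.",
]

if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(authen_max_attempts=3,
                                           lockout_time=timedelta(minutes=5)))
    t0 = datetime(2024, 6, 21, 9, 0)
    for i in range(4):
        print(tracker.record_attempt("user12", False, t0 + timedelta(seconds=i)))
    print(tracker.locked_until["user12"])   # keeps moving on every further attempt
    print(lockout_events(SAMPLE_LOGS))      # ['user12']
```

Feeding the parsed USER_PASSWD_LOCKED events into a counter per user is a cheap way to spot password-guessing against a device, and the tracker shows why a locked account should not be "tested" with the correct password: every attempt, good or bad, extends the lock.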
Creation, Modification and Deletion
Security administrators with write permission for AAA tasks are allowed to
create password policies. Modification is allowed at any time, even when the
policy is associated with a user. Deletion of a password policy is not allowed
until the policy has been unconfigured from the user.
On modification of a password policy associated with a user, the security
administrator can decide whether to change the passwords of the associated
users so that they comply with the new policy. Based on this, there are two
scenarios:
If the security administrator configures the password, the user is not
prompted to change the password on next login.
If the security administrator does not configure the password, the user is
prompted to change the password on next login.
In either of the
above cases, at every password expiry interval, the user is prompted to change
the password on next login.
Debug messages are
printed when password policies are created, modified and deleted.