AAA password security for FIPS compliance consists of these policies:
Password Composition Policy
Passwords can be composed by any combination of upper and lower case alphabets, numbers and special characters that include:
"!", "@", "#", "$", "%", "^", "&", "*", "(", and ")". Security administrator can also set the types and number of required
characters that comprise the password, thereby providing more flexibility for password composition rules. The minimum number
of character change required between passwords is 4, by default. There is no restriction on the upper limit of the number
of uppercase, lowercase, numeric and special characters.
Password Length Policy
The administrator can set the minimum and maximum length of the password. The minimum configurable length in password policy
is 2, and the maximum length is 253.
Password Lifetime Policy
The administrator can configure a maximum lifetime for the password, the value of which can be specified in years, months,
days, hours, minutes and seconds. The configured password never expires if this parameter is not configured. The configuration
remains intact even after a system reload. But, the password creation time is updated to the new time whenever the system
reboots. For example, if a password is configured with a life time of one month, and if the system reboots on 29th day, then the password is valid for one more month after the system reboot. Once the configured lifetime expires, further
action is taken based on the password expiry policy (see the section on Password Expiry Policy).
Password Expiry Policy
If the password credential of a user who is trying to login is already expired, then the following actions occur:
User is prompted to set the new password after successfully entering the expired password.
The new password is validated against the password security policy.
If the new password matches the password security policy, then the AAA data base is updated and authentication is done with
the new password.
If the new password is not compliant with the password security policy, then the attempt is considered as an authentication
failure and the user is prompted again to enter a new password. The max limit for such attempts is in the control of login
clients and AAA does not have any restrictions for that.
As part of password expiry policy, if the life time is not yet configured for a user who has already logged in, and if the
security administrator configures the life time for the same user, then the life time is set in the database. The system checks
for password expiry on the subsequent authentication of the same user.
Password expiry is checked only during the authentication phase. If the password expires after the user is authenticated and
logged in to the system, then no action is taken. The user is prompted to change the password only during the next authentication
of the same user.
Debug logs and syslog are printed for the user password expiry only when the user attempts to login. This is a sample syslog
in the case of password expiry:
RP/0/RSP1/CPU0:Jun 21 09:13:34.241 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_EXPIRED :
Password for user 'user12' has expired.
Password Change Policy
Users cannot change passwords at will. A password change is triggered in these scenarios:
When the security administrator needs to change the password
When the user is trying to get authenticated using a profile and the password for the profile is expired
When the security administrator modifies the password policy which is associated to the user, and does not immediately change
the password according to the policy
You can use the show configuration failed command to display the error messages when the password entered does not comply with the password policy configurations.
When the security administrator changes the password security policy, and if the existing profile does not meet the password
security policy rules, no action is taken if the user has already logged in to the system. In this scenario, the user is prompted
to change the password when he tries to get authenticated using the profile which does not meet the password security rules.
When the user is changing the password, the lifetime of the new password remains same as that of the lifetime that was set
by the security administrator for the old profile.
When password expires for non-interactive clients (such as dot1x), an appropriate error message is sent to the clients. Clients
must contact the security administrator to renew the password in such scenarios.
Service Provision after Authentication
The basic AAA local authentication feature ensures that no service is performed before a user is authenticated.
User Re-authentication Policy
A user is re-authenticated when he changes the password. When a user changes his password on expiry, he is authenticated with
the new password. In this case, the actual authentication happens based on the previous credential, and the new password is
updated in the database.
User Authentication Lockout Policy
AAA provides a configuration option, authen-max-attempts , to restrict users who try to authenticate using invalid login credentials. This option sets the maximum number of permissible
authentication failure attempts for a user. The user gets locked out when he exceeds this maximum limit, until the lockout
timer ( lockout-time ) is expired. If the user attempts to login in spite of being locked out, the lockout expiry time keep advancing forward from
the time login was last attempted.
This is a sample syslog when user is locked out:
RP/0/RSP1/CPU0:Jun 21 09:21:28.226 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_LOCKED :
User 'user12’ is temporarily locked out for exceeding maximum unsuccessful logins.
This is a sample syslog when user is unlocked for authentication:
RP/0/RSP1/CPU0:Jun 21 09:14:24.633 : locald_DSC: %SECURITY-LOCALD-5-USER_PASSWD_UNLOCKED :
User 'user12' is unlocked for authentications.
Password Policy Creation, Modification and Deletion
Security administrators having write permission for AAA tasks are allowed to create password policy. Modification is allowed
at any point of time, even when the policy is associated to a user. Deletion of password policy is not allowed until the policy
is un-configured from the user.
After the modification of password policy associated with a user, security administrator can decide if he wants to change
passwords of associated users complying to the password policy. Based on this, there are two scenarios:
If the administrator configures the password, then the user is not prompted to change the password on next login.
If the administrator does not configure the password, then the user is prompted to change the password on next login.
In either of the above cases, at every password expiry interval, the user is prompted to change the password on next login.
Debug messages are printed when password policies are created, modified and deleted.