Restrictions for Password Strength and Management for Common Criteria
The Password Strength and Management for Common Criteria feature is used to specify password policies and security mechanisms for storing, retrieving, and providing rules to specify user passwords.
For local users, the user profile and the password information with the key parameters are stored on the Cisco device, and this profile is used for local authentication of users. The user can be an administrator (terminal access) or a network user (for example, PPP users being authenticated for network access).
For remote users, where the user profile information is stored in a remote server, a third-party authentication, authorization, and accounting (AAA) server may be used for providing AAA services, both for administrative and network access.
Only four concurrent users can log on to the system by using vty at any moment.
The following sections provide information on password strength and management.
The password composition policy allows you to create passwords from any combination of uppercase and lowercase characters, numbers, and the special characters !, @, #, $, %, ^, &, *, (, and ).
The administrator can set both the minimum and the maximum password length: the minimum can be as low as 1 character and the maximum as high as 64 characters. The recommended minimum password length is 8 characters.
The security administrator can configure a maximum lifetime for a password. If the lifetime parameter is not configured, the password never expires. The maximum lifetime is specified as a value in years, months, days, hours, minutes, and seconds. Because the lifetime is part of the configuration, it survives reloads; however, every time the system reboots, the password creation time is reset to the reboot time. For example, if a password is configured with a lifetime of one month and the system reboots on the 29th day, the password remains valid for one month after the reboot.
If the user attempts to log on and if the user's password credentials have expired, then the following happens:
The user is prompted to set the new password after successfully entering the expired password.
When the user enters the new password, the password is validated against the password security policy.
If the new password matches the password security policy, then the authentication, authorization, and accounting (AAA) database is updated, and the user is authenticated with the new password.
If the new password does not match the password security policy, then the user is prompted again for the password. From the AAA perspective, there is no restriction on the number of retries; the number of retries at the password prompt after unsuccessful authentication is controlled by the respective terminal access module. For example, for Telnet, the session is terminated after three unsuccessful attempts.
If no lifetime is configured for a user's password, the user is already logged on, and the security administrator then configures a lifetime for that user, the lifetime is stored in the database. The next time the same user authenticates, the system checks for password expiry. Password expiry is checked only during the authentication phase.
If the user has already authenticated and logged on to the system and the password then expires, no action is taken. The user is prompted to change the password only during the next authentication for the same user.
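The lifetime semantics described above (lifetime survives a reload, creation time is reset at reboot, expiry is checked only when the user authenticates, and the old lifetime carries over to a changed password) as an added simulation; this is example code, not Cisco's implementation, and it assumes a "month" of 30 days and a constructed password value:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LocalUserPassword:
    """A local user's password as the page describes it: the lifetime is part of
    the configuration, the creation time is not, and expiry is checked only at
    authentication time."""
    secret: str
    created: datetime
    lifetime: Optional[timedelta] = None  # None means the password never expires

    def reboot(self, now: datetime) -> None:
        # The lifetime survives the reload, but the creation time is reset to
        # the reboot time, so the expiry clock starts again.
        self.created = now

    def expires_at(self) -> Optional[datetime]:
        return None if self.lifetime is None else self.created + self.lifetime

    def authenticate(self, secret: str, now: datetime) -> str:
        """'ok', 'bad-password', or 'expired' (the expired password was accepted,
        so the user is now prompted for a new one)."""
        if secret != self.secret:
            return "bad-password"
        expiry = self.expires_at()
        if expiry is not None and now >= expiry:
            return "expired"
        return "ok"

    def change_password(self, new_secret: str, now: datetime) -> None:
        # The lifetime set for the old password carries over to the new one.
        self.secret = new_secret
        self.created = now


def simulate_login(login_day: int, reboot_day: Optional[int] = None,
                   lifetime_days: Optional[int] = 30, secret: str = "Pa55w0rd!#") -> str:
    """Constructed scenario: password set on day 0 (a 'month' is taken as 30 days),
    optional reboot on reboot_day, then a logon attempt with `secret` on login_day."""
    day0 = datetime(2024, 1, 1)
    pw = LocalUserPassword("Pa55w0rd!#", created=day0,
                           lifetime=None if lifetime_days is None else timedelta(days=lifetime_days))
    if reboot_day is not None:
        pw.reboot(day0 + timedelta(days=reboot_day))
    return pw.authenticate(secret, day0 + timedelta(days=login_day))
```

A device that reboots more often than the configured lifetime will therefore never report the password as expired, which is worth knowing when auditing local accounts.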
The new password must contain a minimum of 4 character changes from the previous password. A password change can be triggered by the following scenarios:
The security administrator wants to change the password.
The user is trying to get authenticated using a profile, and the password for that profile has expired.
When the security administrator changes the password security policy and the existing profile does not meet the password security policy rules, no action will be taken if the user has already logged on to the system. The user will be prompted to change the password only when the user tries to get authenticated using the profile that does not meet the password security restriction.
When the user changes the password, the lifetime parameters set by the security administrator for the old profile will be the lifetime parameters for the new password.
For noninteractive clients such as dot1x, when the password expires, appropriate error messages will be sent to the clients, and the clients must contact the security administrator to renew the password.
Users are reauthenticated when they change their passwords.
When users change their passwords on expiry, they will be authenticated against the new password. In such cases, the actual authentication happens based on the previous credentials, and the new password is updated in the database.
Note: Users can change their passwords only when they are logging on and after the expiry of the old password; however, a security administrator can change the user's password at any time.
When a client such as dot1x uses the local database for authentication, the Password Strength and Management for Common Criteria feature will be applicable; however, upon password expiry, clients will not be able to change the password. An appropriate failure message will be sent to such clients, and the user must request the security administrator to change the password.
The following sections provide information on configuring password strength and management.
To create a password security policy and to apply the policy to a specific user profile, perform this procedure.
Step | Command or Action | Purpose
---|---|---
1 | enable | Enables privileged EXEC mode. Enter your password if prompted.
2 | configure terminal | Enters global configuration mode.
3 | aaa new-model | Enables AAA globally.
4 | aaa common-criteria policy policy-name | Creates the AAA security password policy and enters common criteria configuration policy mode.
5 | char-changes number | (Optional) Specifies the number of changed characters between old and new passwords.
6 | max-length number | (Optional) Specifies the maximum length of the password.
7 | min-length number | (Optional) Specifies the minimum length of the password.
8 | numeric-count number | (Optional) Specifies the number of numeric characters in the password.
9 | special-case number | (Optional) Specifies the number of special characters in the password.
10 | exit | (Optional) Exits common criteria configuration policy mode and returns to global configuration mode.
11 | username username common-criteria-policy policy-name password password | (Optional) Applies a specific policy and password to a user profile.
12 | end | Returns to privileged EXEC mode.
To verify all the common criteria security policies, perform this procedure.
Step | Command or Action | Purpose
---|---|---
1 | enable | Enables privileged EXEC mode.
2 | show aaa common-criteria policy name policy-name | Displays the password security policy information for a specific policy.
3 | show aaa common-criteria policy all | Displays password security policy information for all the configured policies.
The following section provides a configuration example for password strength and management for common criteria.
The following example shows how to create a common criteria security policy and apply the specific policy to a user profile:
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa common-criteria policy policy1
Device(config-cc-policy)# char-changes 4
Device(config-cc-policy)# max-length 20
Device(config-cc-policy)# min-length 6
Device(config-cc-policy)# numeric-count 2
Device(config-cc-policy)# special-case 2
Device(config-cc-policy)# exit
Device(config)# username user1 common-criteria-policy policy1 password password1
Device(config)# end
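To make the composition rules concrete, here is an added validator (example code, not Cisco's implementation) that applies the policy1 values from the configuration above to candidate passwords; the allowed character set is the one listed in the composition policy, and the way "character changes" are counted is an assumption because the page does not define it:

```python
import string
from dataclasses import dataclass
from typing import List, Optional

# Special characters the page lists as allowed by the composition policy.
SPECIAL_CHARS = set("!@#$%^&*()")
ALLOWED_CHARS = set(string.ascii_letters + string.digits) | SPECIAL_CHARS


@dataclass(frozen=True)
class CommonCriteriaPolicy:
    """The knobs of an 'aaa common-criteria policy'; defaults are the page's 1..64 length bounds."""
    min_length: int = 1
    max_length: int = 64
    numeric_count: int = 0
    special_case: int = 0
    char_changes: int = 4


def count_changes(old: str, new: str) -> int:
    """Assumption (the page does not define how changes are counted): a change is a
    position whose character differs, plus one per character of length difference."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(policy: CommonCriteriaPolicy, new: str, old: Optional[str] = None) -> List[str]:
    """Return every violation of the policy; an empty list means the password is accepted."""
    errors = []
    bad = sorted(set(new) - ALLOWED_CHARS)
    if bad:
        errors.append("characters outside the composition policy: " + "".join(bad))
    if len(new) < policy.min_length:
        errors.append(f"shorter than min-length {policy.min_length}")
    if len(new) > policy.max_length:
        errors.append(f"longer than max-length {policy.max_length}")
    digits = sum(c.isdigit() for c in new)
    if digits < policy.numeric_count:
        errors.append(f"numeric-count {policy.numeric_count} not met ({digits} found)")
    specials = sum(c in SPECIAL_CHARS for c in new)
    if specials < policy.special_case:
        errors.append(f"special-case {policy.special_case} not met ({specials} found)")
    if old is not None and count_changes(old, new) < policy.char_changes:
        errors.append(f"char-changes {policy.char_changes} not met ({count_changes(old, new)} found)")
    return errors


# The values of policy1 from the configuration example on the page.
POLICY1 = CommonCriteriaPolicy(min_length=6, max_length=20, numeric_count=2, special_case=2, char_changes=4)
```

Calling `check_password(POLICY1, "Pa55w0rd!#", "Pa55w0rd!$")` with these constructed values reports only the char-changes violation, since the two passwords differ in a single position.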
Related Topic | Document Title
---|---
For complete syntax and usage information for the commands used in this chapter. | Consolidated Platform Command Reference, Cisco IOS Release 15.2(7)E (Catalyst 1000 Switches)

RFC | Title
---|---
RFC 2865 | Remote Authentication Dial-in User Service
RFC 3576 | Dynamic Authorization Extensions to RADIUS
This table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
Release | Feature | Feature Information
---|---|---
Cisco IOS Release 15.2(7)E1 | Password Strength and Management for Common Criteria | The Password Strength and Management for Common Criteria feature is used to specify password policies and security mechanisms for storing, retrieving, and providing rules to specify user passwords.
Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.