Table 1. Feature History

| Feature Name | Release Information | Description |
| --- | --- | --- |
| AAA Password Security Policies | Cisco IOS XR Release 6.5.33 | This feature introduces strong password security policies to strengthen the secret and password configuration of usernames. These policies also have the option of blocking a local user from accessing the router for a configurable amount of time if the maximum number of login attempts to the device is reached. The feature thus enhances router security by enforcing strong user password policies. Commands added: |
The AAA password security policies enhance the secret configuration for a username. Password policies for the username password configuration were already supported; from Cisco IOS XR Release 6.5.33, policies for the username secret are supported as well. These password policies apply only to local users.
The AAA password security feature provides the following policies:
Lockout Policy
AAA provides a configuration option to restrict users who try to authenticate with invalid login credentials. This option sets the maximum number of permissible authentication failures for a user; a user who exceeds that limit is locked out until the configurable lockout timer expires.
The following sample configuration specifies the maximum number of unsuccessful attempts (10) before a user is locked out, and the lockout duration (1 day):
RP/0/RP1:tb6#sh run aaa password-policy pol44
aaa password-policy pol44
lockout-time days 1
authen-max-attempts 10
!
RP/0/RP1:tb6#
The following is a sample syslog when a user is locked out:
RP/0/RSP1/CPU0:Jun 21 09:21:28.226 : locald_DSC[308]: %SECURITY-LOCALD-5-USER_PASSWD_LOCKED : User 'user12' is temporarily locked out for exceeding maximum unsuccessful logins.
The following is a sample syslog when the user is unlocked for authentication:
RP/0/RSP1/CPU0:Jun 21 09:14:24.633 : locald_DSC[308]: %SECURITY-LOCALD-5-USER_PASSWD_UNLOCKED : User 'user12' is unlocked for authentications.
Lifetime Policy
The administrator can configure the maximum lifetime for the password and the secret; if this parameter isn't set, the password never expires.
For example, if a password has a lifetime of one month and the machine reboots on the 29th day, the password and secret are valid for one month after the reboot.
RP/0/RP0:R3#sh run aaa password-policy pol1
aaa password-policy pol1
lifetime months 1
Reauthentication Policy
When a user attempts to log in and the user's secret has already expired, the user is prompted to create a new secret.
When a user changes the secret after its lifetime has expired, the user is authenticated against the new secret.
The following example shows the login prompt when the secret has expired:
User Access Verification
Username: lab2
Password:
%Password has expired and must be changed.
(Requirements: Uppercase 1, Lowercase 0, Special 0,
Numeric 0, Min-length 2, Max-length 253, Min-difference 2).
Special characters restricted to !@#$%&*^()
New Password:
Confirm Password:
Password changed successfully. Please login with new password.
Username: lab2
Password:
RP/0/RP0/CPU0:ios#
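To make the requirement line in the prompt above concrete, here is an added example (not Cisco's code) that models the complexity checks in Python, using keyword names that mirror the `aaa password-policy` keywords on this page and defaults that match the prompt's requirement line. How IOS XR counts `Min-difference` is not stated on the page; the example assumes it is the number of character positions at which the new secret differs from the old one.

```python
import string

# Special characters the login prompt says are permitted in a secret.
ALLOWED_SPECIAL = set("!@#$%&*^()")
ALNUM = set(string.ascii_letters + string.digits)


def check_secret(secret, old_secret="", *, numeric=0, upper_case=0, lower_case=0,
                 special_char=0, min_length=2, max_length=253, min_difference=0):
    """Return the list of policy violations; an empty list means the secret is accepted.

    Keyword defaults match the requirement line printed at login. The
    'min_difference' semantics (positions that differ from the old secret,
    with any length change counted as differing positions) are an assumption.
    """
    violations = []
    if not min_length <= len(secret) <= max_length:
        violations.append(f"length {len(secret)} outside {min_length}..{max_length}")

    counts = {
        "numeric": sum(c.isdigit() for c in secret),
        "upper-case": sum(c.isupper() for c in secret),
        "lower-case": sum(c.islower() for c in secret),
        "special-char": sum(c in ALLOWED_SPECIAL for c in secret),
    }
    for name, required in (("numeric", numeric), ("upper-case", upper_case),
                           ("lower-case", lower_case), ("special-char", special_char)):
        if counts[name] < required:
            violations.append(f"{name}: need {required}, got {counts[name]}")

    # Anything that is neither alphanumeric nor in the permitted special set is rejected.
    disallowed = sorted({c for c in secret if c not in ALNUM and c not in ALLOWED_SPECIAL})
    if disallowed:
        violations.append("disallowed characters: " + "".join(disallowed))

    if min_difference:
        diff = sum(a != b for a, b in zip(secret, old_secret)) + abs(len(secret) - len(old_secret))
        if diff < min_difference:
            violations.append(f"min-difference: need {min_difference}, got {diff}")
    return violations


if __name__ == "__main__":
    # Constructed candidate secrets evaluated against the pol100-style policy.
    for candidate in ("Ab1", "AB123!x", "AB123~x"):
        print(candidate, check_secret(candidate, numeric=3, upper_case=2, special_char=1))
```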
Secret Complexity Policy
Security administrators can configure password policies to increase the complexity of the secret configured on the device.
For example:
- Adding a policy that requires the secret to be a combination of upper- and lowercase letters, numbers, and special characters.
RP/0/RP0:R3#sh run aaa password-policy pol100
aaa password-policy pol100
numeric 3
upper-case 2
special-char 1
!
RP/0/RP0:R3#sh run username test_1
username test_1
policy pol100
secret 5 $1$7tcr$mwCCVeDXHIy.nhzpDUSMl.
- Adding some more policies to strengthen the secret, such as: