1.8.3 Configure a Password Policy

Information

Because a local user's "password" (as opposed to a "secret") is stored in the reversible type 7 format, consider not applying this recommendation and using secrets instead.

This recommendation only applies if you must configure "password" rather than "secret" for local users.

Cisco IOS XR Software provides an AAA password policy mechanism that defines and enforces rules for local user passwords (length, lifetime, change distance, failed-attempt lockout). The policy applies only to local users; it has no effect on remote users whose profile information is stored on a third-party AAA server.

Strong passwords are important because they help prevent unauthorized access to devices and the network. Even when a central authentication source is used, if that service is unavailable the fallback authentication is usually to local credentials, and at least one local administrator user must be present on the device.

Solution

Use the following configuration to define a password policy and attach it to a local user. Choose values according to your organization's established guidelines. Note that "password 0" enters the password in clear text; the device stores it in type 7 format.

IOSXR# configure
IOSXR(config)#aaa password-policy {password_policy}
IOSXR(config-aaa)#min-length 8
IOSXR(config-aaa)#max-length 25
IOSXR(config-aaa)#lifetime months 3
IOSXR(config-aaa)#min-char-change 5
IOSXR(config-aaa)#authen-max-attempts 3
IOSXR(config-aaa)#lockout-time days 1
IOSXR(config-aaa)#exit
IOSXR(config)#username {local_username} password-policy {password_policy} password 0 {local_password}
IOSXR(config)#commit

Impact:

This policy does not apply to a user's secret. If both a secret and a password are configured for a user, the secret takes precedence, and the password policy has no effect on authentication or on password changes for that user.
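The following audit script is an added example for this page, not CIS or Cisco code. It parses a running-config for "aaa password-policy" blocks and "username" blocks, then reports local users that authenticate with a reversible type 7 password but have no policy attached, a policy that is undefined, or a policy weaker than the values in the Solution above, while honouring the precedence rule from the Impact section (a user with a secret is not subject to the policy). Two things are assumptions: the nested layout of "password-policy ... password 7 ..." under "username" in the running-config, and the thresholds in policy_gaps(); the sample configuration is constructed, not taken from a device.

```python
"""Audit an IOS XR running-config for password-policy coverage of local users."""
import re
from typing import Dict, List, Tuple

Policy = Dict[str, object]
User = Dict[str, object]

# Constructed sample running-config (not from a real device). PolicyA carries
# the values from the recommendation; Weak is missing most of them. The layout
# of "password-policy <name> password 7 <hash>" under "username" is an assumption.
SAMPLE_CONFIG = """\
aaa password-policy PolicyA
 min-length 8
 max-length 25
 lifetime months 3
 min-char-change 5
 authen-max-attempts 3
 lockout-time days 1
!
aaa password-policy Weak
 min-length 6
 lifetime months 3
!
username admin
 group root-lr
 secret 10 $6$salt$fakehash
!
username ops
 group netadmin
 password-policy PolicyA password 7 0822455D0A16
!
username legacy
 group netadmin
 password 7 094F471A1A0A
!
username contractor
 password-policy Weak password 7 0822455D0A16
!
username both
 password-policy PolicyA password 7 0822455D0A16
 secret 10 $6$salt$fakehash
!
"""


def _note_user_attrs(user: User, text: str) -> None:
    """Record policy reference, password presence and secret presence from one line."""
    m = re.search(r"password-policy (\S+)", text)
    if m:
        user["policy"] = m.group(1)
    # "password <type>" needs a space after the word, so "password-policy" does not match.
    if re.search(r"\bpassword \d+\b", text):
        user["password"] = True
    if re.search(r"\bsecret \d+\b", text):
        user["secret"] = True


def parse_config(text: str) -> Tuple[Dict[str, Policy], Dict[str, User]]:
    """Return ({policy name: settings}, {username: attributes})."""
    policies: Dict[str, Policy] = {}
    users: Dict[str, User] = {}
    current = None  # ("policy", name) or ("user", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":  # "!" closes a block in the running-config
            current = None
            continue
        if not line.startswith(" "):
            m = re.match(r"aaa password-policy (\S+)$", line)
            if m:
                current = ("policy", m.group(1))
                policies[m.group(1)] = {}
                continue
            m = re.match(r"username (\S+)(.*)$", line)
            if m:
                current = ("user", m.group(1))
                users[m.group(1)] = {"policy": None, "password": False, "secret": False}
                _note_user_attrs(users[m.group(1)], m.group(2))  # one-line form
                continue
            current = None
            continue
        if current is None:
            continue
        kind, name = current
        body = line.strip()
        if kind == "policy":
            key, *vals = body.split()
            # "min-length 8" -> 8; "lifetime months 3" -> ("months", 3)
            if len(vals) == 1 and vals[0].isdigit():
                policies[name][key] = int(vals[0])
            else:
                policies[name][key] = tuple(int(v) if v.isdigit() else v for v in vals)
        else:
            _note_user_attrs(users[name], body)
    return policies, users


def policy_gaps(policy: Policy) -> List[str]:
    """Thresholds are an assumption chosen to match the recommendation above."""
    gaps = []
    if int(policy.get("min-length", 0)) < 8:
        gaps.append("min-length below 8")
    for key in ("authen-max-attempts", "lifetime", "lockout-time"):
        if key not in policy:
            gaps.append(f"{key} not set")
    return gaps


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, level, message) findings; level is info, warn or fail."""
    policies, users = parse_config(text)
    findings = []
    for name, u in users.items():
        if u["secret"]:
            # Secret takes precedence: the password policy is not applicable.
            if u["password"]:
                findings.append((name, "info", "secret present; password and policy are ignored"))
            continue
        if not u["password"]:
            continue
        findings.append((name, "warn", "reversible type-7 password in use; prefer secret"))
        if u["policy"] is None:
            findings.append((name, "fail", "type-7 password without password-policy"))
            continue
        pol = policies.get(u["policy"])
        if pol is None:
            findings.append((name, "fail", f"references undefined password-policy {u['policy']}"))
            continue
        for gap in policy_gaps(pol):
            findings.append((name, "fail", f"policy {u['policy']}: {gap}"))
    return findings


if __name__ == "__main__":
    for user, level, msg in audit(SAMPLE_CONFIG):
        print(f"{level:4} {user:12} {msg}")
```

Run it against the output of "show running-config" to produce one line per finding; the "info" entries are users whose password and policy are dead configuration because a secret is also present, which is exactly the case the Impact section warns about.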

See Also

https://workbench.cisecurity.org/benchmarks/10473

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: Cisco

Control ID: 8dc61caae9e6a07da1225f80634eecdad2b225e025f33c3a82808da37efa5c6b