


How To Set Password On Cisco Switch 2960

Password Strength and Management for Common Criteria

The Password Strength and Management for Common Criteria feature is used to specify password policies and security mechanisms for storing, retrieving, and providing rules to specify user passwords.

For local users, the user profile and the password information with the key parameters are stored on the Cisco device, and this profile is used for local authentication of users. The user can be an administrator (terminal access) or a network user (for example, PPP users being authenticated for network access).

For remote users, where the user profile information is stored in a remote server, a third-party authentication, authorization, and accounting (AAA) server may be used for providing AAA services, both for administrative and network access.

Restrictions for Password Strength and Management for Common Criteria

Only four concurrent users can log on to the system by using vty at any moment.

Information About Password Strength and Management for Common Criteria

Password Composition Policy

The password composition policy allows you to create passwords of any combination of upper and lowercase characters, numbers, and special characters that include "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")".

Password Length Policy

The administrator has the flexibility to set the password's minimum and maximum length. The recommended minimum password length is 8 characters. The administrator can specify both the minimum (1) and the maximum (64) length for the password.

Password Lifetime Policy

The security administrator can provide a configurable option for a password to have a maximum lifetime. If the lifetime parameter is not configured, the configured password will never expire. The maximum lifetime can be configured by providing the configurable value in years, months, days, hours, minutes, and seconds. The lifetime configuration will survive across reloads as it is a part of the configuration, but every time the system reboots, the password creation time will be updated to the new time. For example, if a password is configured with a lifetime of one month and on the 29th day, the system reboots, then the password will be valid for one month after the system reboots.

Password Expiry Policy

If the user attempts to log on and if the user's password credentials have expired, then the following happens:

  1. The user is prompted to set the new password after successfully entering the expired password.

  2. When the user enters the new password, the password is validated against the password security policy.

  3. If the new password matches the password security policy, then the AAA database is updated, and the user is authenticated with the new password.

  4. If the new password does not match the password security policy, then the user is prompted again for the password. From AAA perspective, there is no restriction on the number of retries. The number of retries for password prompt in case of unsuccessful authentication is controlled by the respective terminal access interactive module. For example, for telnet, after three unsuccessful attempts, the session will be terminated.

If the password's lifetime is not configured for a user and the user has already logged on and if the security administrator configures the lifetime for that user, then the lifetime will be set in the database. When the same user is authenticated the next time, the system will check for password expiry. The password expiry is checked only during the authentication phase.

If the user has been already authenticated and logged on to the system and if the password expires, then no action will be taken. The user will be prompted to change the password only during the next authentication for the same user.

Password Change Policy

The new password must contain a minimum of 4 character changes from the previous password. A password change can be triggered by the following scenarios:

  • The security administrator wants to change the password.

  • The user is trying to get authenticated using a profile, and the password for that profile has expired.

When the security administrator changes the password security policy and the existing profile does not meet the password security policy rules, no action will be taken if the user has already logged on to the system. The user will be prompted to change the password only when the user tries to get authenticated using the profile that does not meet the password security restriction.

When the user changes the password, the lifetime parameters set by the security administrator for the old profile will be the lifetime parameters for the new password.

For noninteractive clients such as dot1x, when the password expires, appropriate error messages will be sent to the clients, and the clients must contact the security administrator to renew the password.

User Reauthentication Policy

Users are reauthenticated when they change their passwords.

When users change their passwords on expiry, they will be authenticated against the new password. In such cases, the actual authentication happens based on the previous credentials, and the new password is updated in the database.


Note

Users can change their passwords only when they are logging on and after the expiry of the old password; however, a security administrator can change the user's password at any time.


Support for Framed (noninteractive) Session

When a client such as dot1x uses the local database for authentication, the Password Strength and Management for Common Criteria feature will be applicable; however, upon password expiry, clients will not be able to change the password. An appropriate failure message will be sent to such clients, and the user must request the security administrator to change the password.

How to Configure Password Strength and Management for Common Criteria

Configuring the Password Security Policy

Perform this task to create a password security policy and to apply the policy to a specific user profile.

Procedure

Command or Action Purpose
Step 1

enable

Example:

                          Device> enable                                                  

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

                          Device# configure terminal                                                  

Enters global configuration mode.

Step 3

aaa new-model

Example:

                          Device(config)# aaa new-model                                                  

Enables AAA globally.

Step 4

aaa common-criteria policy policy-name

Example:

                          Device(config)# aaa common-criteria policy policy1

Creates the AAA security password policy and enters common criteria configuration policy mode.

Step 5

char-changes number

Example:

                          Device(config-cc-policy)# char-changes 4                                                  

(Optional) Specifies the number of changed characters between old and new passwords.

Step 6

max-length number

Example:

                          Device(config-cc-policy)# max-length 25                                                  

(Optional) Specifies the maximum length of the password.

Step 7

min-length number

Example:

                          Device(config-cc-policy)# min-length 8

(Optional) Specifies the minimum length of the password.

Step 8

numeric-count number

Example:

                          Device(config-cc-policy)# numeric-count 4                                                  

(Optional) Specifies the number of numeric characters in the password.

Step 9

special-case number

Example:

                          Device(config-cc-policy)# special-case 3                                                  

(Optional) Specifies the number of special characters in the password.

Step 10

exit

Example:

                          Device(config-cc-policy)# exit                                                  

(Optional) Exits common criteria configuration policy mode and returns to global configuration mode.

Step 11

username username common-criteria-policy policy-name password password

Example:

                          Device(config)# username user1 common-criteria-policy policy1 password password1

(Optional) Applies a specific policy and password to a user profile.

Step 12

end

Example:

                          Device(config)# end                                                  

Returns to privileged EXEC mode.

Verifying the Common Criteria Policy

Perform this task to verify all the common criteria security policies.

Procedure


Step 1

enable

Enables privileged EXEC mode.

Example:

                          Device> enable

Step 2

show aaa common-criteria policy name policy-name

Displays the password security policy information for a specific policy.

Example:

                          Device# show aaa common-criteria policy name policy1

                          Policy name: policy1
                          Minimum length: 1
                          Maximum length: 64
                          Upper Count: 20
                          Lower Count: 20
                          Numeric Count: 5
                          Special Count: 2
                          Number of character changes 4
                          Valid forever. User tied to this policy will not expire.

Step 3

show aaa common-criteria policy all

Displays password security policy information for all the configured policies.

Example:

                          Device# show aaa common-criteria policy all

                          ====================================================================
                          Policy name: policy1
                          Minimum length: 1
                          Maximum length: 64
                          Upper Count: 20
                          Lower Count: 20
                          Numeric Count: 5
                          Special Count: 2
                          Number of character changes 4
                          Valid forever. User tied to this policy will not expire.
                          ====================================================================
                          Policy name: policy2
                          Minimum length: 1
                          Maximum length: 34
                          Upper Count: 10
                          Lower Count: 5
                          Numeric Count: 4
                          Special Count: 2
                          Number of character changes 2
                          Valid forever. User tied to this policy will not expire.
                          ====================================================================
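
The output above shows policies that are weaker than this guide's own guidance: a minimum length of 1 against the recommended 8, fewer than 4 character changes, and no lifetime. The following Python sketch is an added example, not part of the Cisco documentation; it parses the show aaa common-criteria policy all layout and flags those gaps. The sample text is constructed and abridged, and treating a policy without the "Valid forever" line as having a lifetime is an assumption.

```python
import re

# Constructed, abridged sample in the "show aaa common-criteria policy all" layout.
SAMPLE = """\
====================================================================
Policy name: policy1
Minimum length: 1
Maximum length: 64
Numeric Count: 5
Number of character changes 4
Valid forever. User tied to this policy will not expire.
====================================================================
Policy name: policy2
Minimum length: 1
Maximum length: 34
Numeric Count: 4
Number of character changes 2
Valid forever. User tied to this policy will not expire.
====================================================================
"""

RECOMMENDED_MIN_LENGTH = 8   # minimum length the guide recommends
MIN_CHAR_CHANGES = 4         # character changes named in the change policy
NUMERIC_FIELD = re.compile(r"^(.+?):?\s+(\d+)$")  # colon is absent on one line

def parse_policies(text):
    """Return one dict per policy block found in the show-command output."""
    policies = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Policy name:"):
            # Assumption: no "Valid forever" line means a lifetime is configured.
            policies.append({"name": line.split(":", 1)[1].strip(),
                             "never_expires": False})
        elif policies and line.startswith("Valid forever"):
            policies[-1]["never_expires"] = True
        elif policies and (m := NUMERIC_FIELD.match(line)):
            policies[-1][m.group(1)] = int(m.group(2))
    return policies

def audit(policies):
    """Flag policies weaker than the guide's own recommendations."""
    findings = []
    for p in policies:
        if p.get("Minimum length", 0) < RECOMMENDED_MIN_LENGTH:
            findings.append((p["name"], "min-length below recommended 8"))
        if p.get("Number of character changes", 0) < MIN_CHAR_CHANGES:
            findings.append((p["name"], "char-changes below 4"))
        if p["never_expires"]:
            findings.append((p["name"], "no lifetime configured"))
    return findings
```

Calling audit(parse_policies(SAMPLE)) returns (policy name, issue) pairs that can be fed into a configuration review.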

Configuration Examples for Password Strength and Management for Common Criteria

Example: Password Strength and Management for Common Criteria

The following example shows how to create a common criteria security policy and apply the specific policy to a user profile:

              Device> enable
              Device# configure terminal
              Device(config)# aaa new-model
              Device(config)# aaa common-criteria policy policy1
              Device(config-cc-policy)# char-changes 4
              Device(config-cc-policy)# max-length 20
              Device(config-cc-policy)# min-length 6
              Device(config-cc-policy)# numeric-count 2
              Device(config-cc-policy)# special-case 2
              Device(config-cc-policy)# exit
              Device(config)# username user1 common-criteria-policy policy1 password password1
              Device(config)# end

Additional References for Password Strength and Management for Common Criteria

The following sections provide references related to the RADIUS Packet of Disconnect feature.

RFCs

RFC

Title

RFC 2865

Remote Authentication Dial-in User Service

RFC 3576

Dynamic Authorization Extensions to RADIUS

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for Password Strength and Management for Common Criteria

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1. Feature Information for Password Strength and Management for Common Criteria

Feature Name

Releases

Feature Information

Password Strength and Management for Common Criteria

Cisco IOS 15.0(2)SE

Cisco IOS 15.2(1)E

The Password Strength and Management for Common Criteria feature is used to specify password policies and security mechanisms for storing, retrieving, and providing rules to specify user passwords.

The following commands were introduced or modified: aaa common-criteria policy, debug aaa common-criteria, and show aaa common-criteria policy.

Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960l/software/15-2_5_e/config-guide/b_1525e_consolidated_2960l_cg/b_1525e_consolidated_2960l_cg_chapter_0101010.html
