
I was wondering if it's possible at all to configure a password policy which enforces password complexity for locally defined accounts. I know it's possible for TACACS+ and RADIUS, but I need to know if it's possible to enforce such policy for locally defined accounts.

The devices I have in scope are running IOS and NX-OS

Mike Pennington
Lucas Kauffman

1 Answer


Regarding password complexity for local accounts, you have these options...

  • Cisco NX-OS: I'm not sure you can configure a local password policy in NX-OS; however, NX-OS rejects weak passwords by default. To disable this feature, use no password strength-checking in the global configuration.
  • Cisco IOS:
    • Password length: security password min-length. Admittedly, length is a fairly weak check itself, but IOS at least can detect / deny brute force attacks (see below).

There are a few things to remember...

  • Many older versions of Cisco IOS use a weak "Type 7" hash to protect passwords from shoulder-surfing; there are a billion tools like this on the internet to reverse those hashes. Type 7 hashes should not be considered secure, and thus archive configs in a directory with good permissions enforcement (e.g. your Linux tftp directory probably isn't a good location, since most people change tftp file permissions to 777).

    • Ironically the weak "Type 7" algorithm looks secure to the uninitiated, and is enabled with a command called service password-encryption.
    • One should always use the secret keyword when possible in usernames: e.g. username joe secret 5 $1$pJz5$28CTViXggZmhjikYdDyls0. This is at least a decent MD5 hash of the plaintext password. Newer IOS versions attempt to use a stronger algorithm, but failed before getting it right.
    • It's not a bad idea to audit local accounts to see whether you can upgrade them to use the secret keyword. In Linux, it's as simple as grep ^username /path/to/your/configs/* | grep -v secret (making a note to myself to do this today at my $dayjob)
  • Newer versions of IOS have a feature to trap brute-force attacks against the router; an ACL is applied to the vty.
    • This command would automatically apply an ACL to block the offending source IP address for 60 seconds if it had failed password checks 3 times in five minutes: login block-for 60 attempts 3 within 300
    • You can customize the access-list which is applied using login quiet-mode access-class [acl-name]; by default IOS applies an ACL called sl_def_acl
Mike Pennington
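The audit the answer suggests (grep for username lines that lack the secret keyword), carried a step further as an added example that is not part of the original answer: the script below parses a small IOS config, reverses any "Type 7" strings it finds to show that service password-encryption is not a safeguard, flags plaintext (type 0) passwords, and checks whether security password min-length and login block-for are present. The Type 7 key is the publicly known static key the scheme uses; the config text, the usernames and the passwords are constructed for the demo (the $1$ hash is the one quoted in the answer), and the function names are my own.

```python
"""Audit a Cisco IOS config for weak local-account password storage.

Added example, not code from the answer or from Cisco. Generalises
``grep ^username ... | grep -v secret``: reverses Type 7 strings, flags
plaintext passwords and checks for the two hardening commands the
answer mentions. Sample config below is constructed for the demo.
"""
import re
import sys

# Static key used by the IOS Type 7 (service password-encryption) scheme.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: 2-digit decimal key offset, then hex bytes
    each XORed with the key byte at (offset + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 9) -> str:
    """Inverse of type7_decode; IOS picks offset 0..15 at random."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain.encode("ascii")))
    return f"{offset:02d}{data.hex().upper()}"


# username <name> [privilege N] (password|secret) [type] <value>
_USER_RE = re.compile(
    r"^username\s+(\S+)\s+(?:privilege\s+\d+\s+)?(password|secret)\s+"
    r"(?:(\d+)\s+)?(\S+)")


def audit_config(config: str) -> dict:
    """Return per-account findings and which hardening commands are set.

    Each finding is (user, storage, recovered_plaintext_or_None, verdict).
    """
    accounts = []
    for line in config.splitlines():
        m = _USER_RE.match(line.strip())
        if not m:
            continue
        user, keyword, ptype, value = m.groups()
        if keyword == "secret":
            accounts.append((user, "secret", None, "ok: one-way hash"))
        elif ptype == "7":
            accounts.append((user, "password 7", type7_decode(value),
                             "weak: Type 7 is reversible"))
        else:  # 'password 0 ...' or 'password ...' is stored in the clear
            accounts.append((user, "password", value, "weak: plaintext"))
    hardening = {
        "min_length": bool(re.search(r"^security password min-length",
                                     config, re.M)),
        "login_block": bool(re.search(r"^login block-for", config, re.M)),
    }
    return {"accounts": accounts, "hardening": hardening}


# Constructed sample config (made-up hostname, users and passwords).
SAMPLE_CONFIG = """\
hostname rtr-lab
service password-encryption
!
username admin privilege 15 password 7 094F471A1A0A
username backup password 0 Summer2013
username netops secret 5 $1$pJz5$28CTViXggZmhjikYdDyls0
!
line vty 0 4
 login local
"""


def main(paths):
    configs = [open(p).read() for p in paths] or [SAMPLE_CONFIG]
    for cfg in configs:
        report = audit_config(cfg)
        for user, storage, plain, verdict in report["accounts"]:
            shown = f" -> {plain!r}" if plain else ""
            print(f"{user:12} {storage:12} {verdict}{shown}")
        for name, present in report["hardening"].items():
            print(f"{name}: {'set' if present else 'MISSING'}")
        print("-" * 40)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the constructed sample, or pass one or more exported config files. The accounts stored with password 7 or plaintext are the ones to re-enter with the secret keyword; the MISSING lines correspond to the security password min-length and login block-for commands from the answer.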