Implementing a Specific Management Password Policy

By default, the password for a new management user has no requirements other than a minimum length of 6 alphanumeric or special characters. However, if your company enforces a best practices password policy for management users with root access to network equipment, you may want to configure a password policy that sets requirements for management user passwords.

Defining a Management Password Policy

To define specific management password policy settings through the WebUI or the CLI, complete the following steps:

In the WebUI

1. Navigate to Configuration > All Profiles.
2. Expand Other Profiles.
3. Select Mgmt Password Policy.
4. Configure the settings described in Table 1.

Table 1: Management Password Policy Settings

| Parameter | Description |
|---|---|
| Enable Password Policy | Select this checkbox to enable the password management policy. The password policy will not be enforced until this checkbox is selected. |
| Minimum password length required | The minimum number of characters required for a management user password. Range: 6-64 characters. Default: 6. |
| Minimum number of Upper Case characters | The minimum number of uppercase characters required in a management user password. Range: 0-10 characters. By default, there is no requirement for uppercase letters in a password, and the parameter has a default value of 0. |
| Minimum number of Lower Case characters | The minimum number of lowercase characters required in a management user password. Range: 0-10 characters. By default, there is no requirement for lowercase letters in a password, and the parameter has a default value of 0. |
| Minimum number of Digits | The minimum number of numeric digits required in a management user password. Range: 0-10 digits. By default, there is no requirement for numerical digits in a password, and the parameter has a default value of 0. |
| Minimum number of Special characters (!, @, #, $, %, ^, &, *, <, >, {, }, [, ], :, ., comma, \|, +, ~, `) | The minimum number of special characters. Range: 0-10 characters. |
| Username or Reverse of username NOT in Password | When you select this checkbox, the password cannot be the management user's current username or the username spelled backwards. |
| Maximum consecutive character repeats | The maximum number of consecutive repeating characters allowed in a management user password. Range: 0-10 characters. By default, there is no limitation on the number of characters that can repeat within a password, and the parameter has a default value of 0 characters. |
| Maximum Number of failed attempts in 3 minute window to lockout user | The number of failed attempts within a 3 minute window that causes the user to be locked out for the period of time specified by the Time duration to lock out the user upon crossing the "lock-out" threshold parameter. Range: 0-10 attempts. By default, the password lockout feature is disabled, and the default value of this parameter is 0 attempts. |
| Time duration to lock out the user upon crossing the "lock-out" threshold | The length of time the user is locked out after crossing the lock-out threshold. Range: 0-60 minutes. |

5. Click Apply to save your settings.

In the CLI

aaa password-policy mgmt
   enable
   no
   password-lock-out
   password-lock-out-time
   password-max-character-repeat
   password-min-digit
   password-min-length
   password-min-lowercase-characters
   password-min-special-character
   password-min-uppercase-characters
   password-not-username
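
The composition rules in Table 1 can be modeled offline to pre-check candidate passwords or to see what a given policy actually rejects. The following Python sketch is an added example, not vendor code: the class and function names are hypothetical, and it assumes that the username rule is an exact, case-sensitive match (as the table description reads) and that a run of identical characters longer than the configured maximum is rejected. The lockout parameters are not modeled.

```python
import string
from dataclasses import dataclass

# Special characters exactly as listed in Table 1 ("comma" is the literal ',').
SPECIALS = set("!@#$%^&*<>{}[]:.,|+~`")

@dataclass
class MgmtPasswordPolicy:
    """Defaults follow Table 1; it states none for specials, so 0 is assumed."""
    min_length: int = 6
    min_upper: int = 0
    min_lower: int = 0
    min_digit: int = 0
    min_special: int = 0
    not_username: bool = False
    max_repeat: int = 0  # 0 = no limit on consecutive repeats

def longest_run(text):
    """Length of the longest run of one character repeated back to back."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best

def violations(policy, username, password):
    """Return the CLI keywords of every rule the candidate password breaks."""
    found = []
    if len(password) < policy.min_length:
        found.append("password-min-length")
    classes = [
        ("password-min-uppercase-characters", string.ascii_uppercase, policy.min_upper),
        ("password-min-lowercase-characters", string.ascii_lowercase, policy.min_lower),
        ("password-min-digit", string.digits, policy.min_digit),
        ("password-min-special-character", SPECIALS, policy.min_special),
    ]
    for keyword, alphabet, required in classes:
        if sum(ch in alphabet for ch in password) < required:
            found.append(keyword)
    # Assumption: exact, case-sensitive match, as the Table 1 description reads.
    if policy.not_username and password in (username, username[::-1]):
        found.append("password-not-username")
    # Assumption: a run longer than max_repeat is rejected.
    if policy.max_repeat and longest_run(password) > policy.max_repeat:
        found.append("password-max-character-repeat")
    return found

if __name__ == "__main__":
    strict = MgmtPasswordPolicy(10, 1, 1, 1, 1, True, 2)  # constructed sample policy
    print(violations(strict, "admin", "aaa"))
```

With the default policy, a six-character password made of one repeated letter passes every check, which is why the defaults alone do not amount to a composition policy.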

Management Authentication Profile Parameters

Table 2 describes configuration parameters on the Management Authentication profile page.

In the CLI, you configure these options with the aaa authentication mgmt and aaa-server-group commands.

Table 2: Management Authentication Profile Parameters

| Parameter | Description |
|---|---|
| Enable | Enables authentication for administrative users. |
| Default Role | Select a predefined management role to assign to authenticated administrative users: Root (default superuser role); guest-provisioning (guest provisioning role); location-api-mgmt (Location API role); network-operations (network operations role); no-access (no commands are accessible for this role); read-only (read-only role). |
| no access | Negates any configured parameter. |
| Server Group | Name of the group of servers used to authenticate administrative users. See the CLI command aaa-server-group, in the CLI Command Reference Guide for more information. |