max-password-age

The maximum age for a user password in OcNOS is 60 days. The password policy setting describes how long users can use their password before it expires, which ensures that users change their passwords periodically. When a user's password is updated, the expiry is set according to the user's role. The expiry can also be modified or updated per user; once an expiry is set at the user level, the system checks the user-level expiry instead.

When a user logs in and cmlsh is invoked, an admin user is prompted to change the password. A non-admin user receives a message to contact the admin to update the password. If an expired password is not updated within the next 30 days, the user account is removed from the database.

All these features are enabled and disabled entirely through the CLI. When the policy is disabled, /etc/pam.d/common-password should be updated so that it no longer uses the pam_pwquality and pam_pwhistory modules.

Configuration

The following configuration sets the maximum password age.

OcNOS Device

1. Enable the aaa local authentication password-policy
OcNOS#configure terminal
OcNOS(config)#aaa local authentication password-policy
OcNOS(config)#commit
2. Configure the aaa local authentication password expiry per role and per user
OcNOS(config)#aaa local authentication expire 40 role network-admin
OcNOS(config)#aaa local authentication expire 45 role network-engineer
OcNOS(config)#aaa local authentication expire 35 role network-operator
OcNOS(config)#aaa local authentication expire 50 role network-user
OcNOS(config)#aaa local authentication expire 50 user Test1
OcNOS(config)#commit

If the number of days is set to 0, the password will not expire.
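As an added example (not OcNOS code), the following Python script parses the output of show aaa authentication password-policy, resolves the user-over-role expiry rule described above, and models the expiry and 30-day grace behaviour. The sample output is constructed, and the function and state names are assumptions.

```python
import re

MAX_PASSWORD_AGE_DAYS = 60    # documented OcNOS maximum password age
GRACE_DAYS_AFTER_EXPIRY = 30  # account is removed if not updated within 30 days of expiry
# Constructed sample in the format of 'show aaa authentication password-policy' (not a real capture).
SAMPLE_OUTPUT = """\
Minimum length of password: 8
network-admin expiration days: 40
network-engineer expiration days: 90
network-operator expiration days: Disabled
network-user expiration days: 0
Test1: will expire in 50 days!!!
"""
ROLE_RE = re.compile(r"^(\S+) expiration days: (\d+|Disabled)$")
USER_RE = re.compile(r"^(\S+): will expire in (\d+) days!!!$")

def parse_policy(text):
    """Return (roles, users): expiry days per role (None when Disabled) and per-user overrides."""
    roles, users = {}, {}
    for line in text.splitlines():
        if m := ROLE_RE.match(line.strip()):
            roles[m.group(1)] = None if m.group(2) == "Disabled" else int(m.group(2))
        elif m := USER_RE.match(line.strip()):
            users[m.group(1)] = int(m.group(2))
    return roles, users

def effective_expiry(user, role, roles, users):
    """User-level expiry overrides the role's; None means the password never expires (0 or Disabled)."""
    days = users[user] if user in users else roles.get(role)
    return None if days in (None, 0) else days

def audit(roles, users):
    """Flag roles/users whose passwords never expire or exceed the 60-day maximum."""
    findings = []
    for name, days in list(roles.items()) + list(users.items()):
        if days in (None, 0):
            findings.append(f"{name}: password expiry disabled")
        elif days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{name}: {days} days exceeds the {MAX_PASSWORD_AGE_DAYS}-day maximum")
    return findings

def account_state(password_age_days, expiry_days):
    """'active', 'expired' (admin prompted / non-admin told to contact admin) or 'removed'."""
    if expiry_days is None or password_age_days < expiry_days:
        return "active"
    if password_age_days < expiry_days + GRACE_DAYS_AFTER_EXPIRY:
        return "expired"
    return "removed"
```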

Validation 1

Before enabling the local authentication password-policy.

#show aaa authentication password-policy
Password policy parameter:
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
network-admin expiration days: Disabled
network-engineer expiration days: Disabled
network-operator expiration days: Disabled
network-user expiration days: Disabled

After enabling the local authentication password-policy.

By default, password expiry is enabled as well.

#show aaa authentication password-policy
Password policy parameter:
Password policy feature: Enabled
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
network-admin expiration days: 30
network-engineer expiration days: 60
network-operator expiration days: 60
network-user expiration days: 60

After configuring the password expiry per role and per user.

#show aaa authentication password-policy
Password policy parameter:
Password policy feature: Enabled
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
network-admin expiration days: 40
network-engineer expiration days: 45
network-operator expiration days: 35
network-user expiration days: 50
Test1: will expire in 50 days!!!