ExtremeSwitching (ERS)

 View Only

 ERS4850 password aging with password security disabled

Mario Cwikla's profile image
Mario Cwikla posted 05-06-2022 12:12

Answering the question at the bottom of this post will be greatly appreciated :)

Scenario:
- ERS 4850GTS-PWR+ - upgrading from 5.8.3 to 5.12.007s
- Password Security was disabled on 5.8.3
- Password Security remains disabled on 5.12.7
[#show password security #Password security is disabled]
!
!
!
Current output
#show run mod aaa
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4850GTS-PWR+
! Software version = v5.12.6.007
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** AAA ***
!
password aging-time 90
password password-history 3
password complexity lower-case 2
password complexity numeric 2
password complexity special 2
password complexity upper-case 2
password min-length 10
password notifications 30


#show username

Lockout timeout: 1 min
Lockout retries: 3

Username: RW
-------------------------------------------
Role name: RW
Enabled: Yes
Password aging-time: 90 days
Lockout status: Available
Inactive period: 90 days
SSH access: Enabled
TELNET access: Enabled

Username: RO
-------------------------------------------
Role name: RO
Enabled: Yes
Password aging-time: 90 days
Lockout status: Available
Inactive period: 90 days
SSH access: Enabled
TELNET access: Enabled

Username: admin
-------------------------------------------
Role name: RW
Enabled: Yes
Password aging-time: 90 days
Lockout status: Available
Inactive period: 90 days
SSH access: Enabled
TELNET access: Enabled

**********************************************************
**********************************************************
**********************************************************


Question:

With <password security disable> globally, is it still necessary to make the changes listed below to avoid any password aging/inactive issues after 90 days?
!
(config)#password aging-time 0
(config)#username <RO, RW and admin> inactive-period 0
(config)#password aging-time username <RO, RW and admin> 0
!
!
In other words, are aging/inactive password parameters irrelevant (not applicable) if <password security> is disabled?


Again, you input will be greatly appreciated
Todd Hancock's profile image
Todd Hancock


V5.10 added new configurable settings to the password security feature and also updated the aging and lockout policies. Former unconfigurable password security settings were carried over and may not match the new default values - so you will now see them in the non-verbose config. From my experience the password aging and lockout policies are not part of password security (but I could be wrong). After the upgrade, aging and lockout features are also set to non-default values. From the manual:


We would normally run a script after the upgrade to set the aging and lockout to the new default values, and since we were there update the new password security options just so they don't show up in the config.

default username lockout-retries
default username lockout-time
default password aging-time
default password password-history
default password complexity
default password min-length
default password notifications
password aging-time username RW 0
password aging-time username RO 0
username RW inactive-period 0
username RO inactive-period 0