How does the user password aging work on ICX devices after the 180 days or more?

  • Question
  • Updated 4 months ago
  • Answered
Hi everyone!

I would like to know how the user password aging works. I read the security config guide for the firmware version 08070 (that is the code that I have in the switches). It says when the user aging is enabled, the CLI will automatically prompt users to change their passwords when they attempt to sign on. So, if after 180 days I try to log in to the switch, do I have to put my old password and then the CLI asks for a new one? Can I change the period of time of 180 days?

Also, is there a way to sync this password update if I have multiple switches with user password aging enabled? I mean, can I only change or update in one switch and this change will be synced in the others?

I hope someone can help me.

Regards.

JLES


Posted 5 months ago


Hashim Bharoocha, Employee


Hi JLES,

This is from the security guide:

Enabling user password aging

For enhanced security, password aging enforces quarterly updates of all user passwords. After 180 days, the CLI will automatically prompt users to change their passwords when they attempt to sign on.

When password aging is enabled, the software records the system time that each user password was configured or last changed.

The time displays in the output of the show running configuration command, indicated by set-time.

    device# show run
    Current configuration:
    ....
    username waldo password .....
    username raveen set-time 2086038248
    ....

The password aging feature uses the NTP server clock to record the set-time. If the network does not have an NTP server, then set-time will appear as "set-time 0" in the output of the show running configuration command.

A username set-time configuration is removed when:

  • The username and password are deleted from the configuration
  • The username password expires

When a username set-time configuration is removed, it no longer appears in the show running configuration output.

Note that if a username does not have an assigned password, the username will not have a set-time configuration.

Password aging is disabled by default. To enable it, enter the following command at the global configuration level of the CLI.

device(config)#enable user password-aging

Syntax: [no] enable user password-aging

Configuring password history

By default, the Ruckus device stores the last five user passwords for each user. When changing a user password, the user cannot use any of the five previously configured passwords.

For security purposes, you can configure the Ruckus device to store up to 15 passwords for each user, so that users do not use the same password multiple times. If a user attempts to use a stored password, the system will prompt the user to choose a different password.

To configure enhanced password history, enter a command such as the following at the global configuration level of the CLI.

device(config)# enable user password-history 15


Hope this helps.

Thanks

Hashim



JLES

Hi Hashim!!

Thank you for your response, it is very helpful! After the 180 days, do you still need the old password to log in and then the switch asks for the new one? Just to know the behavior of this feature.

Thank you!

Hashim Bharoocha, Employee

Hi JLES,

Again from the Security Guide:

Configuring password history

By default, the Ruckus device stores the last five user passwords for each user. When changing a user password, the user cannot use any of the five previously configured passwords.

For security purposes, you can configure the Ruckus device to store up to 15 passwords for each user, so that users do not use the same password multiple times. If a user attempts to use a stored password, the system will prompt the user to choose a different password.

To configure enhanced password history, enter a command such as the following at the global configuration level of the CLI.

device(config)# enable user password-history 15

Syntax: [no] enable user password-history previous-passwords

The previous-passwords variable is a value from 1 through 15. The default is 5.


Hope this helps

Thanks

Hashim
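Added example, not part of the original posts and not Ruckus code: a small audit that reads saved `show run` output from several switches and reports where password aging is off, where `set-time 0` shows that no NTP clock was recorded, and where the same user's set-time differs between switches. The switch names, sample values and the function names `audit` and `findings` are assumptions, and the line formats follow the excerpt quoted in this thread.

```python
import re

# Constructed sample configs (not from a real device), in the quoted `show run` format.
SAMPLE = {
    "sw1": """enable user password-aging
enable user password-history 15
username waldo password .....
username waldo set-time 2086038248
username raveen password .....
username raveen set-time 0
""",
    "sw2": "username waldo password .....\nusername waldo set-time 2086039999\n",
}

HIST_RE = re.compile(r"^enable user password-history\s+(\d+)$")
USER_RE = re.compile(r"^username\s+(\S+)")

def audit(config):
    """Return aging state, history depth and per-user set-time for one config."""
    state = {"aging": False, "history": 5, "users": {}}  # defaults per the guide
    for line in map(str.strip, config.splitlines()):
        if line == "enable user password-aging":
            state["aging"] = True
        elif m := HIST_RE.match(line):
            state["history"] = int(m.group(1))
        elif m := USER_RE.match(line):
            t = re.search(r"set-time\s+(\d+)", line)
            prev = state["users"].get(m.group(1))
            state["users"][m.group(1)] = int(t.group(1)) if t else prev
    return state

def findings(configs):
    """Compare switches and list the settings that need attention."""
    out, seen = [], {}
    for name, text in sorted(configs.items()):
        st = audit(text)
        if not st["aging"]:
            out.append(f"{name}: password aging not enabled")
        for user, set_time in sorted(st["users"].items()):
            if set_time == 0:
                out.append(f"{name}: {user} has set-time 0 (no NTP clock)")
            elif set_time:
                seen.setdefault(user, {})[name] = set_time
    for user, times in sorted(seen.items()):
        if len(set(times.values())) > 1:
            out.append(f"{user}: set-time differs across {', '.join(sorted(times))}")
    return out
```

Calling `findings(SAMPLE)` returns the list of issues; pass a dict of switch name to saved configuration text to run it on real output.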



JLES

Hi Hashim

I got it!!

Thank you so much for your help.

Juan

Hashim Bharoocha, Employee

Glad to help out.
Most Welcome Juan!!!

The Pleasure is Mine.