Troubleshooting

Unable to enable Password Complexity

Symptom

Getting an error when trying to enable the Password Complexity feature.

Cause

The username must be unique on the switch when the Password Complexity feature is enabled.

Action

Select a unique username.

Unable to download the configuration file

Symptom

Getting an error message when trying to download the configuration file.

Cause

When the password complexity feature is enabled, the configuration file that you are downloading must have a unique username for each privilege.

Action

Edit the configuration file to make sure that the usernames are unique for each privilege.

Validation rules

Validation Error/Warning/Prompt

Fail updating the password if the old password entered is invalid.

The old password entered is invalid. Operation aborted.

Fail the password command when the given password string does not satisfy the password control requirement.

During authentication:

The password must include a minimum of two of these types: uppercase, lowercase, 0–9, and special characters.

During password change from CLI:

Password validation error: Password cannot be changed. It must have special characters, A-Z, a-z & 0-9.

Password Minimum length check.

During authentication:

Password minimum length check failed; operation aborted.

During password change from CLI:

Password validation error: Password minimum length check failed; operation aborted.

NULL password.

During authentication:

Blank password is not acceptable; operation aborted.

During password change from CLI:

Password validation error: Blank password is not acceptable; operation aborted.

Password contains the username or the backwards form of the username.

During authentication:

Password contains the username; operation aborted.

During password change from CLI:

Password validation error: Password contains the username.

Password validation error: Password contains reverse of associated username.

Fail the password command if the given password contains the same character three times consecutively.

During authentication:

Password contains repetitive characters; operation aborted.

During password change from CLI:

Password validation error: Password contains repetitive characters; operation aborted.

Fail the password command if the given password does not differ from the previous password by at least four characters.

During authentication:

Password cannot be changed. It must differ from the previous by four characters.

During password change from CLI:

Password validation error: Password cannot be changed. It must differ from the previous by four characters.

Fail the password command if the given password is the same as that of a password configured within the password history period.

During authentication:

Password cannot be changed; the password entered was used previously.

During password change from CLI:

Password validation error: Password cannot be changed; the password entered was used previously.

Fail the password command if it is executed before the password update interval time.

Password command will fail with an error message: The minimum wait period for updating password is not expired. Operation aborted.

Password history clear command: clear password-history operator/manager/local group <name>

If the name does not exist, the following error message is displayed:

User:user1 does not exist.

Password minimum length should match the sum of the compositions (lowercase + uppercase + special characters + numbers).

The minimum password length configured is %s less than the sum of password composition.

Operation aborted.

If the display of user last-login details is disabled and the user executes the sh authentication last-login command:

The last login details cannot be displayed. Command execution is currently disabled by executing password configuration command ’password configuration log-on-details’.

To enable the password configuration feature, the following should be configured:

  1. Minimum password length should be set to 8 or greater.

  2. Manager credentials should be configured.

  3. Web UI should be disabled.

The precedence in the error message is as follows:

  1. Password minimum length is < 8.

    The minimum password length configured is 8 less than the sum of password composition. Operation aborted.

  2. Manager is not configured:

    Manager credentials should be configured to enable the password configuration feature

  3. Web UI will ask for the following confirmation:

    “The password configuration feature cannot be enabled when the WebUI is enabled.

    Would you like to disable WebUI and REST protocol? [y/n]:”

When the Password Complexity feature is enabled and the manager user is deleted from the system:

Manager account cannot be deleted when the password configuration feature is enabled.

WebUI and password configurations are mutually exclusive.

  1. WebUI cannot be enabled when the password configuration feature is enabled.

  2. The password configuration feature cannot be enabled when the WebUI is enabled.

When an incorrect old password is entered during a password change:

The old password is invalid.

While enabling the password configuration function:

switch# password configuration-control

The password configuration feature cannot be enabled when the WebUI is enabled.

Would you like to disable WebUI and REST protocol? [y/n]:y
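
The password rules listed above, collected into an offline pre-check for a candidate password (an added example, not the switch's own code or part of the original page). The Policy defaults, the special-character set (string.punctuation), case-insensitive username matching and the way differing characters are counted are assumptions; the history and update-interval rules are not modeled.

```python
import re
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Hypothetical defaults; use the values configured on the switch.
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_digit: int = 1
    min_special: int = 1
    min_diff: int = 4

    def consistent(self) -> bool:
        # Minimum length must not be less than the sum of the composition counts.
        return self.min_length >= (self.min_upper + self.min_lower
                                   + self.min_digit + self.min_special)

def differing_chars(new: str, old: str) -> int:
    # Assumption: positional mismatches plus the difference in length.
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))

def validate(password: str, username: str, previous: str = "",
             policy: Policy = Policy()) -> list:
    """Return the page's error text for every rule the candidate breaks."""
    if not password:
        return ["Blank password is not acceptable; operation aborted."]
    errors = []
    if len(password) < policy.min_length:
        errors.append("Password minimum length check failed; operation aborted.")
    classes = [(policy.min_upper, string.ascii_uppercase),
               (policy.min_lower, string.ascii_lowercase),
               (policy.min_digit, string.digits),
               (policy.min_special, string.punctuation)]  # assumed special set
    if any(sum(c in chars for c in password) < need for need, chars in classes):
        errors.append("Password cannot be changed. It must have special "
                      "characters, A-Z, a-z & 0-9.")
    low, user = password.lower(), username.lower()  # assumption: case-insensitive
    if user and user in low:
        errors.append("Password contains the username.")
    if user and user[::-1] in low:
        errors.append("Password contains reverse of associated username.")
    if re.search(r"(.)\1\1", password):  # same character three times in a row
        errors.append("Password contains repetitive characters; operation aborted.")
    if previous and differing_chars(password, previous) < policy.min_diff:
        errors.append("Password cannot be changed. It must differ from the "
                      "previous by four characters.")
    return errors
```

An empty list means the candidate passes every modeled rule; the switch itself remains the authority on acceptance.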

Display messages

Validation Error/Warning/Prompt

At first-time log-on, the user is prompted to enter a new password along with the old password.

Please change the password to logon to the system.
Old password: ********
New password: ********
Re-enter the new password: ********

At first-time log-on, if the user fails to change the password, the following error message is displayed.

The respective error message related to password validation is displayed along with the existing session termination message.

When the alert-before-expiry value is configured greater than the aging value.

Alert before expiry is greater than password aging value.

When the user is not configured on the switch.

Password configuration feature is enabled. Configure the password for the user ‘admin’ to get access.

When the password aging time is about to expire, a warning message is displayed.

Password ages out in %d day(s).
Change it now [Y/Any key - No]?
If yes, the user will be prompted:
Old password: ********
New password: *************
Re-enter the new password: *************

If the new password configuration fails, the error message is displayed and the user is given access:

Password cannot be changed. It must have special characters, A-Z, a-z & 0-9.
Your previous successful login (as manager) was on 1990-01-01 07:57:24
from the console
switch#

When the password aging time expires and the password has still not been updated, but the user is still within the configured login attempts and period, the following warning message is displayed.

Password expired; %d login left in %d day(s).
Change it now [Y/Any key - No]?
If yes, the user will be prompted:
Old password: ********
New password: *************
Re-enter the new password: *************

If the new password configuration fails, the error message is displayed and the user is given access:

Password cannot be changed. It must have special characters, A-Z, a-z & 0-9.
Your previous successful login (as manager) was on 1990-01-01 07:57:24
from the console
switch#

When the password aging time expires and all the additional login attempts are exhausted, a warning message is displayed with a prompt for entering the new password.

Password grace period is complete. Please change password.
Old password: ********
New password: ********
Re-enter the new password: ********

If the above entry fails, the respective error message related to password validation is displayed along with the existing session termination message.