Cisco Password Strength and Management for Common Criteria

We are using a Cisco 2960X switch and, after the security auditing exercise, we are asked to implement a password policy for Password Strength and Management for Common Criteria as shown in the link below.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html

My question is: in order to implement Password Strength and Management for Common Criteria, do we need an external RADIUS/TACACS server?

Also, if we would like to implement the following password policy:

1) Minimum password age
2) Maximum password age
3) Password history (i.e. cannot reuse a password from the last 10 passwords in the history)

do we need to implement RADIUS or TACACS?

Thank you for your advice in advance.

Regards
Patrick
patricktam asked:

btan (Exec Consultant) commented:
The password complexity is a standalone security policy to be enforced as it is, independent of any RADIUS or TACACS server. The target of evaluation (TOE) needs all users to use passwords that conform to the complexity requirements as required by the evaluated guidance documentation. This typically falls under "Security Management" in the Cisco case.

RADIUS/TACACS+ are considered external AAA services. They are primarily for centralized switch and host authentication via the client modules. Both RADIUS and TACACS+ may be used in the evaluated configuration. Any host keys (passwords) that are defined for RADIUS/TACACS+ authentication must comply with the password requirements as stated in the guidance. There isn't a preference per se for either RADIUS or TACACS+ in this context.

It will be good if you can check out this PDF for a Cisco device (http://www.cisco.com/web/strategy/government/security_certification/mds_9000_igs.pdf) as an example of configuring and installing the CC build.

But most of the time it depends on how you define the Security Target (SE) for that device. Here is another PDF instance of the SE of a Cisco device. In this example, the TOE can be configured to require local authentication and/or remote authentication via a RADIUS or TACACS+ server as defined in the authentication policy for interactive (human) users.

It is good to have but not mandated. But most of the time such a capability helps to attain a higher level of assurance with an external checker, compared to leveraging just the local user store; external AAA can be routed to the enterprise central identity store outside of the device.
0
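As an added example (not part of the original thread and not text from Cisco's own documentation), this is the shape of a local Common Criteria password policy on IOS, built from the commands described in the feature guide linked in the question. It illustrates the point above that the complexity rules are enforced on the switch itself with no external AAA server. The policy name CC-POLICY, the account name admin and the numeric values are assumptions chosen for illustration; confirm the exact keywords your 2960X image offers with `?` in policy configuration mode, since keyword availability depends on the IOS release.

```cisco
! Added example: local Common Criteria password policy on Cisco IOS.
! Policy name, username and values are assumptions for illustration.
configure terminal
 aaa new-model
 !
 ! Define the complexity and lifetime rules; enforced locally, no RADIUS/TACACS+ needed
 aaa common-criteria policy CC-POLICY
  min-length 15
  max-length 64
  upper-case 1
  lower-case 1
  numeric-count 1
  special-case 1
  ! at least 4 characters must differ from the previous password
  char-changes 4
  ! maximum password age: the password must be changed after 90 days
  lifetime day 90
  exit
 !
 ! Bind the policy to local accounts; a password that violates the policy is rejected
 username admin common-criteria-policy CC-POLICY password <new-password>
 enable common-criteria-policy CC-POLICY password <new-enable-password>
 end
!
! Verify what the switch will enforce
show aaa common-criteria policy name CC-POLICY
```

Of the three controls asked about in the question, the `lifetime` keyword covers maximum password age. Whether the image also offers a minimum age or a history depth is release-dependent, so check the keywords listed by `?` under the policy; if they are absent, that part of the policy has to be enforced in the RADIUS or TACACS+ server's own password policy rather than on the switch.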

patricktam (Author) commented:
Thanks for the detailed explanation on this.
0
btan (Exec Consultant) commented:
Thanks! I missed out the earlier PDF link for the SE example.
http://www.commoncriteriaportal.org/files/epfiles/cisco_nac_eal2_st_v2.pdf
0