Secure Management; User Roles; Passwords - Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures

Aggregation services router

4 Secure Management

4.1 User Roles

The ASR has both privileged and semi-privileged administrator roles as well as
non-administrative access. Non-administrative access is granted to authenticated neighbor routers
so that they can receive updated routing tables per the information flow rules. There are no other
access or functions associated with non-administrative access. These privileged and
semi-privileged roles are configured in the Access Control and Session Termination section above.
The TOE also allows for customization of other levels. Privileged access is defined by any
privilege level entering an enable password after their individual login. Privilege levels are
numbered 0-15 and specify the various levels for the user. The privilege levels are not
necessarily hierarchical. Privilege level 15 has access to all commands on the TOE. Privilege
levels 0 and 1 are defined by default, while levels 2-14 are undefined by default. Levels 0-14 can
be set to include any of the commands available to the level 15 administrator, and are considered
the semi-privileged administrator for purposes of this evaluation. The privilege level determines
the functions the user can perform; hence the phrase "authorized administrator with the
appropriate privileges".
To establish a username-based authentication system, use the username command in global
configuration mode.
router(config)# username name [privilege level]
When a user no longer requires access to the ASR, the user account can be removed. To remove
an established username-based authentication account, use the "no" form of the command.
router(config)# no username name
Refer to the IOS Command Reference Guide for available commands and associated roles and
privilege levels.

4.2 Passwords

Password complexity is not enforced by the router by default, and must be administratively
set in the configuration. To prevent administrators from choosing insecure passwords, each
password must be as follows. See [10], under Reference Guides > Command References >
Security and VPN, the manual Cisco IOS Security Command Reference: Commands A to Z,
for this section.
1. At least 15 characters long. Use the following command to set the minimum length to 15
or greater.
router(config)# security passwords min-length length
Example: router(config)# security passwords min-length 15
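The following audit script is an added example, not part of the Cisco guidance. It checks a saved configuration for the minimum-length setting from section 4.2 and classifies each local account by the roles in section 4.1. The sample configuration is constructed, and the default login level of 1 for accounts without a privilege keyword is an assumption.

```python
import re

# Constructed sample of saved configuration lines (not from a real device).
SAMPLE_CONFIG = """\
security passwords min-length 8
username admin privilege 15 secret 5 <hash-placeholder>
username netops privilege 7 secret 5 <hash-placeholder>
username auditor secret 5 <hash-placeholder>
"""

REQUIRED_MIN_LENGTH = 15  # requirement stated in section 4.2
DEFAULT_PRIVILEGE = 1     # assumption: level used when no privilege keyword is given

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
MINLEN_RE = re.compile(r"^security passwords min-length\s+(\d+)\s*$", re.M)


def audit(config: str) -> dict:
    """Report the min-length setting and the login role of each local account."""
    match = MINLEN_RE.search(config)
    # A missing line means the router is not enforcing any minimum length.
    min_len = int(match.group(1)) if match else None
    accounts = {}
    for name, level in USERNAME_RE.findall(config):
        lvl = int(level) if level else DEFAULT_PRIVILEGE
        # Section 4.1: level 15 has all commands; levels 0-14 are semi-privileged.
        role = "privileged" if lvl == 15 else "semi-privileged"
        accounts[name] = (lvl, role)
    return {
        "min_length": min_len,
        "min_length_ok": min_len is not None and min_len >= REQUIRED_MIN_LENGTH,
        "accounts": accounts,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    status = "OK" if result["min_length_ok"] else "FAIL"
    print(f"min-length {result['min_length']}: {status} (need >= {REQUIRED_MIN_LENGTH})")
    for name, (lvl, role) in sorted(result["accounts"].items()):
        print(f"{name}: login level {lvl} ({role})")
```

The login level is only the starting point: per section 4.1, any user who enters an enable password after login gains privileged access, so the account list should be reviewed together with who holds that password.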