Symptom
When using either:
username common-criteria-policy secret
username common-criteria-policy algorithm-type secret
The AAA-CC code appears to examine the hash of the cleartext secret rather than the cleartext of the secret to establish if the secret passes the AAA-CC criteria.
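The following added example (not Cisco code, and not part of the original bug report) shows why a complexity verdict computed on a hash string says nothing about the cleartext behind it. The policy thresholds, the `stand_in_hash` helper, its fixed salt and the sample secrets are all assumptions constructed for illustration; the hash layout only imitates a stored secret and is not byte-compatible with IOS XE output.

```python
import base64
import hashlib

# Assumed policy thresholds (constructed; not taken from the bug report).
POLICY = {"min_len": 8, "upper": 1, "lower": 1, "digit": 1, "special": 1}


def policy_violations(text, policy=POLICY):
    """Return the names of the policy rules that `text` fails."""
    counts = {
        "upper": sum(c.isupper() for c in text),
        "lower": sum(c.islower() for c in text),
        "digit": sum(c.isdigit() for c in text),
        "special": sum(not c.isalnum() for c in text),
    }
    failed = [rule for rule, n in counts.items() if n < policy[rule]]
    if len(text) < policy["min_len"]:
        failed.insert(0, "min_len")
    return failed


def stand_in_hash(cleartext, salt="ConstructedSalt"):
    """Build a '$8$salt$digest' style string with PBKDF2-HMAC-SHA256.

    Stand-in only: the layout imitates a stored secret but is not
    byte-compatible with what IOS XE generates.
    """
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt.encode(), 20000)
    return "$8$" + salt + "$" + base64.b64encode(digest).decode()


def compare(cleartext):
    """Policy verdict on the cleartext versus on its hash string."""
    return {
        "cleartext": policy_violations(cleartext),
        "hash": policy_violations(stand_in_hash(cleartext)),
    }


if __name__ == "__main__":
    for secret in ("cisco", "Str0ng!Passphrase"):  # constructed samples
        print(secret, compare(secret))
```

The hash string satisfies every rule for both secrets, so a check that looks at the hash cannot distinguish a weak cleartext from a strong one.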
Conditions
This is not a supported configuration, but the CLI allows the configuration to take place.
'username common-criteria-policy secret 5|8|9 ' is supported as of Cisco IOS XE 16.7.1 and later. The secret MUST be entered as a hash, not cleartext.
Workaround
Use 'username common-criteria-policy secret 5|8|9 '
Further Problem Description
None.
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html