Symptom
When the original configuration looks like the following,
---
username user1 common-criteria-policy CCP1 secret 9
aaa common-criteria policy CCP1
min-length 8
(snip)
---
(The password here is cisco123.)
The password can be overwritten with the 'username user1 common-criteria-policy CCP1 secret ' command.
When the new password (cisco, for example) violates the common-criteria policy,
---
Switch(config)#username user1 secret cisco
% Password length is less than minimum length configured
---
a message like the one above appears.
In the normal condition, the password can then be set with another new password, as below:
---
Switch(config)#username user1 common CCP1 secret cisco1234
Switch(config)#
---
In the problematic condition, it cannot:
---
Switch(config)#username user1 common CCP1 secret cisco1234
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
Switch(config)#
---
As a result, the credential becomes unavailable because it does not have any password.
Conditions
- 16.12.5 or later.
- service password-encryption is enabled.
- aaa common-criteria policy is used.
Workaround
- Use the 'no username user1' command and re-create the account 'user1'.
or
- Use 16.12.4 or earlier.
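
One way to check a saved running-config for the two configuration conditions listed above and for local accounts left without a credential. This is an added example, not part of the original bug report; it assumes an affected account appears as a username line with neither a secret nor a password keyword, and the sample config, the function name audit and the placeholder hashes are constructed.

```python
import re

# Constructed sample config (not from the original report); hashes are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
aaa common-criteria policy CCP1
 min-length 8
username admin privilege 15 secret 9 PLACEHOLDER_HASH
username user1 common-criteria-policy CCP1
username user2 common-criteria-policy CCP1 secret 9 PLACEHOLDER_HASH
"""

POLICY_RE = re.compile(r"^aaa common-criteria policy (\S+)")
USERNAME_RE = re.compile(r"^username (\S+)(.*)$")
CRED_RE = re.compile(r"\s(?:secret|password)\s")


def audit(config_text):
    """Report whether the bug's config conditions are present and which
    local accounts have no secret/password on any of their username lines."""
    encryption = False
    policies = []
    has_cred = {}  # username -> True once a secret/password keyword is seen
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line == "service password-encryption":
            encryption = True
        elif (m := POLICY_RE.match(line)):
            policies.append(m.group(1))
        elif (m := USERNAME_RE.match(line)):
            name, rest = m.group(1), m.group(2) + " "
            # Assumption: a credential shows up as "secret ..." or "password ..."
            has_cred[name] = has_cred.get(name, False) or bool(CRED_RE.search(rest))
    return {
        "conditions_present": encryption and bool(policies),
        "cc_policies": policies,
        "users_without_credential": sorted(n for n, ok in has_cred.items() if not ok),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The software version condition (16.12.5 or later) is not checked by this script and has to be confirmed separately.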