This issue only affects local users created with index value 0 in the internal database.
Duplicate secret entries are visible in configuration after the application of a password policy. The password changes are successful, but they result in duplicate configuration entries.
This issue is triggered when a password policy is applied to an existing user followed by a password change. It specifically affects local AAA users with an internal database index value of 0, which is typically assigned to the first user created.
This bug affects the first configured username. The workaround requires more than one username to be configured. If the box has only one username, first configure a secondary user. (If a policy is already configured, skip step 3.)

Step 1. Enter config mode
    RP/0/RP0/CPU0:ios# config

Step 2. Create a secondary user if no other user is present
    RP/0/RP0/CPU0:ios(config)# username lab2
    RP/0/RP0/CPU0:ios(config-un)# group root-lr
    RP/0/RP0/CPU0:ios(config-un)# group cisco-support
    RP/0/RP0/CPU0:ios(config-un)# secret
    RP/0/RP0/CPU0:ios(config-un)# commit
    RP/0/RP0/CPU0:ios(config-un)# exit

Step 3. Create/adjust the password policy (if needed)
    RP/0/RP0/CPU0:ios(config)# aaa password-policy
    RP/0/RP0/CPU0:ios(config-pp)# min-length 8
    RP/0/RP0/CPU0:ios(config-pp)# commit
    RP/0/RP0/CPU0:ios(config-pp)# exit

Step 4. Remove the first user
    RP/0/RP0/CPU0:ios(config)# no username lab
    RP/0/RP0/CPU0:ios(config)# commit

Step 5. Recreate the user with the desired policy and secret
    RP/0/RP0/CPU0:ios(config)# username lab
    RP/0/RP0/CPU0:ios(config-un)# group root-lr
    RP/0/RP0/CPU0:ios(config-un)# group cisco-support
    RP/0/RP0/CPU0:ios(config-un)# policy
    RP/0/RP0/CPU0:ios(config-un)# secret
    RP/0/RP0/CPU0:ios(config-un)# commit

Step 6. Confirm configuration
    RP/0/RP0/CPU0:ios# show run aaa

Already have multiple users (If a policy is already configured, skip step 3.)

Step 1. Enter config mode
    RP/0/RP0/CPU0:ios# config

Step 2. Remove the first user
    RP/0/RP0/CPU0:ios(config)# no username lab
    RP/0/RP0/CPU0:ios(config)# commit

Step 3. Create/adjust the password policy (if needed)
    RP/0/RP0/CPU0:ios(config)# aaa password-policy
    RP/0/RP0/CPU0:ios(config-pp)# min-length 8
    RP/0/RP0/CPU0:ios(config-pp)# commit
    RP/0/RP0/CPU0:ios(config-pp)# exit

Step 4. Recreate the user with desired groups/policy/secret
    RP/0/RP0/CPU0:ios(config)# username lab
    RP/0/RP0/CPU0:ios(config-un)# group root-lr
    RP/0/RP0/CPU0:ios(config-un)# group cisco-support
    RP/0/RP0/CPU0:ios(config-un)# policy
    RP/0/RP0/CPU0:ios(config-un)# secret
    RP/0/RP0/CPU0:ios(config-un)# commit

Step 5. Confirm configuration
    RP/0/RP0/CPU0:ios# show run aaa
The base code was committed in 07.02.01, so it is applicable to all releases after that.
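
A check for the symptom against saved "show run aaa" output, as an added example that is not part of the original bug report: it flags username stanzas that hold more than one secret line. The sample configuration, the policy name pol1, the hash placeholders, and the assumption that duplicates appear as repeated secret lines under one username are constructed for illustration.

```python
import re

# Constructed sample of `show run aaa` output (not taken from the bug report).
# Assumption: the defect appears as more than one `secret` line under a single
# username stanza. The policy name `pol1` and the hash values are placeholders.
SAMPLE_CONFIG = """\
aaa password-policy pol1
 min-length 8
!
username lab
 group root-lr
 group cisco-support
 policy pol1
 secret 10 PLACEHOLDER_HASH_A
 secret 10 PLACEHOLDER_HASH_B
!
username lab2
 group root-lr
 group cisco-support
 secret 10 PLACEHOLDER_HASH_C
!
"""

def find_duplicate_secrets(config_text):
    """Return {username: {"secrets": n, "policy": name}} for users with n > 1."""
    counts, policies, current = {}, {}, None
    for line in config_text.splitlines():
        m = re.match(r"username (\S+)\s*$", line)
        if m:                               # start of a username stanza
            current = m.group(1)
            counts.setdefault(current, 0)
        elif not line.startswith(" "):      # "!" or another top-level stanza
            current = None
        elif current is not None:           # indented line inside the stanza
            words = line.split()
            if words and words[0] == "secret":
                counts[current] += 1
            elif len(words) == 2 and words[0] == "policy":
                policies[current] = words[1]
    return {u: {"secrets": n, "policy": policies.get(u)}
            for u, n in counts.items() if n > 1}

if __name__ == "__main__":
    for user, info in find_duplicate_secrets(SAMPLE_CONFIG).items():
        print(f"{user}: {info['secrets']} secret entries, policy={info['policy']}")
```

An empty result after the workaround means no username stanza in the saved output carries more than one secret line.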