Last Modified: Jan 15, 2021
See more info
Known Affected Versions:
15.1.0, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 15.1.1, 15.1.2, 16.0.0, 18.104.22.168, 16.0.1
Opened: Jul 17, 2020
The local password policy is not enforced when the auth source type is set to Remote. Any non-default password policy changes are not enforced for local users.
The system does not enforce any of the non-default local password policy options. For example, even if the required-uppercase is set to 2, a local user's password can be set to something less than 2. Even if the minimum-length is set to 12, a local user's password can be set to something less than 12. Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
1) Some part of the local password policy has been changed from the default values, for example, changing the password required-uppercase to 2 . 2) The auth source is set to a remote source, such as LDAP, AD, or TACACS.