Bug ID 928161: Local password policy not enforced when auth source is set to a remote type.

Last Modified: Jan 15, 2021

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 16.0.0, 16.0.0.1, 16.0.1

Opened: Jul 17, 2020
Severity: 3-Major

Symptoms

The local password policy is not enforced when the auth source type is set to Remote. Any non-default password policy changes are not enforced for local users.

Impact

The system does not enforce any of the non-default local password policy options. For example, even if required-uppercase is set to 2, a local user's password can be set with fewer than 2 uppercase characters. Even if minimum-length is set to 12, a local user's password can be shorter than 12 characters. As another example, even if max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Conditions

1) Some part of the local password policy has been changed from the default values, for example, changing the password required-uppercase to 2.
2) The auth source is set to a remote source, such as LDAP, AD, or TACACS.
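
A triage check for the two conditions above plus the Known Affected Versions list, written as an added example (not F5 code). It assumes the text was saved from `tmsh list auth source` and `tmsh list auth password-policy`; the function names and the sample input are constructed, and the `minimum-length` and `required-uppercase` defaults are assumptions.

```python
import re

# Known Affected Versions, copied from this page.
AFFECTED = {"15.1.0", "15.1.0.1", "15.1.0.2", "15.1.0.3", "15.1.0.4", "15.1.0.5",
            "15.1.1", "15.1.2", "16.0.0", "16.0.0.1", "16.0.1"}
# max-duration 99999 is the default stated on the page; the other two values
# are ASSUMED defaults: confirm them on a factory-default unit.
ASSUMED_DEFAULTS = {"max-duration": "99999", "minimum-length": "6",
                    "required-uppercase": "0"}


def parse_stanza(text, header):
    """Return the key/value pairs inside a flat 'header { ... }' stanza."""
    m = re.search(re.escape(header) + r"\s*\{(.*?)\}", text, re.S)
    pairs = {}
    for line in (m.group(1) if m else "").splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            pairs[parts[0]] = parts[1].strip()
    return pairs


def check_928161(version, config_text):
    """Evaluate both conditions of the bug plus the affected-version list."""
    source = parse_stanza(config_text, "auth source").get("type")
    policy = parse_stanza(config_text, "auth password-policy")
    changed = {k: v for k, v in policy.items()
               if k in ASSUMED_DEFAULTS and v != ASSUMED_DEFAULTS[k]}
    remote = source is not None and source != "local"
    return {
        "auth_source": source,  # None means the stanza was not found
        "affected_version": version in AFFECTED,
        "non_default_policy": changed,
        "exposed": version in AFFECTED and remote and bool(changed),
    }


# Constructed sample in the style of tmsh output (not from a real device).
SAMPLE = """
auth password-policy {
    max-duration 90
    minimum-length 12
    required-uppercase 2
}
auth source {
    type tacacs
}
"""

if __name__ == "__main__":
    print(check_928161("15.1.2", SAMPLE))
```

A result with `exposed` set to true means the local password policy listed under `non_default_policy` is configured but, per this bug, not being enforced for local users.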

Workaround

None

Fix Information

None

Behavior Change