Bug ID 928161: Local password policy not enforced when auth source is set to a remote type.

Last Modified: May 02, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,,

Opened: Jul 17, 2020
Severity: 3-Major


The local password policy is not enforced when the auth source type is set to the value of 'Remote'. Any non-default password policy changes are not enforced for local users.


The system does not enforce any of the non-default local password policy options. For example, even if the required-uppercase is set to 2, a local user's password can be set to something less than 2. Even if the minimum-length is set to 12, a local user's password can be set to something less than 12. Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).


1) Some parts of the local password policy has been changed from the default values, for example, changing the password required-uppercase to 2. 2) The auth source is set to a remote source, such as LDAP, AD, or TACACS.



Fix Information


Behavior Change