A few days ago Aruba released a new version of Airwave. In the release notes for this version, 8.2.10, you can find a paragraph on page 4 that mentions changes to the password requirements. This raised concerns, because studies show that forcing people to change their passwords frequently does not improve password security. Poked by several people, I got in contact with the responsible product manager at Aruba and discussed this topic with him. Let me describe when those new policies actually apply and how we got here.

Beginning with Airwave 8.2.10, Aruba has merged the federal and the commercial branch into a single branch and also started shipping the images based on CentOS 7, as CentOS 6 will go end of life next year. The new password policies only apply if you update to 8.2.10 AND to CentOS 7, OR if you do a fresh install of version 8.2.10. If you only update to 8.2.10, you are good to go. Furthermore, the release notes state: „When you upgrade from AirWave 8.2.5.x or later releases, the ampadmin and admin users will retain the existing password requirements […].“

Aruba is aware that some people are not happy with those new policies. I was told that there is already a plan to create an „opt-out“ switch in one of the future releases. As long as you stay on CentOS 6, you are good to go to upgrade to 8.2.10.

In addition to this, I will create a feature request in the Aruba Innovation Zone to give users the option to influence the password requirements, as is already possible in other products.

