Security Guide for Cisco Unity Connection Release 8.x
Passwords, PINs, and Authentication Rule Management in Cisco Unity Connection 8.x

Table Of Contents

Passwords, PINs, and Authentication Rule Management in Cisco Unity Connection 8.x

About the PINs and Passwords That Users Use to Access Cisco Unity Connection 8.x Applications

Ensuring That Users Are Initially Assigned Unique and Secure PINs and Passwords in Cisco Unity Connection 8.x

Changing Cisco Unity Connection 8.x Web Application Passwords

Changing Cisco Unity Connection 8.x Phone PINs

Defining Authentication Rules to Specify Password, PIN, and Lockout Policies in Cisco Unity Connection 8.x


Passwords, PINs, and Authentication Rule Management in Cisco Unity Connection 8.x


In Cisco Unity Connection, authentication rules govern user passwords, PINs, and account lockouts for all user accounts. We recommend that you define Connection authentication rules as follows:

To require that users change their PINs and passwords often.

To require that user PINs and passwords be unique and not easy to guess.

Well thought out authentication rules can also thwart unauthorized access to Connection applications by locking out users who enter invalid PINs or passwords too many times.

In this chapter, you will find information on completing the above tasks and on other issues related to PIN and password security. To help you understand the scope of Cisco Unity Connection password management, the first section in this chapter describes the different passwords required to access the Cisco Personal Communications Assistant (PCA), the Connection conversation, Cisco Unity Connection Administration, and other administrative web applications. Each of the sections that follow offers information on actions you need to take, recommendations that will help you make decisions, discussion of the ramifications of those decisions, and in many cases best practices.

For information that will guide you through the process of securing Connection passwords and defining authentication rules, see the following sections:

Understanding Which PINs and Passwords Users Use

About the PINs and Passwords That Users Use to Access Cisco Unity Connection 8.x Applications

Understanding How PINs and Passwords Are Assigned and How to Initially Secure Them

Ensuring That Users Are Initially Assigned Unique and Secure PINs and Passwords in Cisco Unity Connection 8.x

How to Change User PINs and Passwords

Changing Cisco Unity Connection 8.x Web Application Passwords

Changing Cisco Unity Connection 8.x Phone PINs

How to Define Authentication Rules

Defining Authentication Rules to Specify Password, PIN, and Lockout Policies in Cisco Unity Connection 8.x

About the PINs and Passwords That Users Use to Access Cisco Unity Connection 8.x Applications

Revised November 16, 2010

Cisco Unity Connection users use different PINs and passwords to access various Connection applications. Knowing which passwords are required for each application is important in understanding the scope of Connection password management.

Phone PINs

Users sign in to the Cisco Unity Connection conversation by phone with a phone PIN. They enter the PIN (which consists entirely of digits) on the phone keypad, or can say it if voice recognition is enabled.

Web Application (Cisco PCA) Passwords

Users use the web application password to sign in to the Cisco Personal Communications Assistant (Cisco PCA), which provides access to the Messaging Inbox (in Connection 8.0), Messaging Assistant, and Personal Call Transfer Rules web tools.

A user who is assigned to an administrative role may also use the web application password to sign in to the following Connection applications:

Cisco Unity Connection Administration

Cisco Unity Connection Serviceability

Cisco Unified Serviceability

Real-Time Monitoring Tool


Note: If you are using Cisco Unified Communications Manager Business Edition (CMBE) or LDAP authentication, users must use their Cisco Unified CMBE or LDAP account passwords to access Connection web applications.


Ensuring That Users Are Initially Assigned Unique and Secure PINs and Passwords in Cisco Unity Connection 8.x

Revised November 16, 2010

To help protect Cisco Unity Connection from unauthorized access and toll fraud, every user should be assigned a unique phone PIN and web application (Cisco PCA) password.

When you add users to Connection, the phone PIN and web application password are determined by the template that is used to create the user account. By default, user templates are assigned randomly generated strings for the phone PIN and web password. All users created from a template are assigned the same PIN and password.

Consider the following options to ensure that each user is assigned a unique and secure PIN and password at the time that you create the account, or immediately thereafter:

If you are creating a small number of user accounts, after you have used Cisco Unity Connection Administration to create the accounts, change the phone PIN and web password for each user on the Users > Users > Change Password page. Alternatively, instruct users to sign in as soon as possible to change their PINs and passwords (if you choose this option, also ensure that the User Must Change at Next Sign-In check box is checked on the Edit Password page of the template you used to create the accounts).

If you are creating multiple user accounts, use the Bulk Password Edit tool to assign unique passwords and PINs to Connection end user accounts (users with mailboxes) after they have been created. You use the Bulk Password Edit tool along with a CSV file that contains unique strings for the passwords and PINs to apply the passwords/PINs in bulk.

The Bulk Password Edit tool is a Windows-based tool. Download the tool and view Help at http://www.ciscounitytools.com/Applications/CxN/BulkPasswordEdit/BulkPasswordEdit.html.

Changing Cisco Unity Connection 8.x Web Application Passwords

Revised November 16, 2010

You can change the web application (Cisco PCA) password for an individual user on the Users > Users > Change Password page in Cisco Unity Connection Administration at any time.

When passwords expire, users and administrators will be required to enter a new password when they next attempt to sign in to the Cisco PCA or Connection Administration.

Users can also change their Cisco PCA passwords in the Connection Messaging Assistant.

To change passwords for multiple end user accounts (users with mailboxes), you can use the Bulk Password Edit tool to assign unique new passwords to the accounts. You use the Bulk Password Edit tool along with a CSV file that contains unique strings for the passwords to apply the passwords in bulk. The Bulk Password Edit tool is a Windows-based tool. Download the tool and view Help at http://www.ciscounitytools.com/Applications/CxN/BulkPasswordEdit/BulkPasswordEdit.html. You can also use the Cisco Unity Connection Bulk Administration Tool (BAT) to change multiple user passwords at one time. For information on using BAT, see the "Using the Cisco Unity Connection 8.x Bulk Administration Tool" appendix in the User Moves, Adds, and Changes Guide for Cisco Unity Connection Release 8.x, at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/user_mac/guide/8xcucmacx.html.

For users who are able to access voice messages in an IMAP client, make sure that they understand that whenever they change their Cisco PCA password in the Messaging Assistant, they also must update the password in their IMAP client. Passwords are not synchronized between IMAP clients and the Cisco PCA. If users have trouble receiving voice messages in an IMAP client after having updated their Cisco PCA password in both applications, see the "Troubleshooting IMAP Client Sign-In Problems in Cisco Unity Connection 8.x" section in the "Configuring an Email Account to Access Cisco Unity Connection 8.x Voice Messages" chapter of the User Workstation Setup Guide for Cisco Unity Connection Release 8.x, available at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/user_setup/guide/8xcucuwsx.html.

Best Practice

Specify a long—eight or more characters—and non-trivial password. Encourage users to follow the same practice whenever they change their passwords, or assign them to an authentication rule that requires them to do so. Cisco PCA passwords should be changed every six months.

Changing Cisco Unity Connection 8.x Phone PINs

Revised November 16, 2010

You can change the phone PIN for an individual user on the Users > Users > Change Password page in Cisco Unity Connection Administration at any time.

Users can use the Connection phone conversation or the Connection Messaging Assistant to change their phone PINs.

To change PINs for multiple end user accounts (users with mailboxes), you can use the Bulk Password Edit tool to assign unique new PINs to the accounts. You use the Bulk Password Edit tool along with a CSV file that contains unique strings for the PINs to apply the PINs in bulk. The Bulk Password Edit tool is a Windows-based tool. Download the tool and view Help at http://www.ciscounitytools.com/Applications/CxN/BulkPasswordEdit/BulkPasswordEdit.html. You can also use the Cisco Unity Connection Bulk Administration Tool (BAT) to change multiple user PINs at one time. For information on using BAT, see the "Using the Cisco Unity Connection 8.x Bulk Administration Tool" appendix in the User Moves, Adds, and Changes Guide for Cisco Unity Connection Release 8.x, at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/user_mac/guide/8xcucmacx.html.

When PINs expire, users will be required to enter a new PIN when they next attempt to sign in to the Connection conversation.

Because users can use the Messaging Assistant to change their phone PINs, they can help ensure the security of their PINs by taking appropriate measures also to keep their web application (Cisco PCA) passwords secure.

Users need to understand that the phone PIN and Cisco PCA password are not synchronized. While first-time enrollment prompts them to change their initial phone PIN, it does not let them change the password that they use to sign in to the Cisco PCA website.

Best Practice

Each user should be assigned a unique PIN that is six or more digits long and non-trivial. Encourage users to follow the same practice or assign them to an authentication rule that requires them to do so.

Defining Authentication Rules to Specify Password, PIN, and Lockout Policies in Cisco Unity Connection 8.x


Note: Cisco Unity Connection authentication rules are not applicable to managing user passwords in Cisco Unified Communications Manager Business Edition (CMBE), or when LDAP authentication is enabled, because authentication is not handled by Connection in those cases.


Use authentication rules to customize the sign-in, password, and lockout policies that Cisco Unity Connection applies when users access Connection by phone, and how users access Cisco Unity Connection Administration, the Cisco PCA, and other applications such as IMAP clients.

The settings that you specify on the Edit Authentication Rule page in Connection Administration determine:

The number of failed sign-in attempts to the Connection phone interface, the Cisco PCA, or Connection Administration that are allowed before an account is locked.

The number of minutes an account remains locked before it is reset.

Whether a locked account must be unlocked manually by an administrator.

The minimum length allowed for passwords and PINs.

The number of days before a password or PIN expires.

Best Practices

For increased security, we recommend the following best practices when defining authentication rules:

Require that users change their Connection passwords and PINs at least once every six months.

Require web application passwords to be eight or more characters and non-trivial.

Require voicemail PINs to be six or more characters and non-trivial.

For greater security, establish authentication rules that prevent PINs and passwords from being easy to guess and from being used for a long time. At the same time, it is also best to avoid requiring PINs and passwords that are so complicated, or that must be changed so often, that users have to write them down to remember them.

In addition, use the following guidelines as you specify authentication rules in the following fields:

Failed Sign-In __ Attempts

Reset Failed Sign-In Attempts Every __ Minutes

Lockout Duration

Credential Expires After __ Days

Minimum Credential Length

Stored Number of Previous Credentials

Check For Trivial Passwords

Failed Sign-In __ Attempts

Use this field to indicate how Connection handles situations when a user repeatedly enters an incorrect PIN or password. We recommend that you set the field to lock user accounts after three failed sign-in attempts.

Reset Failed Sign-In Attempts Every __ Minutes

Use this field to specify the number of minutes after which Connection will clear the count of failed sign-in attempts (unless the failed sign-in limit is already reached and the account is locked). We recommend that you set the field to clear the count of failed sign-in attempts after 30 minutes.

Lockout Duration

Use this field to specify the length of time that a user who is locked out must wait before attempting to sign in again.

For even tighter security, you can check the Administrator Must Unlock check box, which prevents users from accessing their accounts until an administrator unlocks them on the applicable User > Password Settings page. Check the Administrator Must Unlock check box only if an administrator is readily available to assist users or if the system is prone to unauthorized access and toll fraud.
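The following model, added here and not Connection's own code, shows how the Failed Sign-In Attempts, Reset Failed Sign-In Attempts Every N Minutes, Lockout Duration and Administrator Must Unlock fields interact, using the 3-attempt and 30-minute values recommended above. The lockout duration value, the choice to measure the reset window from the first failure of a run, and clearing the count on a successful sign-in are assumptions, since the chapter does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class AuthRule:
    """Lockout fields of an authentication rule; the first two defaults are this chapter's recommendations."""
    failed_sign_in_attempts: int = 3      # Failed Sign-In __ Attempts
    reset_failed_after_min: int = 30      # Reset Failed Sign-In Attempts Every __ Minutes
    lockout_duration_min: int = 30        # Lockout Duration (constructed value, not a recommendation)
    administrator_must_unlock: bool = False

@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: Optional[float] = None  # start of the current run of failures
    locked_at: Optional[float] = None

class LockoutTracker:
    """Model of how the rule fields interact; times are minutes on a simple clock."""
    def __init__(self, rule: AuthRule):
        self.rule = rule
        self.accounts: Dict[str, AccountState] = {}
    def is_locked(self, alias: str, now: float) -> bool:
        st = self.accounts.setdefault(alias, AccountState())
        if st.locked_at is None:
            return False
        if self.rule.administrator_must_unlock:
            return True                            # only admin_unlock() clears it
        if now - st.locked_at >= self.rule.lockout_duration_min:
            self.accounts[alias] = AccountState()  # lockout expired; start clean
            return False
        return True
    def attempt(self, alias: str, credential_ok: bool, now: float) -> str:
        """Record one sign-in attempt; returns 'success', 'failed' or 'locked'."""
        if self.is_locked(alias, now):
            return 'locked'                        # a correct credential is still refused while locked
        st = self.accounts[alias]
        if credential_ok:
            self.accounts[alias] = AccountState()  # assumed: a successful sign-in clears the count
            return 'success'
        # Reset window: clears the count only while not locked; measured from the run's first failure (assumption)
        if st.first_failure_at is not None and now - st.first_failure_at >= self.rule.reset_failed_after_min:
            st.failures, st.first_failure_at = 0, None
        if st.first_failure_at is None:
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.rule.failed_sign_in_attempts:
            st.locked_at = now
            return 'locked'
        return 'failed'
    def admin_unlock(self, alias: str) -> None:
        self.accounts.pop(alias, None)             # the User > Password Settings unlock action
```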

Credential Expires After __ Days

As a best practice, do not enable the Never Expires option. Instead, confirm that this field has a value greater than zero so that users are prompted to change their passwords every X days (X is the value specified in the Credential Expires After field).

We recommend that you configure web passwords to expire after 120 days and phone PINs to expire after 180 days.

Minimum Credential Length

As a best practice, set this field to six or higher.

For authentication rules that will be used for web application passwords, we recommend that you require users to use passwords that are eight or more characters in length.

For authentication rules that will be used for phone PINs, we recommend that you require users to use PINs that are six or more digits in length.

When you change the minimum credential length, users will be required to use the new length the next time that they change their PINs and passwords.

Stored Number of Previous Credentials

As a best practice, specify a number in this field. By doing so, you enable Connection to enforce password uniqueness by storing a specified number of previous passwords or PINs for each user. When users change passwords and PINs, Connection compares the new password or PIN with those stored in the credential history. Connection rejects any password or PIN that matches a password or PIN stored in the history.

By default, Connection stores 5 passwords or PINs in credential history.

Check For Trivial Passwords

As a best practice, confirm that this field is enabled so that users must use non-trivial PINs and passwords.

A non-trivial phone PIN has the following attributes:

The PIN cannot match the numeric representation of the first or last name of the user.

The PIN cannot contain the primary extension or alternate extensions of the user.

The PIN cannot contain the reverse of the primary extension or alternate extensions of the user.

The PIN cannot contain groups of repeated digits, such as "408408" or "123123."

The PIN cannot contain only two different digits, such as "121212."

A digit cannot be used more than two times consecutively (for example, "28883").

The PIN cannot be an ascending or descending group of digits (for example, "012345" or "987654").

The PIN cannot contain a group of numbers that are dialed in a straight line on the keypad when the group of digits equals the minimum credential length that is allowed (for example, if 3 digits is allowed, the user could not use "123," "456," or "789" as a PIN).
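The PIN rules above, written out as a checker that a provisioning script could run over candidate PINs before loading them with the Bulk Password Edit CSV (an added example, not Connection's own implementation). The standard keypad letter mapping, treating keypad columns and diagonals as straight lines alongside rows, and reading "groups of repeated digits" as any digit group of two or more that immediately repeats are my interpretations of the text.

```python
import re
from typing import Iterable, List

# Letters on a standard phone keypad, used for the "numeric representation" of a name.
_KEYPAD = {c: d for d, letters in {'2': 'abc', '3': 'def', '4': 'ghi', '5': 'jkl', '6': 'mno',
                                   '7': 'pqrs', '8': 'tuv', '9': 'wxyz'}.items() for c in letters}
# Key positions as (row, column) on the 3x3 grid; the 0 key sits below the 8.
_POS = {str(i + 1): divmod(i, 3) for i in range(9)}
_POS['0'] = (3, 1)

def name_to_digits(name: str) -> str:
    """Spell a name on the keypad, e.g. 'Rob' -> '762' (characters without a key are skipped)."""
    return ''.join(_KEYPAD[c] for c in name.lower() if c in _KEYPAD)

def _straight_line(group: str) -> bool:
    """True if the keys of `group` lie on one line with equal spacing (row, column or diagonal)."""
    pts = [_POS[d] for d in group]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])}
    return len(steps) == 1 and steps != {(0, 0)}

def trivial_pin_reasons(pin: str, first: str, last: str,
                        extensions: Iterable[str], min_len: int) -> List[str]:
    """Return the documented triviality rules that `pin` violates; an empty list means acceptable."""
    reasons = []
    if pin in (name_to_digits(first), name_to_digits(last)):
        reasons.append('matches numeric form of first or last name')
    for ext in extensions:
        if ext in pin:
            reasons.append(f'contains extension {ext}')
        if ext[::-1] in pin:
            reasons.append(f'contains reversed extension {ext}')
    if re.search(r'(\d{2,})\1', pin):                 # e.g. 408408, 123123
        reasons.append('contains a repeated group of digits')
    if len(set(pin)) <= 2:                            # e.g. 121212
        reasons.append('uses only two different digits')
    if re.search(r'(\d)\1\1', pin):                   # e.g. 28883
        reasons.append('a digit repeats more than twice consecutively')
    if {int(b) - int(a) for a, b in zip(pin, pin[1:])} in ({1}, {-1}):   # e.g. 012345, 987654
        reasons.append('ascending or descending digit run')
    # The straight-line rule applies to groups exactly min_len long; any 2 keys form a "line",
    # so the check is only meaningful for min_len >= 3 (interpretation of the text).
    if min_len >= 3 and any(_straight_line(pin[i:i + min_len]) for i in range(len(pin) - min_len + 1)):
        reasons.append(f'contains {min_len} keys dialed in a straight line')
    return reasons
```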

A non-trivial web application password has the following attributes:

The password must contain at least three of the following four character types: an uppercase character, a lowercase character, a number, or a symbol.

The password cannot contain the user alias or its reverse.

The password cannot contain the primary extension or any alternate extensions.

A character cannot be used more than three times consecutively (for example, !Cooool).

The characters cannot all be consecutive, in ascending or descending order (for example, abcdef or fedcba).