Cisco Unified Communications Manager Administration Guide, Release 6.0(1)
Credential Policy Configuration

Credential Policy Configuration


The Credential Policy Configuration window in Cisco Unified Communications Manager Administration allows you to configure credential policies to secure user accounts.

A policy comprises a set of rules that controls access to a system or network resource. A credential policy defines password requirements and account lockouts for user accounts.

Credential policies that are assigned to user accounts control the authentication process in Cisco Unified Communications Manager.

After you add a credential policy, you can assign the new policy as the default policy for a credential type or to an individual application or end user.

This chapter describes how to configure credential policies. See the "Related Topics" section for more information about assigning credential policies.

The following topics contain information about configuring credential policies:

Default Credential Policy

Trivial Credential Checks

Finding a Credential Policy

Configuring a Credential Policy

Credential Policy Configuration Settings

Deleting a Credential Policy

Related Topics

Default Credential Policy

At installation, Cisco Unified Communications Manager assigns a static credential policy to end user PINs and to application and end user passwords. The policy contains settings for failed logon resets, lockout durations, expiration periods, and credential requirements. The Credential Policy Configuration window allows you to configure new credential policies for your system or site. You cannot change the static policy.

Figure 104-1 shows the system Default Credential Policy settings. The system provides the Default Credential Policy to facilitate installs and upgrades. These settings differ from the credential policy default settings that the system provides when you add a new credential policy.

Figure 104-1 System Default Credential Policy Settings

Trivial Credential Checks

The system provides trivial credential checks to disallow credentials that are easily hacked. You enable trivial credential checks by checking the Check for Trivial Passwords check box in the Credential Policy Configuration window.

Passwords can contain any alphanumeric ASCII character and all ASCII special characters. A non-trivial password meets the following criteria:

Must contain three of the four allowable characteristics: uppercase character, lowercase character, number, symbol.

Must not use a character or number more than three times consecutively.

Must not repeat or include the alias, username, or extension.

Cannot consist of consecutive characters or numbers (for example, passwords such as 654321 or ABCDEFG).
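The password criteria above, written out as a checker. This is an added example, not Cisco's implementation; the function names, the case-insensitive matching of identifiers and sequences, and the constructed sample values are assumptions.

```python
import re


def is_sequence(text):
    """True when every character is one step above (or below) the previous one."""
    codes = [ord(c) for c in text.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) > 1 and steps in ({1}, {-1})


def password_problems(password, identifiers=()):
    """Return the criteria from the list above that `password` fails.

    `identifiers` holds the user's alias, username and extension.
    """
    problems = []
    classes = [
        any(c.isupper() for c in password),      # uppercase character
        any(c.islower() for c in password),      # lowercase character
        any(c.isdigit() for c in password),      # number
        any(not c.isalnum() for c in password),  # symbol
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    # "More than three times consecutively" means a run of four or more.
    if re.search(r"(.)\1{3}", password):
        problems.append("character repeated more than three times consecutively")
    lowered = password.lower()
    if any(i and i.lower() in lowered for i in identifiers):
        problems.append("contains alias, username, or extension")
    if is_sequence(password):
        problems.append("consists of consecutive characters")
    return problems


if __name__ == "__main__":
    # Constructed sample user: alias "jsmith", extension 4085551234.
    ids = ["jsmith", "4085551234"]
    for candidate in ["Tr1ckyPass", "654321", "Jsmith#2024", "Aaaa1111!x"]:
        print(candidate, password_problems(candidate, ids))
```
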

PINs can contain digits (0-9) only. A non-trivial PIN meets the following criteria:

Must not use the same number more than two times consecutively.

Must not repeat or include the user extension or mailbox or the reverse of the user extension or mailbox.

Must contain three different numbers; for example, a PIN such as 121212 is trivial.

Must not match the numeric representation (that is, dial by name) for the first or last name of the user.

Must not contain groups of repeated digits, such as 408408 or 113377, or patterns that are dialed in a straight line on a keypad, such as 2580, 159, or 753.
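The PIN criteria above, written out as a checker. This is an added example, not Cisco's implementation; the function names, the reading of "groups of repeated digits", the substring matching of keypad lines, and the constructed sample user are assumptions.

```python
import re

# Standard telephone keypad lettering, used for the dial-by-name rule.
KEYS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
        "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYS.items() for ch in letters}

# Three-key straight lines (rows, columns, diagonals), in both directions.
# "2580" is caught because it contains "258".
LINES = ["123", "456", "789", "147", "258", "580", "369", "159", "357"]
LINES += [line[::-1] for line in LINES]


def dial_by_name(name):
    """Digits a caller would press to spell `name` on the keypad."""
    return "".join(LETTER_TO_DIGIT.get(ch, "") for ch in name.lower())


def pin_problems(pin, extensions=(), names=()):
    """Return the PIN criteria from the list above that `pin` fails."""
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not digits only"]
    problems = []
    if re.search(r"(\d)\1\1", pin):
        problems.append("same digit more than two times consecutively")
    if any(e and (e in pin or e[::-1] in pin) for e in extensions):
        problems.append("contains extension or mailbox, or its reverse")
    if len(set(pin)) < 3:
        problems.append("fewer than three different digits")
    if any(n and pin == dial_by_name(n) for n in names):
        problems.append("matches dial-by-name form of a name")
    # Assumed reading of "groups of repeated digits": the whole PIN is one
    # group repeated (408408) or is built from doubled digits (113377).
    if re.fullmatch(r"(\d+)\1+", pin) or re.fullmatch(r"(?:(\d)\1)+", pin):
        problems.append("groups of repeated digits")
    if any(line in pin for line in LINES):
        problems.append("straight line on the keypad")
    return problems


if __name__ == "__main__":
    # Constructed sample: user "John Smith" with extension 5012.
    for pin in ["408408", "121212", "2580", "76484", "92105", "49027"]:
        print(pin, pin_problems(pin, ["5012"], ["John", "Smith"]))
```
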

Finding a Credential Policy

This section describes how to find or review existing credential policies.


Step 1 Choose User Management > Credential Policy.

The Find and List Credential Policies window displays.

Step 2 Click the list item to display.

The window displays the credential policy that you choose.


Additional Information

See the "Related Topics" section.

Configuring a Credential Policy

This section describes how to create a new credential policy or modify an existing credential policy. You cannot modify the system Default Credential Policy.

Procedure


Step 1 Choose User Management > Credential Policy.

The Find and List window displays.

Step 2 Perform one of the following tasks:

To add a new policy, click the Add New button or Add New icon in the Find window OR display a credential policy from the list and click the Copy or Add New button or icon. When you click Add New, the Credential Policy Configuration window displays with the default settings for each field. When you click Copy, the Credential Policy Configuration window displays with the settings from the displayed policy. Continue with Step 3.

To update an existing entry, click the policy to change. The Credential Policy Configuration window displays with the current settings. Continue with Step 3.

Step 3 Enter the appropriate settings as described in Table 104-1.

Step 4 Click the Save button or the Save icon.


Next Steps

To assign the new credential policy as a default policy for a credential type, follow the procedure described in Assigning and Configuring Credential Policy Defaults, page 103-2.

To assign the new credential policy to individual users, follow the procedures described in Managing Application User Credential Information, page 105-10 and Managing End User Credential Information, page 106-12.

Additional Information

See the "Related Topics" section.

Credential Policy Configuration Settings

Table 104-1 describes the credential policy configuration settings. See the "Related Topics" section for related information and procedures.

Table 104-1 Credential Policy Configuration Settings

| Field | Description |
|---|---|
| Display Name | Specify the credential policy name. Enter up to 64 characters. Do not use the following special characters: dash (-), quotes (""), and backslash (\). |
| Failed Logon / No Limit for Failed Logons | Specify the number of allowed failed logon attempts. When this threshold is reached, the system locks the account. Enter a number in the range 1-10. To allow unlimited failed logons, enter 0 or check the No Limit for Failed Logons check box. Uncheck the check box to enter a value greater than 0. The default setting specifies 3. |
| Reset Failed Logon Attempts Every | Specify the number of minutes before the counter is reset for failed logon attempts. After the counter resets, the user can try logging in again. Enter a number in the range 1-120. The default setting specifies 30. |
| Lockout Duration / Administrator Must Unlock | Specify the number of minutes an account remains locked when the number of failed logon attempts exceeds the specified threshold. Enter a number in the range 1-120. Enter 0 or check the Administrator Must Unlock check box, so accounts will remain locked until an administrator manually unlocks them. Uncheck the check box to enter a value greater than 0. The default setting specifies 30. |
| Minimum Duration Between Credential Changes | Specify the number of minutes that are required before a user can change credentials again. Enter a number in the range 1-120. Enter 0 to allow a user to change credentials at any time. Uncheck the check box to enter a value greater than 0. The default setting specifies 0. |
| Credential Expires After / Never Expires | Specify the number of days before a credential will expire. Enter a number in the range 1-365. To allow credentials to never expire, enter 0 or check the Never Expires check box. Uncheck the check box to enter a value greater than 0. Use the 0 option for low-security accounts or multiple user accounts, for example. The default setting specifies 180. |
| Minimum Credential Length | Specify the minimum length for user credentials (password or PIN). Do not enter 0 because blank passwords are not allowed. The default setting specifies 8. The minimum setting must equal at least 1. |
| Stored Number of Previous Credentials | Specify the number of previous user credentials to store. This setting prevents a user from configuring a recently used credential that is saved in the user list. Enter a number in the range 0-25. If no previous credentials should be stored, enter 0. The default setting specifies 12. |
| Inactive Days Allowed | Specify the number of days that a password can remain inactive before the account gets locked. Enter a number in the range 0-5000. The default setting specifies 0. |
| Expiry Warning Days | Enter a number in the range 0-90 to specify the number of days before a user password expires to start warning notifications. The default setting specifies 0. |
| Check for Trivial Passwords | Check this check box to require the system to disallow credentials that are easily hacked, such as common words, repeated character patterns, and so on. See Trivial Credential Checks for a list of criteria that a credential must meet when this check box is checked. The default setting checks the check box. |


Deleting a Credential Policy

This section describes how to delete a security policy from the Cisco Unified Communications Manager database.

Before You Begin


Note: You cannot delete a credential policy if it is assigned as the default policy for end user passwords, end user PINs, or application user passwords.


To find out which default policies use the credential policy, choose Dependency Records from the Related Links drop-down list box in the Credential Policy Configuration window and click Go.

If the dependency records feature is not enabled for the system, the dependency records summary window displays a message that shows the action that you can take to enable the dependency records. The message also displays information about high CPU consumption that is related to the dependency records feature. For more information about dependency records, see the "Accessing Dependency Records" section on page A-2.

If you attempt to delete a credential policy that is in use, a message displays. To delete a credential policy that is currently in use, you must either choose a different credential policy for the user or create and assign a new policy, as described in Configuring a Credential Policy.

Procedure


Step 1 Find the credential policy to delete by using the procedure in the "Finding a Credential Policy" section. From the list of records, click the policy that you want to delete.


Note: You can delete entries from the Find and List window by checking the check boxes next to the appropriate entries and clicking the Delete Selected button or the Delete Selected icon. You can delete all entries in the list by clicking the Select All button or the Select All icon and clicking the Delete Selected button or the Delete Selected icon.


Step 2 Click the Delete icon or the Delete button in the Credential Policy Configuration window to delete the policy.

Step 3 When asked to confirm the delete operation, click OK to delete the policy.


Additional Information

See the "Related Topics" section.

Related Topics

Default Credential Policy

Finding a Credential Policy

Configuring a Credential Policy

Credential Policy Configuration Settings

Deleting a Credential Policy

Finding Credential Policy Defaults, page 103-1

Assigning and Configuring Credential Policy Defaults, page 103-2

Credential Policy Default Configuration Settings, page 103-3

Changing an Application User Password, page 105-9

Changing an End User Password, page 106-11

Changing an End User PIN, page 106-12

Managing End User Credential Information, page 106-12

Managing Application User Credential Information, page 105-10

Application Users and End Users, Cisco Unified Communications Manager System Guide

Managing Application User and End User Configuration Checklist, Cisco Unified Communications Manager System Guide

Cisco Unity Messaging Integration, Cisco Unified Communications Manager System Guide

LDAP System Configuration, page 14-1

Directory Number Configuration, page 57-1

CTI Route Point Configuration, page 79-1

Cisco Extension Mobility, Cisco Unified Communications Manager Features and Services Guide