Cisco Unified Communications Manager Administration Guide, Release 8.0(2)
Credential Policy Configuration

This chapter describes how to configure credential policies. See the "Related Topics" section for more information about assigning credential policies. The following topics contain information about configuring credential policies:

Credential Policy Configuration Settings

Finding a Credential Policy

Configuring a Credential Policy

Deleting a Credential Policy

Related Topics

Credential Policy Configuration Settings

The Credential Policy Configuration window in Cisco Unified Communications Manager Administration allows you to configure credential policies to secure user accounts.

A policy comprises a set of rules that controls access to a system or network resource. A credential policy defines password requirements and account lockouts for user accounts. Credential policies that are assigned to user accounts control the authentication process in Cisco Unified Communications Manager. After you add a credential policy, you can assign the new policy as the default policy for a credential type or to an individual application or end user.

At installation, Cisco Unified Communications Manager assigns a static credential policy to end user PINs and to application and end user passwords. The policy contains settings for failed logon resets, lockout durations, expiration periods, and credential requirements. The Credential Policy Configuration window allows you to configure new credential policies for your system or site. You cannot change the static policy.

Table 111-1 describes the credential policy configuration settings. See the "Related Topics" section for related information and procedures.

Before You Begin

The system provides trivial credential checks to disallow credentials that are easily hacked. You enable trivial credential checks by checking the Check for Trivial Passwords check box in the Credential Policy Configuration window.

Passwords can contain any alphanumeric ASCII character and all ASCII special characters. A non-trivial password meets the following criteria:

Must contain three of the four allowable characteristics: uppercase character, lowercase character, number, symbol.

Must not use a character or number more than three times consecutively.

Must not repeat or include the alias, username, or extension.

Cannot consist of consecutive characters or numbers (for example, passwords such as 654321 or ABCDEFG).

PINs can contain digits (0-9) only. A non-trivial PIN meets the following criteria:

Must not use the same number more than two times consecutively.

Must not repeat or include the user extension or mailbox or the reverse of the user extension or mailbox.

Must contain three different numbers; for example, a PIN such as 121212 is trivial.

Must not match the numeric representation (that is, dial by name) for the first or last name of the user.

Must not contain groups of repeated digits, such as 408408, or patterns that are dialed in a straight line on a keypad, such as 2580, 159, or 753.
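
The password and PIN criteria above can be expressed as a checker for auditing candidate credentials before they are provisioned. This is an added example, not Cisco's implementation. The function names, the substring reading of "contain", the use of one extension argument for either the extension or the mailbox, and the keypad lines other than 2580, 159, and 753 are assumptions.

```python
import re

KEYPAD = {c: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for c in letters}
# Assumption: "straight line on a keypad" means the rows, columns (the middle
# one running on to 0) and diagonals of a phone keypad, in either direction.
LINES = ["123", "456", "789", "147", "2580", "369", "159", "357"]

def is_run(s):
    """True if every character is exactly +1 or -1 from the previous one."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 1 and steps in ({1}, {-1})

def password_problems(pw, identifiers=()):
    """Return the documented password criteria that `pw` fails."""
    problems = []
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    if re.search(r"(.)\1{3}", pw):
        problems.append("character used more than three times consecutively")
    if any(i and i.lower() in pw.lower() for i in identifiers):
        problems.append("contains alias, username, or extension")
    if is_run(pw):  # whole password is one sequence, e.g. 654321 or ABCDEFG
        problems.append("consecutive characters or numbers")
    return problems

def pin_problems(pin, extension="", first="", last=""):
    """Return the documented PIN criteria that `pin` fails."""
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not digits only"]
    problems = []
    if re.search(r"(\d)\1{2}", pin):
        problems.append("same number more than two times consecutively")
    if extension and (extension in pin or extension[::-1] in pin):
        problems.append("contains extension or its reverse")
    if len(set(pin)) < 3:
        problems.append("fewer than three different numbers")
    names = {"".join(KEYPAD.get(c, "") for c in n.lower()) for n in (first, last) if n}
    if pin in names:
        problems.append("matches dial-by-name digits")
    if re.fullmatch(r"(\d+)\1+", pin):  # e.g. 408408
        problems.append("repeated group of digits")
    if any(line in pin or line[::-1] in pin for line in LINES):
        problems.append("keypad straight-line pattern")
    return problems
```

An empty list means the credential passes every check modeled here; the checks do not cover common-word detection, which the Check for Trivial Passwords setting also mentions.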

Table 111-1 Credential Policy Configuration Settings 

Field
Description

Display Name

Specify the credential policy name.

Enter up to 64 characters, except for quotation marks. Do not enter tab.

Failed Logon / No Limit for Failed Logons

Specify the number of allowed failed logon attempts. When this threshold is reached, the system locks the account.

Enter a number in the range 1-100. To allow unlimited failed logons, enter 0 or check the No Limit for Failed Logons check box. Uncheck the check box to enter a value greater than 0. The default setting specifies 3.

Reset Failed Logon Attempts Every

Specify the number of minutes before the counter is reset for failed logon attempts. After the counter resets, the user can try logging in again.

Enter a number in the range 1-120. The default setting specifies 30.

Lockout Duration / Administrator Must Unlock

Specify the number of minutes an account remains locked when the number of failed logon attempts exceeds the specified threshold.

Enter a number in the range 1-1440. To keep accounts locked until an administrator manually unlocks them, enter 0 or check the Administrator Must Unlock check box. Uncheck the check box to enter a value greater than 0. The default setting specifies 30.

Minimum Duration Between Credential Changes

Specify the number of minutes that are required before a user can change credentials again.

Enter 0 to allow a user to change credentials at any time. Uncheck the check box to enter a value greater than 0. The default setting specifies 0.

Credential Expires After / Never Expires

Specify the number of days before a credential will expire.

Enter a number in the range 1-365. To allow credentials to never expire, enter 0 or check the Never Expires check box. Uncheck the check box to enter a value greater than 0. Use the 0 option for low-security accounts or multiple user accounts, for example. The default setting specifies 180.

Minimum Credential Length

Specify the minimum length for user credentials (password or PIN).

Do not enter 0 because blank passwords are not allowed. The default setting specifies 8. The minimum setting must equal at least 1.

Stored Number of Previous Credentials

Specify the number of previous user credentials to store. This setting prevents a user from configuring a recently used credential that is saved in the user list.

Enter a number in the range 0-25. If no previous credentials should be stored, enter 0. The default setting specifies 12.

Inactive Days Allowed

Specify the number of days that a password can remain inactive before the account gets locked.

Enter a number in the range 0-5000. The default setting specifies 0.

Expiry Warning Days

Enter a number in the range 0-90 to specify the number of days before a user password expires to start warning notifications. The default setting specifies 0.

Check for Trivial Passwords

Check this check box to require the system to disallow credentials that are easily hacked, such as common words, repeated character patterns, and so on.

The default setting checks the check box.


Finding a Credential Policy

This section describes how to find or review existing credential policies.


Step 1 Choose User Management > Credential Policy.

The Find and List Credential Policies window displays.

Step 2 Click the list item to display.

The window displays the credential policy that you choose.


Additional Information

See the "Related Topics" section.

Configuring a Credential Policy

This section describes how to create a new credential policy or modify an existing credential policy. You cannot modify the system Default Credential Policy.

Procedure


Step 1 Choose User Management > Credential Policy.

The Find and List window displays.

Step 2 Perform one of the following tasks:

To add a new policy, click the Add New button or Add New icon in the Find window OR display a credential policy from the list and click the Copy or Add New button or icon. When you click Add New, the Credential Policy Configuration window displays with the default settings for each field. When you click Copy, the Credential Policy Configuration window displays with the settings from the displayed policy. Continue with Step 3.

To update an existing entry, click the policy to change. The Credential Policy Configuration window displays with the current settings. Continue with Step 3.

Step 3 Enter the appropriate settings as described in Table 111-1.

Step 4 Click the Save button or the Save icon.


Next Steps

To assign the new credential policy as a default policy for a credential type, follow the procedure described in the "Assigning and Configuring Credential Policy Defaults" section on page 110-3.

To assign the new credential policy to individual users, follow the procedures described in the "Managing Application User Credential Information" section on page 112-9 and the "Managing End User Credential Information" section on page 113-12.

Additional Information

See the "Related Topics" section.

Deleting a Credential Policy

This section describes how to delete a credential policy from the Cisco Unified Communications Manager database.

Before You Begin


Note You cannot delete a credential policy if it is assigned as the default policy for end user passwords, end user PINs, or application user passwords.


To find out which default policies use the credential policy, choose Dependency Records from the Related Links drop-down list box in the Credential Policy Configuration window and click Go.

If the dependency records feature is not enabled for the system, the dependency records summary window displays a message that shows the action that you can take to enable the dependency records. The message also displays information about high CPU consumption that is related to the dependency records feature. For more information about dependency records, see the "Accessing Dependency Records" section on page A-2.

If you attempt to delete a credential policy that is in use, a message displays. To delete a credential policy that is currently in use, you must either choose a different credential policy for the user or create and assign a new policy, as described in the "Configuring a Credential Policy" section.

Procedure


Step 1 Find the credential policy to delete by using the procedure in the "Finding a Credential Policy" section. From the list of records, click the policy that you want to delete.


Note You can delete entries from the Find and List window by checking the check boxes next to the appropriate entries and clicking the Delete Selected button or the Delete Selected icon. You can delete all entries in the list by clicking the Select All button or the Select All icon and clicking the Delete Selected button or the Delete Selected icon.


Step 2 Click the Delete icon or the Delete button in the Credential Policy Configuration window to delete the policy.

Step 3 When asked to confirm the delete operation, click OK to delete the policy.


Additional Information

See the "Related Topics" section.

Related Topics

Credential Policy Configuration Settings

Finding a Credential Policy

Configuring a Credential Policy

Deleting a Credential Policy

Finding Credential Policy Defaults, page 110-2

Assigning and Configuring Credential Policy Defaults, page 110-3

Credential Policy Default Configuration Settings, page 110-1

Changing an Application User Password, page 112-9

Changing an End User Password, page 113-11

Changing an End User PIN, page 113-11

Managing End User Credential Information, page 113-12

Managing Application User Credential Information, page 112-9

Application Users and End Users, Cisco Unified Communications Manager System Guide

Where to Find More Information, Cisco Unified Communications Manager System Guide

Cisco Unity Messaging Integration, Cisco Unified Communications Manager System Guide

LDAP System Configuration, page 14-1

Directory Number Configuration, page 61-1

CTI Route Point Configuration, page 89-1

Cisco Extension Mobility, Cisco Unified Communications Manager Features and Services Guide