Security Guide for Cisco Unity Release 5.x (With Microsoft Exchange)
Authentication for Cisco Unity Applications
Downloads: This chapterpdf (PDF - 193.0KB) The complete bookPDF (PDF - 2.41MB) | Feedback

Authentication for Cisco Unity Applications

Table Of Contents

Authentication for Cisco Unity Applications

Determining Which Authentication Method to Use for the Cisco Unity Administrator and Status Monitor

How Integrated Windows Authentication Works with the Cisco Unity Administrator and Status Monitor

Advantages and Disadvantages of Using Integrated Windows Authentication with the Cisco Unity Administrator and the Status Monitor

How Anonymous Authentication Works with the Cisco Unity Administrator and Status Monitor

Advantages and Disadvantages of Using Anonymous Authentication with the Cisco Unity Administrator and Status Monitor

Configuring IIS so That the Cisco Unity Administrator and Status Monitor Use Integrated Windows Authentication

Configuring IIS so That the Cisco Unity Administrator and Status Monitor Use Anonymous Authentication

Best Practices for Securing Access to the Cisco Unity Administrator and Status Monitor

Understanding How Cisco Personal Communications Assistant (PCA) Authentication Works

Best Practices for Securing Access to the Cisco PCA

Determining Whether to Offer Enhanced Phone Security

Configuring the Cisco Unity Conversation to Use Enhanced Phone Security


Authentication for Cisco Unity Applications


Each Cisco Unity application has its own way of authenticating user credentials. Understanding the methods that each application uses is an important step in securing Cisco Unity subscriber data and messages from unauthorized access. In this chapter, you will find descriptions of potential security issues related to the authentication methods used by the Cisco Unity Administrator, the Status Monitor, the Cisco Personal Communications Assistant (PCA) and the Cisco Unity conversation (the "TUI"). When you understand how authentication works for each application, you will be better prepared to decide:

Whether to use Integrated Windows authentication or Anonymous authentication for the Cisco Unity Administrator and the Status Monitor.

Whether to configure the Cisco PCA to use SSL to secure client/server connections.

Whether to configure the Cisco Unity conversation for enhanced phone security, which uses a secure logon method known as two-factor user authentication.

For information that will help you make your decisions and guide you through any actions you need to take, see the following sections:

Determining Which Authentication Method to Use for the Cisco Unity Administrator and Status Monitor

Configuring IIS so That the Cisco Unity Administrator and Status Monitor Use Integrated Windows Authentication

Configuring IIS so That the Cisco Unity Administrator and Status Monitor Use Anonymous Authentication

Best Practices for Securing Access to the Cisco Unity Administrator and Status Monitor

Understanding How Cisco Personal Communications Assistant (PCA) Authentication Works

Best Practices for Securing Access to the Cisco PCA

Determining Whether to Offer Enhanced Phone Security

Configuring the Cisco Unity Conversation to Use Enhanced Phone Security

Determining Which Authentication Method to Use for the Cisco Unity Administrator and Status Monitor

Cisco Unity requires that the identity of the administrator be authenticated by a name and password prior to accessing the Cisco Unity Administrator and the Status Monitor. By default, IIS is configured so that the two applications use the Integrated Windows authentication method (formerly called NTLM or Windows NT Challenge/Response authentication) to authenticate the user name and password. During installation, the installer determines whether to configure IIS so that the Cisco Unity Administrator and the Status Monitor use the Anonymous authentication method instead.

You can change the authentication method that the Cisco Unity Administrator and the Status Monitor use at any time. Before you make a change, do the following tasks:

1. Make sure that you understand how each authentication method works. Review the following sections:

How Integrated Windows Authentication Works with the Cisco Unity Administrator and Status Monitor

How Anonymous Authentication Works with the Cisco Unity Administrator and Status Monitor

2. Evaluate the strengths and weaknesses of Integrated Windows and Anonymous authentication. Refer to the Microsoft website for information. In addition, review the following sections:

Advantages and Disadvantages of Using Integrated Windows Authentication with the Cisco Unity Administrator and the Status Monitor

Advantages and Disadvantages of Using Anonymous Authentication with the Cisco Unity Administrator and Status Monitor

3. Discuss the change with the network administrator to confirm that the method you choose aligns with the existing authentication scheme in your organization, and that it addresses security concerns for your site.

How Integrated Windows Authentication Works with the Cisco Unity Administrator and Status Monitor

When IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication, Cisco Unity does not authenticate the subscriber. Instead, the identity of the subscriber is verified by Windows, as indicated in the steps below. (The same process is also used to authenticate users of the Status Monitor.)

1. A Cisco Unity subscriber starts Internet Explorer and attempts to browse to the Cisco Unity Administrator website.

2. Internet Explorer tries to get the home page for the Cisco Unity Administrator from IIS.

3. IIS indicates that it cannot authenticate the user.

4. When Internet Explorer is configured to prompt for a user name and password, it displays a dialog box and waits for the subscriber to enter the Active Directory account credentials. When the subscriber enters the credentials, Internet Explorer tries to get the Cisco Unity Administrator web page again, but this time, it also sends IIS an encrypted message regarding the Active Directory account (based on the credentials that the subscriber entered in the dialog box).

When Internet Explorer is not configured to prompt for a user name and password, Internet Explorer tries to get the Cisco Unity Administrator web page again, but this time, it also sends IIS an encrypted message regarding the Active Directory account (based on the credentials that the subscriber had previously entered to log on to Windows).

In neither scenario is the user password—or any representation of the password—sent across the network, because authentication relies on Windows challenge/response.

5. If Windows can confirm the identity of the Active Directory user, IIS sends the user and domain name to Cisco Unity, and the process continues with Step 6.

If Windows cannot validate the identity of the Active Directory user (as would be the case if the subscriber logged on to an untrusted domain), Internet Explorer prompts the subscriber for a user name and password. Once again, the credentials are not sent across the network; instead, Internet Explorer sends IIS an encrypted message regarding the Active Directory account based on the credentials that are entered in the dialog box.

If authentication occurs, the process continues with Step 6. However, if Windows still cannot authenticate the user, Internet Explorer displays a message indicating that access to the website is denied because the domain account is unknown.

6. Cisco Unity checks to see that there is a subscriber account associated with the Active Directory account used to authenticate the subscriber, and that the subscriber account has COS rights to access the Cisco Unity Administrator.

If the subscriber account exists and it has the proper COS rights, Cisco Unity presents the first page of the Cisco Unity Administrator website, which is displayed in the browser.

If the subscriber account does not exist or does not have the proper COS rights, Cisco Unity presents a web page indicating that the subscriber does not have permission to view the Cisco Unity Administrator website.

Advantages and Disadvantages of Using Integrated Windows Authentication with the Cisco Unity Administrator and the Status Monitor

For a list of advantages and disadvantages associated with using Integrated Windows authentication, see Table 8-1.

Table 8-1 Advantages and Disadvantages of Using Integrated Windows Authentication with the Cisco Unity Administrator and the Status Monitor 

Advantages
Disadvantages

We recommend that you use Integrated Windows authentication with the Cisco Unity Administrator and the Status Monitor.

User credentials are not sent across the network. Instead, Internet Explorer and Windows use a challenge/response mechanism to authenticate the user.

No additional setup is required; Integrated Windows authentication is the default in IIS.

Windows cannot validate the identity of a user when the user is logged on to an untrusted domain, and therefore, denies the user access to the Cisco Unity Administrator. (To mitigate this problem, configure each subscriber browser to prompt for a user name and password, allowing subscribers to enter the applicable credentials for the domain that the Cisco Unity server is in. Alternatively, you can establish trusts across domains.)

When subscribers log on to the Cisco Unity Administrator from another domain, they will be prompted to re-enter their credentials every time that they want to use the phone as a recording and playback device for the Media Master.


How Anonymous Authentication Works with the Cisco Unity Administrator and Status Monitor

When IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication, Cisco Unity authenticates the credentials that subscribers enter on the Cisco Unity Log On page, as indicated in the steps below. (The same process is also used to authenticate users of the Status Monitor.)

1. A Cisco Unity subscriber starts Internet Explorer and attempts to browse to the Cisco Unity Administrator website.

2. Internet Explorer tries to get the home page for the Cisco Unity Administrator from IIS.

3. IIS allows access to Cisco Unity based on the privileges for the IUSR_<Computer name> account. (This is the anonymous account that IIS uses by default for Anonymous authentication.)

4. Cisco Unity presents the Cisco Unity Log On page, which is displayed in the browser.

5. The Log On page prompts subscribers to enter their Active Directory account credentials, as shown in Table 8-2.

Table 8-2 Cisco Unity Log On Page for Windows Credentials 

Field Name
Description

User Name

Subscribers enter the alias for the Active Directory account that is associated with their Cisco Unity subscriber account. (For example, a subscriber can enter tcampbell, or can enter the full path tcampbell@<Domain name>.)

If subscribers enter the full path, they do not need to complete the Domain field.

Password

Subscribers enter the password for their Active Directory account.

Domain

Subscribers enter the name of the domain in which their Active Directory account resides, unless they entered a full path in the User Name field, in which case they leave this field blank.


6. Internet Explorer sends the credentials—in clear text—to Cisco Unity. (To mitigate this security risk, you can set up Cisco Unity to use SSL.)

7. Cisco Unity requests authentication of the credentials from Windows.

8. If Cisco Unity can authenticate the Windows credentials, Cisco Unity then confirms that there is a subscriber account associated with the Active Directory account used to authenticate the subscriber, and that the subscriber account has the proper COS rights. If the subscriber account exists and it has the proper COS rights, Cisco Unity presents the first page of the Cisco Unity Administrator website, which is displayed in the browser.

If the Windows credentials cannot be authenticated, or if the subscriber account does not exist or does not have the proper COS rights, Cisco Unity presents a web page indicating that the subscriber does not have permission to view the Cisco Unity Administrator website.

Advantages and Disadvantages of Using Anonymous Authentication with the Cisco Unity Administrator and Status Monitor

For a list of advantages and disadvantages associated with using Anonymous authentication, see Table 8-3.

Table 8-3 Advantages and Disadvantages of Using Anonymous Authentication with the Cisco Unity Administrator and the Status Monitor 

Advantages
Disadvantages

You do not need to configure each subscriber browser to prompt for a user name and password, nor do you need to establish trusts across domains. When subscribers log on to the Cisco Unity Administrator from another domain, they can enter the applicable credentials on the Cisco Unity Log On page for the domain that the Cisco Unity server is in.

When subscribers log on to the Cisco Unity Administrator from another domain, they are not prompted to re-enter their credentials each time that they want to use the phone as a recording and playback device for the Media Master.

We recommend that you use Integrated Windows authentication with the Cisco Unity Administrator and the Status Monitor.

When a subscriber enters credentials on the Cisco Unity Log On page, the credentials are sent across the network in clear text. (To solve this problem, you can set up Cisco Unity to use SSL.)

You must configure the system to use Anonymous authentication; Integrated Windows authentication is the IIS default.


Configuring IIS so That the Cisco Unity Administrator and Status Monitor Use Integrated Windows Authentication

Do the applicable procedure to configure IIS so that the Cisco Unity Administrator and Status Monitor use the Integrated Windows authentication method (which is the default):

To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Integrated Windows Authentication (Windows Server 2003)

To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Integrated Windows Authentication (Windows 2000 Server)

To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Integrated Windows Authentication (Windows Server 2003)


Step 1 On the Windows Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.

Step 2 In the left pane of Internet Information Services (IIS) Manager, expand Web Sites > Default Web Site.

Step 3 Right-click SAWeb, and click Properties.

Step 4 In the SaWeb Properties dialog box, click the Directory Security tab.

Step 5 In the Authentication and Access Control section, click Edit.

Step 6 In the Authentication Methods dialog box, uncheck the Enable Anonymous Access check box.

Step 7 Check the Integrated Windows Authentication check box.

Step 8 Click OK to close the Authentication Methods dialog box.

Step 9 Click OK to close the SaWeb Properties dialog box.

Step 10 Repeat Step 3 through Step 9 for the following virtual directories:

Status

StatusXml

Web


To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Integrated Windows Authentication (Windows 2000 Server)


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 In the Internet Information Services window, double-click <System-name> to expand it.

Step 3 Under Default Web Site, right-click Web, and click Properties.

Step 4 In the Web Properties dialog box, set the authentication method:

a. Click the Directory Security tab.

b. Under Anonymous Access and Authentication Control, click Edit.

c. In the Authentication Methods dialog box, uncheck the Anonymous Access check box.

d. Check the Integrated Windows Authentication check box.

e. Click OK to close the Authentication Methods dialog box.

f. Click OK to close the Web Properties dialog box.

Step 5 Under Default Web Site, right-click SAWeb, and click Properties.

Step 6 Repeat Step 4 to set the authentication method for SAWeb.

Step 7 Under Default Web Site, right-click Status, and click Properties.

Step 8 Repeat Step 4 to set the authentication method for Status.

Step 9 Under Default Web Site, click AvXML.

Step 10 In the AvXML directory, right-click AvXML.dll, and click Properties.

Step 11 Repeat Step 4 to set the authentication method for AvXML.

Step 12 Close the Internet Information Services window.


Configuring IIS so That the Cisco Unity Administrator and Status Monitor Use Anonymous Authentication

Do the applicable procedure to configure IIS so that the Cisco Unity Administrator and Status Monitor use the Anonymous authentication method:

To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Anonymous Authentication (Windows Server 2003)

To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Anonymous Authentication (Windows 2000 Server)

To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Anonymous Authentication (Windows Server 2003)


Step 1 On the Windows Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.

Step 2 In the left pane, right-click Application Pools, and click Properties.

Step 3 In the Application Pools Properties dialog box, click the Identity tab.

Step 4 In the Predefined list, click Local System.

Step 5 Click OK to close the Application Pools Properties dialog box.

Step 6 In the IIS Manager message box, click Yes to confirm that you want to run this application pool as Local System.

Step 7 In the left pane of Internet Information Services (IIS) Manager, expand Web Sites > Default Web Site.

Step 8 Right-click SAWeb, and click Properties.

Step 9 In the SaWeb Properties dialog box, click the Directory Security tab.

Step 10 In the Authentication and Access Control section, click Edit.

Step 11 In the Authentication Methods dialog box, check the Enable Anonymous Access check box.

Step 12 Uncheck the Integrated Windows Authentication check box.

Step 13 Click OK to close the Authentication Methods dialog box.

Step 14 Click OK to close the SaWeb Properties dialog box.

Step 15 Repeat Step 8 through Step 14 for the following virtual directories:

Status

StatusXml

Web


To Configure IIS so That the Cisco Unity Administrator and Status Monitor Use Anonymous Authentication (Windows 2000 Server)


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 In the Internet Information Services window, double-click <System-name> to expand it.

Step 3 Under Default Web Site, right-click Web, and click Properties.

Step 4 In the Properties dialog box, set the authentication method for the Web directory:

a. Click the Directory Security tab.

b. Under Anonymous Access and Authentication Control, click Edit.

c. In the Authentication Methods dialog box, check the Anonymous Access check box.

d. Uncheck the Integrated Windows Authentication check box.

e. Click OK to close the Authentication Methods dialog box.

f. Click OK to close the Properties dialog box.

Step 5 Under Default Web Site, right-click SAWeb, and click Properties.

Step 6 Repeat Step 4 to set the authentication method for the SAWeb directory.

Step 7 Under Default Web Site, right-click Status, and click Properties.

Step 8 Repeat Step 4 to set the authentication method for the Status directory.

Step 9 Under Default Web Site, click AvXML.

Step 10 In the AvXML directory, right-click AvXML.dll, and click Properties.

Step 11 Repeat Step 4 to set the authentication method for AvXML.dll.

Step 12 Close the Internet Information Services window.


Best Practices for Securing Access to the Cisco Unity Administrator and Status Monitor

Once you have determined which authentication method you want to use with the Cisco Unity Administrator and the Status Monitor, consider implementing the following best practices to further prevent unauthorized access to subscriber and system data.

Best Practice: Always Prompt for a Name and Password (Integrated Windows Authentication)

When the Cisco Unity Administrator uses the Integrated Windows authentication method, it is possible to configure your system so that you are not prompted for a name and password when you access the Cisco Unity Administrator. This is the case when Internet Explorer is not configured to prompt for a user name and password, and administrators log on to Windows in a trusted domain by using either the administration account or an applicable Active Directory account. As a best practice, configure the browser to prompt for a user name and password, or lock the workstation when it is unattended.

Best Practice: Do Not Send User Credentials in Clear Text (Anonymous Authentication Only)

By default, when subscribers log on to the Cisco Unity Administrator and the Status Monitor, their user credentials are sent across the network to Cisco Unity in clear text. The information that a subscriber enters on the Cisco Unity Administrator pages is also not encrypted. For increased security, set up Cisco Unity to use SSL. See the "Using SSL to Secure Client/Server Connections" chapter.

Best Practice: Require Administrators to Enter User Credentials (Anonymous Authentication Only)

When the Cisco Unity Administrator is set up to use Anonymous authentication, you can use the settings on the Authentication page in the Cisco Unity Administrator to specify whether the Log On page offers the following options:

Remember User Name

Remember Password

Remember Domain

When you specify that Cisco Unity remember the user name, password, or domain, subscribers will not have to enter them the next time that they log on to the Cisco Unity Administrator. Instead, the fields are automatically populated in the Log On page and the credentials are stored as encrypted cookies on the subscriber workstation.

For security reasons, the Log On page by default does not offer subscribers the above options; your organization may want to keep it that way.

Best Practice: Review the Account Policy

Review the account policy that applies when subscribers use the Cisco Unity Administrator and the Status Monitor to verify that the following items are defined appropriately:

What happens when users attempt to log on and repeatedly enter incorrect passwords

How many failed logon attempts are allowed before the user account cannot be used to access the Cisco Unity Administrator and Status Monitor

The length of time that a user remains locked out

Depending on your authentication method, the account policy may be set in Windows or in the Cisco Unity Administrator. See the "Defining Account Policies for Accessing the Cisco Unity Administrator" section on page 9-7 for more information and recommended settings.

Best Practice: Limit How Long the Browser Can Be Left Unattended

The length of time that the browser can be left unattended before Cisco Unity automatically logs you off is governed by the Session Timeout limit, as specified in Internet Information Services (IIS). When the browser session times out, you must refresh the browser and log on to the Cisco Unity Administrator again.

Depending on the authentication method used by the Cisco Unity Administrator, you set the timeout value for IIS as follows:

When the Cisco Unity Administrator uses the Anonymous authentication method, you can set the session timeout value for IIS in the Cisco Unity Administrator.

When the Cisco Unity Administrator uses the Integrated Windows authentication method, you must set session limits directly in IIS.

Understanding How Cisco Personal Communications Assistant (PCA) Authentication Works

Cisco Unity offers application-level authentication to allow subscribers to access the Cisco Personal Communications Assistant (PCA). This means that IIS is configured so that the Cisco PCA uses Anonymous authentication, and therefore Cisco Unity authenticates the credentials that subscribers enter when they log on to the Cisco PCA. Note that unlike the Cisco Unity Administrator, you cannot change the authentication method used by the Cisco PCA.

Cisco Unity authenticates the credentials that subscribers enter on the Cisco Unity Log On page, as follows:

1. A Cisco Unity subscriber starts Internet Explorer and attempts to browse to the Cisco PCA website.

2. Internet Explorer tries to get the home page for the Cisco PCA from IIS.

3. IIS allows access to Cisco Unity based on the privileges for the IUSR_<Computer name> account. (This is the anonymous account that by default IIS uses for Anonymous authentication.)

4. Cisco Unity presents the Cisco Unity Log On page, which is displayed in the browser.

5. The Log On page prompts subscribers to enter their Active Directory account credentials, as shown in Table 8-4.

Table 8-4 Cisco Unity Log On Page for Windows Credentials 

Field Name
Description

User Name

Subscribers enter the alias for the Active Directory account that is associated with their Cisco Unity subscriber account. (For example, a subscriber can enter tcampbell, or can enter the full path tcampbell@<domain name>.)

If subscribers enter the full path, they do not need to complete the Domain field.

Password

Subscribers enter the password for their Active Directory account.

Domain

Subscribers enter the name of the domain in which their Active Directory account resides, unless they entered a full path in the User Name field, in which case they leave this field blank.


6. Internet Explorer sends the credentials—in clear text—to Cisco Unity. (To mitigate this security risk, you can set up Cisco Unity to use SSL.)

7. Cisco Unity requests authentication of the credentials from Active Directory.

8. If Cisco Unity can authenticate the Active Directory credentials, Cisco Unity then confirms that there is a subscriber account associated with the Active Directory account used to authenticate the subscriber and that the subscriber account has the proper COS rights. If the subscriber account exists and it has the proper COS rights, Cisco Unity presents the first page of the Cisco PCA website, which is displayed in the browser.

If the Active Directory credentials cannot be authenticated, or if the subscriber account does not exist or does not have the proper COS rights, Cisco Unity presents a web page that indicates that the subscriber does not have permission to view the Cisco PCA website.

Best Practices for Securing Access to the Cisco PCA

To help prevent unauthorized access to subscriber data and messages via the Cisco PCA, consider implementing the following best practices.

Best Practice: Do Not Send User Credentials in Clear Text

By default, when subscribers log on to the Cisco PCA, their user credentials are sent across the network to Cisco Unity in clear text. The information that a subscriber enters on the Cisco PCA pages is also not encrypted. For increased security, set up Cisco Unity to use SSL. See the "Using SSL to Secure Client/Server Connections" chapter.

Best Practice: Require Subscribers to Enter User Credentials

You can use the settings on the Authentication page in the Cisco Unity Administrator to specify whether the Cisco PCA Log On page offers the following options:

Remember User Name

Remember Password

Remember Domain

When you specify that Cisco Unity remember the user name, password, or domain, subscribers will not have to enter them the next time that they log on to the Cisco PCA. Instead, the fields are automatically populated on the Log On page and the credentials are stored as encrypted cookies on the subscriber workstation. By default, the Log On page does not offer subscribers the above options, and for security reasons, your organization may want to keep it that way. However, note that by doing so, you also prevent the options from appearing on the Cisco PCA Log On page. By not allowing subscribers who use the Cisco PCA to specify whether Cisco Unity remembers their credentials, you may increase support desk requests for the information.

Best Practice: Review the Account Policy

Review the account policy that applies when subscribers use the Cisco PCA to verify that the following items are defined appropriately:

Whether subscribers can use blank passwords

What happens when subscribers attempt to log on and repeatedly enter incorrect passwords

How many failed logon attempts are allowed before the subscriber account cannot be used to access the Cisco PCA

The length of time that a subscriber remains locked out

See the "Defining Account Policies for Accessing the Cisco PCA" section on page 9-7 for more information and recommended settings.

Best Practice: Prevent the Browser From Displaying a Security Alert

If your organization set up Cisco Unity to use SSL, but did not add it to the Group Policy in order to distribute the certificate to the trusted root store for all users in the domain (or did not tell subscribers how to add the certificate to the trusted root store on their own computers), subscribers may be concerned about the security alert that will be displayed each time that they access the Cisco PCA. Tell subscribers that they can ignore the warning and proceed to use the Cisco PCA without doing any harm to their computers or the network.

To prevent the browser from displaying the security alert, see the "Distributing the Root Certificate to the Trusted Root Store" section on page 10-7.s

Determining Whether to Offer Enhanced Phone Security

You can set up Cisco Unity so that subscribers must use a secure logon method known as two-factor user authentication (which is the industry standard) to access the Cisco Unity conversation or "TUI." Cisco Unity works with the RSA SecurID system to provide this method of enhanced phone security.

The RSA SecurID system is made up of three major components: RSA SecurID authenticators, the RSA ACE/Server, and the RSA ACE/Agent.

With the RSA SecurID system, each Cisco Unity subscriber is assigned an RSA SecurID authenticator. (RSA offers authenticators in the form of hardware, software, and smart cards.) Every 60 seconds, the authenticator generates and displays a new, unpredictable number—known as a secure ID or tokencode—that is unique to the subscriber. Each subscriber who has authenticator must have a user account on the ACE/Server. A user account contains the RSA alias and PIN, and information about the user authenticator. By using the information in a user account, the ACE/Server generates the same secure ID as the user authenticator.

When logging on to Cisco Unity over the phone, subscribers enter their Cisco Unity ID (often, their extension) as usual. Then, instead of a password, subscribers enter a passcode, which is a number that combines the subscriber PIN and the secure ID displayed on the subscriber authenticator. Cisco Unity uses the ID to look up the user RSA alias and sends the RSA alias and passcode to the ACE/Agent installed on the Cisco Unity server. The ACE/Agent encrypts the RSA alias and passcode and sends it to the ACE/Server. The ACE/Server looks up the user account, then validates the passcode by using the information stored in the account. The ACE/Server returns a code to the ACE/Agent, which in turn passes it along to Cisco Unity. Return code meanings are shown in Table 8-5.

Table 8-5 ACE/Server Return Codes 

Return Code
Meaning

Passcode accepted

Cisco Unity allows subscriber to log on.

Access denied

Cisco Unity prompts the subscriber to enter the passcode again. (This return code can also indicate that the ACE/Server is unavailable.)

Secure ID expired

Cisco Unity prompts the subscriber to enter the next secure ID displayed on the authenticator.

New PIN needed

Cisco Unity prompts the subscriber to enter a new PIN.

Note that unless subscribers have pre-assigned PINs, the first time that they log on to Cisco Unity by phone, they will need to enter secure IDs instead of passcodes. (The same is true when subscribers log on to Cisco Unity after a PIN has been cleared in the RSA Database Administrator.) The conversation then guides subscribers through the process of creating new PIN.


Configuring the Cisco Unity Conversation to Use Enhanced Phone Security

Configuring the Cisco Unity conversation to use enhanced phone security essentially requires that you first install and configure an ACE/Server to communicate with the Cisco Unity servers at your site, and then assign the applicable subscribers to a class of service that offers enhanced phone security. You must restart the Cisco Unity server(s) during the configuration process.

Use the following procedure at any time. If you have an existing ACE/Server, skip the steps below that do not apply. See the RSA documentation for information on setting up the ACE/Server and ACE/Agent and for creating and maintaining user accounts.


Note The RSA SecurID system is not available for subscribers who use the Cisco Unity Greetings Administrator.


To Configure Cisco Unity to Use Enhanced Phone Security


Step 1 Install and configure the ACE/Server. Install only the Local Access Authentication (Client) and the Control Panel Applet components. Do not install the Web Access Authentication (Server) component.

Step 2 On the ACE/Server, use the RSA Database Administrator program to create the applicable user accounts.

Note that when specifying settings for PIN assignments, indicate user-created PINs only. Cisco Unity does not support system-generated PINs.

Step 3 Create a group that includes all the users who will use enhanced phone security on Cisco Unity.

Step 4 Create an Agent Host for each Cisco Unity server that you want to use enhanced phone security (required on both the primary and secondary server when failover will be used).

Step 5 Specify Communications Server as the Agent Host type.

Step 6 Add the group you created in Step 3 to the Group Activation section of the new client.

Step 7 On the Cisco Unity server, install and configure the ACE/Agent to work with the Agent Host(s) you created on the ACE/Server.

Step 8 Use the ACE/Agent Test Authentication utility to authenticate a user with the ACE/Server. If you cannot authenticate the user with the test program, troubleshoot the ACE client/server connection. If you are using failover, also test in a manual failover condition.

Step 9 In the Cisco Unity Administrator, go to the System > Configuration > Settings page and check the RSA Two Factor check box.

Step 10 Log off of the Cisco Unity Administrator.

Step 11 Shut down and restart the Cisco Unity server.

Step 12 In the Cisco Unity Administrator, create a new class of service (COS) or modify an existing COS for the subscribers who are using enhanced phone security.

Step 13 On the Subscribers > Class of Service > Profile page of the applicable COS, in the Phone Security section, click Enhanced Security.

Step 14 Assign subscribers to the enhanced phone security COS.

Step 15 If the RSA alias for the subscriber is something other than the subscriber Exchange alias, go to the subscriber Profile page and enter the RSA alias in the Enhanced Security User Alias box.

Step 16 As applicable, repeat Step 7 through Step 11 for each Cisco Unity server at your site.

Step 17 Distribute the RSA authenticators to the applicable subscribers.