Configuring NTP Servers
During the software postinstallation process, the Network Time Protocol (NTP) server may have been configured. Cisco Unity Express accepts a maximum of three NTP servers. Use this procedure to add or delete NTP servers.
Adding NTP Servers
You can designate an NTP server using its IP address or its hostname.
Cisco Unity Express uses the DNS server to resolve the hostname to an IP address and stores the IP address as an NTP server. If DNS resolves the hostname to more than one IP address, Cisco Unity Express randomly chooses one of the IP addresses that is not already designated as an NTP server.
To configure an NTP server with multiple IP addresses for a hostname, repeat the configuration steps using the same hostname. Each iteration assigns the NTP server to its remaining IP addresses.
SUMMARY STEPS
1. config t
2. ntp server { hostname | ip-address } [ prefer ]
3. exit
4. show ntp status
5. show ntp servers
6. show ntp source
7. show ntp association
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: ntp server { hostname | ip-address } [ prefer ]
Example:
se-10-0-0-0(config)# ntp server 10.0.3.4
se-10-0-0-0(config)# ntp server 10.0.10.20 prefer
Purpose: Specifies the name or IP address of the NTP server. If more than one server is configured, the server with the prefer attribute is used first.
Step 3
Command: exit
Example: se-10-0-0-0(config)# exit
Purpose: Exits configuration mode.
Step 4
Command: show ntp status
Example: se-10-0-0-0# show ntp status
Purpose: Displays the NTP subsystem status.
Step 5
Command: show ntp servers
Example: se-10-0-0-0# show ntp servers
Purpose: Displays a list of Network Time Protocol (NTP) servers and their current states.
Step 6
Command: show ntp source
Example: se-10-0-0-0# show ntp source
Purpose: Displays the time source for a Network Time Protocol (NTP) server.
Step 7
Command: show ntp association
Example: se-10-0-0-0# show ntp association
Purpose: Displays the association identifier and status for all Network Time Protocol (NTP) servers.
Step 8
Command: copy running-config startup-config
Example: se-10-0-0-0# copy running-config startup-config
Purpose: Copies the configuration changes to the startup configuration.
Examples
The following commands configure the NTP server:
se-10-0-0-0(config)# ntp server 10.100.6.9
se-10-0-0-0(config)# exit
The following shows sample output from the show ntp status command:
se-10-0-0-0# show ntp status
NTP reference server 1: 10.100.6.9
Time difference (secs): 3.268110099434328E8
Time jitter (secs): 0.1719226837158203
The following shows sample output from the show ntp servers command:
se-10-0-0-0# show ntp servers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.100.10.65    127.127.7.1      8 u  933 1024  377    0.430   -1.139   0.158
 space reject, x falsetick, . excess, - outlyer
 + candidate, # selected, * sys.peer, o pps.peer
The following shows sample output from the show ntp source command:
se-10-0-0-0# show ntp source
127.0.0.1: stratum 9, offset 0.000015, synch distance 0.03047
10.100.10.65: stratum 8, offset -0.001124, synch distance 0.00003
The following shows sample output from the show ntp association command:
se-10-0-0-0# show ntp associations
ind assID status conf reach auth condition last_event cnt
===========================================================
1 37773 9624 yes yes none sys.peer reachable 2
The following example configures an NTP server with a hostname that points to two IP addresses 172.16.10.1 and 172.16.10.2:
se-10-0-0-0(config)# ntp server NTP.mine.com
se-10-0-0-0(config)# exit
se-10-0-0-0(config)# ntp server NTP.mine.com
se-10-0-0-0(config)# exit
The following shows sample output from the show ntp status command:
se-10-0-0-0# show ntp status
NTP reference server 1: 172.16.10.1
Time difference (secs): 3.268110099434328E8
Time jitter (secs): 0.1719226837158203
NTP reference server 1: 172.16.10.2
Time difference (secs): 3.268110099434328E8
Time jitter (secs): 0.1719226837158203
Removing an NTP Server
Remove an NTP server using its IP address or hostname.
SUMMARY STEPS
1. config t
2. no ntp server { hostname | ip-address }
3. exit
4. show ntp status
5. show ntp configuration
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: no ntp server { hostname | ip-address }
Example:
se-10-0-0-0(config)# no ntp server 10.0.3.4
se-10-0-0-0(config)# no ntp server myhost
Purpose: Specifies the hostname or IP address of the NTP server to remove.
Step 3
Command: exit
Example: se-10-0-0-0(config)# exit
Purpose: Exits configuration mode.
Step 4
Command: show ntp status
Example: se-10-0-0-0# show ntp status
Purpose: Displays the NTP subsystem status.
Step 5
Command: show ntp configuration
Example: se-10-0-0-0# show ntp configuration
Purpose: Displays the configured NTP servers.
Step 6
Command: copy running-config startup-config
Example: se-10-0-0-0# copy running-config startup-config
Purpose: Copies the configuration changes to the startup configuration.
Displaying NTP Server Information
The following commands are available to display NTP server configuration information and status:
- show ntp associations
- show ntp servers
- show ntp source
- show ntp status
The following is sample output for the show ntp associations command:
se-10-0-0-0# show ntp associations
ind assID status conf reach auth condition last_event cnt
===========================================================
1 61253 8000 yes yes none reject
The following is sample output for the show ntp servers command:
se-10-0-0-0# show ntp servers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.100.6.9       0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00
 space reject, x falsetick, . excess, - outlyer
 + candidate, # selected, * sys.peer, o pps.peer
The following is sample output for the show ntp source command:
se-10-0-0-0# show ntp source
192.168.0.1: stratum 16, offset 0.000013, synch distance 8.67201
0.0.0.0: *Not Synchronized*
The following is sample output for the show ntp status command:
se-10-0-0-0# show ntp status
NTP reference server : 10.100.6.9
Time difference (secs): 0.0
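The two show ntp servers samples on this page differ in exactly the fields that tell you whether the module actually has a time source (the tally code, the reach register and stratum 16 for an unsynchronized server). The following parser, added here as an example and not part of Cisco's software, reads those fields from the page's own sample output and reduces them to a single synchronized/not-synchronized answer; the function and dictionary names are this example's own.

```python
"""Check whether a Cisco Unity Express module has a usable time source by
parsing 'show ntp servers' output.

Added example, not Cisco's code. The two samples are the ones shown on this
page; the tally codes follow the legend the command prints.
"""
import re

# Tally code in column 0 of each peer row, as listed in the output legend.
TALLY = {"*": "sys.peer", "+": "candidate", "#": "selected", "o": "pps.peer",
         "x": "falsetick", ".": "excess", "-": "outlyer", " ": "reject"}

# tally, remote, refid, st, t, when, poll, reach, delay, offset, jitter
ROW = re.compile(
    r"^([*+#ox.\- ])?(\S+)\s+(\S+)\s+(\d+)\s+(\S)\s+(\S+)\s+(\d+)\s+(\d+)"
    r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$")

SYNCED_SAMPLE = """se-10-0-0-0# show ntp servers
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.100.10.65 127.127.7.1 8 u 933 1024 377 0.430 -1.139 0.158
 space reject, x falsetick, . excess, - outlyer
 + candidate, # selected, * sys.peer, o pps.peer
"""

UNSYNCED_SAMPLE = """se-10-0-0-0# show ntp servers
remote refid st t when poll reach delay offset jitter
==============================================================================
10.100.6.9 0.0.0.0 16 u - 1024 0 0.000 0.000 4000.00
 space reject, x falsetick, . excess, - outlyer
 + candidate, # selected, * sys.peer, o pps.peer
"""


def parse_ntp_servers(text):
    """Return one dict per peer row; prompt, header, separator and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        tally, remote, refid, st, _t, _when, _poll, reach, _delay, offset, jitter = m.groups()
        tally = tally or " "         # a stripped leading space still means 'reject'
        peers.append({
            "remote": remote,
            "refid": refid,
            "stratum": int(st),      # 16 is NTP's 'unsynchronized' stratum
            "condition": TALLY[tally],
            "reach": int(reach, 8),  # the reach register is printed in octal
            "offset": float(offset),
            "jitter": float(jitter),
        })
    return peers


def time_source_ok(text, max_stratum=15):
    """True only if the module has selected a system peer that is reachable
    and synchronized (stratum below 16). A refid of 0.0.0.0 with reach 0,
    as in the second sample, means the server has never answered."""
    return any(p["condition"] == "sys.peer" and p["reach"] > 0
               and p["stratum"] <= max_stratum
               for p in parse_ntp_servers(text))


if __name__ == "__main__":
    for name, sample in (("synced", SYNCED_SAMPLE), ("unsynced", UNSYNCED_SAMPLE)):
        print(name, parse_ntp_servers(sample), time_source_ok(sample))
```

A module that fails this check is still running on its own clock, so its log and voicemail timestamps cannot be correlated with other systems.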
Configuring Password and PIN Parameters
Cisco Unity Express supports the configuration of the password and personal identification number (PIN) parameters described in the following sections:
- Configuring Password and PIN Length and Expiry Time
- Configuring Enhanced PIN Validation
- Configuring Password and PIN Protection Lockout Modes
- Configuring PIN and Password History
- Displaying Password and PIN System Settings
- Encrypting PINs in Backup Files
Note If you change a Cisco Unified CME user’s password on Cisco Unity Express with Configure --> Users, the password for that user is updated on Cisco Unified CME. However, the reverse is not true: a user password changed on Cisco Unified CME will not be updated to Cisco Unity Express.
Note For instructions on configuring PINless voicemail, see “Configuring PINless Mailbox Access” section.
Configuring Password and PIN Length and Expiry Time
Cisco Unity Express supports configuring the following two attributes of password and PIN:
- Minimum password and PIN length
To support enhanced security procedures, Cisco Unity Express has made the password and PIN length configurable. In releases prior to Cisco Unity Express 10.2, the administrator can configure the length to a value greater than or equal to 3 alphanumeric characters. From Cisco Unity Express Release 10.2 onwards, the administrator can configure the minimum length ranging from 8 through 64 characters. There is no limit on the maximum length. This is a system-wide value, so that all subscribers must have passwords and PINs of at least that many characters. Use the GUI Defaults > User option or the procedure described below to configure this length.
The password length does not have to be equal to the PIN length. The default password length is 8 alphanumeric characters. The maximum PIN length is 16 alphanumeric characters.
To set the password or PIN length to the system default values, use the no or default form of the commands.
Note If the minimum PIN length is increased, existing PINs that do not conform to the new limit will automatically expire. The subscriber must reset the PIN at the next log in to the TUI.
Note The change in the minimum password length range is applicable only when a new user is created or the password of an existing user is updated. It does not apply to passwords that are already in use.
- Password and PIN expiry time
Cisco Unity Express permits the administrator to configure the password and PIN expiry time on a system-wide basis. The expiry time is the time, in days, for which the password and PIN are valid. When this time is reached, the subscriber must enter a new password or PIN.
If this option is not configured, passwords and PINs do not expire.
Use the GUI Defaults > User option or the procedure described below to configure this time.
The password expiry time does not have to equal the PIN expiry time.
The valid range is 3 to 365 days.
To set the password or PIN expiry time to the system default values, use the no or default form of the commands.
SUMMARY STEPS
1. config t
2. security password length min password-length
3. security pin length min pin-length
4. security password expiry days password-days
5. security pin expiry days pin-days
6. exit
DETAILED STEPS
Step 1
Command: config t
Example:
se-10-0-0-0# config t
se-10-0-0-0(config)#
Purpose: Enters configuration mode.
Step 2
Command: security password length min password-length
Example: se-10-0-0-0(config)# security password length min 5
Purpose: Specifies the minimum length of all subscribers’ passwords. The default minimum value is 3; the maximum value is 32. To set the minimum password length to the system default, use the no or default form of this command.
Step 3
Command: security pin length min pin-length
Example: se-10-0-0-0(config)# security pin length min 4
Purpose: Specifies the minimum length of all subscribers’ PINs. The default value is 3; the maximum value is 16. To set the minimum PIN length to the system default, use the no or default form of this command.
Step 4
Command: security password expiry days password-days
Example: se-10-0-0-0(config)# security password expiry days 60
Purpose: Specifies the maximum number of days for which subscribers’ passwords are valid. Valid values range from 3 to 365. If this value is not configured, the passwords will not expire. To set the password expiry time to the system default, use the no or default form of this command.
Step 5
Command: security pin expiry days pin-days
Example: se-10-0-0-0(config)# security pin expiry days 45
Purpose: Specifies the maximum number of days for which subscribers’ PINs are valid. Valid values range from 3 to 365. If this value is not configured, the PINs will not expire. To set the PIN expiry time to the system default, use the no or default form of this command.
Step 6
Command: exit
Example:
se-10-0-0-0(config)# exit
se-10-0-0-0#
Purpose: Exits configuration mode.
Examples
The following example sets the password length to 6 characters, the PIN length to 5 characters, the password expiry time to 60 days, and the PIN expiry time to 45 days.
se-10-0-0-0(config)# security password length min 6
se-10-0-0-0(config)# security pin length min 5
se-10-0-0-0(config)# security password expiry days 60
se-10-0-0-0(config)# security pin expiry days 45
se-10-0-0-0(config)# exit
Configuring Enhanced PIN Validation
Starting in release 8.6.4, you can configure an enhanced PIN validation feature, using the security pin trivialcheck command.
This feature enforces additional validations for a new PIN requested by a user. When the feature is not enabled, a smaller set of validations is enforced.
Validations enforced whether or not PIN trivialcheck is enabled:
- The PIN cannot contain any characters other than the digits 0 to 9.
- The PIN cannot contain fewer digits than the configured minimum PIN length.
- The PIN cannot be longer than the maximum PIN length of 16 digits.
- The previous n PINs cannot be reused if the history depth is set to n.
Additional validations enforced only when PIN trivialcheck is enabled:
- The PIN cannot match the numeric representation of the first or last name of the user.
- The PIN cannot contain the primary or alternate phone extensions of the user.
- The PIN cannot contain the reverse of the primary or alternate phone extensions of the user.
- The PIN cannot contain groups of repeated digits, such as "408408" or "123123."
- The PIN cannot contain only two different digits, such as “121212.”
- A digit cannot be used more than two times consecutively, such as “28883.”
- The PIN cannot be an ascending or descending group of digits, such as “012345” or “987654.”
- The PIN cannot contain a group of numbers that are dialed in a straight line on the keypad when the group of digits equals the minimum credential length that is allowed. For example, if 3 digits are allowed, the user could not use “123,” “456,” or “789” as a PIN.
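The rules above are easy to misread in isolation (for instance, "123" fails both the sequence rule and the keypad-line rule, and "408408" passes when trivialcheck is off). The following validator, added here as an example and not Cisco's code, implements the two rule sets with the trivialcheck switch deciding which applies; the complete keypad-line set, the letter-to-digit mapping and every name in it are this example's own assumptions.

```python
"""Model of the PIN validations in the table above, with the trivialcheck
switch deciding which set applies.

Added example, not Cisco's code: the rule set follows the page's table; the
full keypad-line set, the letter-to-digit mapping and all names here are
this example's own assumptions.
"""
import re

# Letters to keypad digits, used for the 'numeric representation' of a name.
KEYPAD = {c: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for c in letters}
# Straight lines on a phone keypad: rows, columns (0 sits under 8) and diagonals.
# The page names only 123, 456 and 789; the rest is this example's assumption.
KEYPAD_LINES = ["123", "456", "789", "147", "2580", "369", "159", "357"]


def name_to_digits(name):
    """Keypad spelling of a name, e.g. 'Green' -> '47336'."""
    return "".join(KEYPAD.get(c, "") for c in name.lower())


def keypad_runs(length):
    """All keypad straight-line groups of exactly `length` digits, both directions."""
    runs = set()
    for line in KEYPAD_LINES:
        for s in (line, line[::-1]):
            runs.update(s[i:i + length] for i in range(len(s) - length + 1))
    return runs


def validate_pin(pin, min_len, history=(), first="", last="", extensions=(),
                 trivialcheck=True):
    """Return the names of the rules a proposed PIN violates ([] means accepted)."""
    violations = []
    # Baseline rules: enforced whether or not trivialcheck is enabled.
    if not pin.isdigit():
        violations.append("digits-only")
    if len(pin) < min_len:
        violations.append("min-length")
    if len(pin) > 16:
        violations.append("max-length")
    if pin in history:                      # history depth n keeps the last n PINs
        violations.append("history")
    if not trivialcheck or not pin.isdigit():
        return violations
    # Additional rules: enforced only with 'security pin trivialcheck'.
    if pin in (name_to_digits(first), name_to_digits(last)):
        violations.append("name")
    for ext in filter(None, extensions):
        if ext in pin:
            violations.append("extension")
        if ext[::-1] in pin:
            violations.append("reverse-extension")
    if re.search(r"(\d{2,})\1", pin):       # "408408", "123123"
        violations.append("repeated-group")
    if len(set(pin)) <= 2:                  # "121212"
        violations.append("two-digits")
    if re.search(r"(\d)\1\1", pin):         # "28883"
        violations.append("triple-consecutive")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                # "012345", "987654"
        violations.append("sequence")
    runs = keypad_runs(min_len)             # applies to groups of exactly min_len digits
    if any(pin[i:i + min_len] in runs for i in range(len(pin) - min_len + 1)):
        violations.append("keypad-line")
    return violations
```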
Prerequisites
Cisco Unity Express 8.6.4 or a later version.
Required Data for This Procedure
None.
SUMMARY STEPS
1. config t
2. security pin trivialcheck
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: security pin trivialcheck
Example: se-10-0-0-0(config)# security pin trivialcheck
Purpose: Enables the PIN trivial check validation feature.
Configuring Password and PIN Protection Lockout Modes
Starting in release 3.0, you can use both temporary and permanent lockout for passwords and PINs to help prevent security breaches.
For permanent lockout mode, the user’s account is permanently locked after a specified number of incorrect passwords or PINs are entered. After the account is locked, only the administrator can unlock it and reset the password.
For temporary lockout mode, the user’s account is temporarily locked after a specified number of initial incorrect passwords or PINs are entered. This lockout lasts for a specified amount of time. If the maximum number of incorrect passwords or PINs is exceeded for a second time, the account is locked for twice the specified amount of time. The lockout time continues to increase for each set of incorrect passwords or PINs until the total number of failed login attempts equals the number specified to lock the account permanently. To prevent denial-of-service attacks, the retry count is not incremented if a user tries to log in during the lockout period. If the user enters the correct password or PIN and logs in successfully, the lockout time is reset to zero. After the account is permanently locked, only the administrator can unlock it and reset the password. When the administrator unlocks the account, the retry count and disable time are also reset to zero.
To configure the behavior for permanent lockouts, specify:
- Lockout mode (set to permanent)
- Maximum number of failed login attempts allowed before the account is locked
To configure the behavior for temporary lockouts, specify:
- Lockout mode (set to temporary)
- Number of failed attempts that trigger the initial temporary lockout
- Duration of initial temporary lockout
- Number of failed attempts that will lock the account permanently
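The interaction between init-attempts, the growing lockout duration, the "not counted during lockout" rule and max-attempts is easier to see as a state machine. The following model is an added example, not Cisco's code: it follows the rules in the text, while doubling the duration on every further set and clearing the failure count on a successful login are this example's assumptions (the text states only that the second set doubles the time); all class, field and function names are its own.

```python
"""State machine for the temporary lockout behaviour described above.

Added example, not Cisco's code: it models the rules in the text (a lockout
after init-attempts failures, a longer lockout for each further set, no
counting during a lockout, reset on success, permanent lock at max-attempts).
Doubling on every set and clearing the failure count on success are this
example's assumptions; the text states only the second-set doubling.
"""
from dataclasses import dataclass


@dataclass
class TempLockAccount:
    init_attempts: int       # failures per set that trigger a temporary lockout
    duration: int            # initial lockout length, in minutes
    max_attempts: int        # total failures at which the account locks permanently
    failures: int = 0        # failed attempts counted against the account
    lock_sets: int = 0       # temporary lockouts applied so far
    locked_until: int = 0    # minute at which the current temporary lockout ends
    permanent: bool = False

    def attempt(self, now, correct):
        """Process one login attempt at minute `now` and return its outcome."""
        if self.permanent:
            return "locked-permanent"
        if now < self.locked_until:
            # Attempts during a lockout are ignored, not counted: the retry
            # count cannot be driven up while the account is already locked.
            return "locked-temporary"
        if correct:
            self.failures = 0            # assumption: success clears the count
            self.lock_sets = 0
            self.locked_until = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.permanent = True        # only an administrator can clear this
            return "locked-permanent"
        if self.failures % self.init_attempts == 0:
            self.lock_sets += 1
            # first set: duration; second set: 2 x duration; then keeps doubling
            self.locked_until = now + self.duration * 2 ** (self.lock_sets - 1)
            return "locked-temporary"
        return "failed"

    def admin_unlock(self):
        """Administrator unlock: clears the permanent lock, retry count and disable time."""
        self.permanent = False
        self.failures = 0
        self.lock_sets = 0
        self.locked_until = 0


def run_scenario(account, events):
    """Apply (minute, correct) events in order and return the outcome of each."""
    return [account.attempt(now, ok) for now, ok in events]


if __name__ == "__main__":
    acct = TempLockAccount(init_attempts=2, duration=10, max_attempts=5)
    events = [(0, False), (1, False), (5, True), (11, False), (12, False),
              (20, False), (32, False), (40, True)]
    for (minute, _), outcome in zip(events, run_scenario(acct, events)):
        print(f"minute {minute:>3}: {outcome}")
```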
You have the following four options when using password and PIN protection:
- Password Protection with:
– Permanent Lockout
– Temporary Lockout
- PIN Protection with:
– Permanent Lockout
– Temporary Lockout
The corresponding procedures are documented in the following sections:
- Configuring Password Protection with Permanent Lockout
- Configuring PIN Protection with Permanent Lockout
- Configuring Password Protection with Temporary Lockout
- Configuring PIN Protection with Temporary Lockout
Configuring Password Protection with Permanent Lockout
Prerequisites
Cisco Unity Express 3.0 or a later version
Required Data for This Procedure
None.
SUMMARY STEPS
1. config t
2. security password lockout enable
3. security password lockout policy perm-lock
4. security password perm-lock max-attempts no_of_max_attempts
5. end
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: security password lockout enable
Example: se-10-0-0-0(config)# security password lockout enable
Purpose: Enables the password lockout feature.
Step 3
Command: security password lockout policy perm-lock
Example: se-10-0-0-0(config)# security password lockout policy perm-lock
Purpose: Sets the security mode to lock out subscribers permanently when the maximum number of failed login attempts is reached.
Step 4
Command: security password perm-lock max-attempts no_of_max_attempts
Example: se-10-0-0-0(config)# security password perm-lock max-attempts 2
Purpose: Specifies the maximum number of failed attempts that trigger a permanent lockout. Range is 1 to 200.
Step 5
Command: end
Example: se-10-0-0-0(config)# end
Purpose: Returns to privileged EXEC mode.
Configuring PIN Protection with Permanent Lockout
Prerequisites
Cisco Unity Express 3.0 or a later version
Required Data for This Procedure
None.
SUMMARY STEPS
1. config t
2. security pin lockout enable
3. security pin lockout policy perm-lock
4. security pin perm-lock max-attempts no_of_max_attempts
5. end
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: security pin lockout enable
Example: se-10-0-0-0(config)# security pin lockout enable
Purpose: Enables the PIN lockout feature.
Step 3
Command: security pin lockout policy perm-lock
Example: se-10-0-0-0(config)# security pin lockout policy perm-lock
Purpose: Sets the security mode to lock out subscribers permanently when the maximum number of failed login attempts is reached.
Step 4
Command: security pin perm-lock max-attempts no_of_max_attempts
Example: se-10-0-0-0(config)# security pin perm-lock max-attempts 2
Purpose: Specifies the maximum number of failed attempts that trigger a permanent lockout.
Step 5
Command: end
Example: se-10-0-0-0(config)# end
Purpose: Returns to privileged EXEC mode.
Configuring Password Protection with Temporary Lockout
Prerequisites
Cisco Unity Express 3.0 or a later version
Required Data for This Procedure
None.
SUMMARY STEPS
1. config t
2. security password lockout enable
3. security password lockout policy temp-lock
4. security password temp-lock max-attempts no_of_max_attempts
5. security password temp-lock init-attempts no_of_init_attempts
6. security password temp-lock duration duration
7. end
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: security password lockout enable
Example: se-10-0-0-0(config)# security password lockout enable
Purpose: Enables the password lockout feature.
Step 3
Command: security password lockout policy temp-lock
Example: se-10-0-0-0(config)# security password lockout policy temp-lock
Purpose: Sets the security mode to lock out subscribers temporarily when the configured number of failed login attempts is reached.
Step 4
Command: security password temp-lock max-attempts no_of_max_attempts
Example: se-10-0-0-0(config)# security password temp-lock max-attempts 8
Purpose: Specifies the total number of failed attempts that lock the account permanently. Range is from the value of init-attempts to 200.
Step 5
Command: security password temp-lock init-attempts no_of_init_attempts
Example: se-10-0-0-0(config)# security password temp-lock init-attempts 4
Purpose: Specifies the initial number of failed attempts that trigger a temporary lockout. Range is between 1 and the value of max-attempts.
Step 6
Command: security password temp-lock duration duration
Example: se-10-0-0-0(config)# security password temp-lock duration 10
Purpose: Specifies the initial lockout duration (in minutes) for a temporary lockout mode. The valid range is TBD.
Step 7
Command: end
Example: se-10-0-0-0(config)# end
Purpose: Returns to privileged EXEC mode.
Configuring PIN Protection with Temporary Lockout
Prerequisites
Cisco Unity Express 3.0 or a later version
Required Data for This Procedure
None.
SUMMARY STEPS
1. config t
2. security pin lockout enable
3. security pin lockout policy temp-lock
4. security pin temp-lock max-attempts no_of_max_attempts
5. security pin temp-lock init-attempts no_of_init_attempts
6. security pin temp-lock duration duration
7. end
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: security pin lockout enable
Example: se-10-0-0-0(config)# security pin lockout enable
Purpose: Enables the PIN lockout feature.
Step 3
Command: security pin lockout policy temp-lock
Example: se-10-0-0-0(config)# security pin lockout policy temp-lock
Purpose: Sets the security mode to lock out subscribers temporarily when the configured number of failed login attempts is reached.
Step 4
Command: security pin temp-lock max-attempts no_of_max_attempts
Example: se-10-0-0-0(config)# security pin temp-lock max-attempts 8
Purpose: Specifies the total number of failed attempts that lock the account permanently. Range is from the value of init-attempts to 200.
Step 5
Command: security pin temp-lock init-attempts no_of_init_attempts
Example: se-10-0-0-0(config)# security pin temp-lock init-attempts 4
Purpose: Specifies the initial number of failed attempts that trigger a temporary lockout. Range is between 1 and the value of max-attempts.
Step 6
Command: security pin temp-lock duration duration
Example: se-10-0-0-0(config)# security pin temp-lock duration 10
Purpose: Specifies the initial lockout duration (in minutes) for a temporary lockout mode. The valid range is TBD.
Step 7
Command: end
Example: se-10-0-0-0(config)# end
Purpose: Returns to privileged EXEC mode.
Configuring PIN and Password History
Starting in release 3.0, this feature enables the system to track previous PINs and passwords for all users and prevent users from reusing old PINs or passwords. You can configure the depth of the PIN or the password history using either the GUI or CLI.
This section contains these procedures:
- Configuring the Password History Depth
- Configuring the PIN History Depth
Configuring the Password History Depth
Prerequisites
Cisco Unity Express 3.0 or a later version
Required Data for This Procedure
None.
SUMMARY STEPS
1. config t
2. security password history depth depth
3. end
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: security password history depth depth
Example: se-10-0-0-0(config)# security password history depth 6
Purpose: Forces all users to choose a password that is not in their password history list.
Step 3
Command: end
Example: se-10-0-0-0(config)# end
Purpose: Returns to privileged EXEC mode.
Configuring the PIN History Depth
Prerequisites
Cisco Unity Express 3.0 or a later version
Required Data for This Procedure
None.
SUMMARY STEPS
1. config t
2. security pin history depth depth
3. end
DETAILED STEPS
Step 1
Command: config t
Example: se-10-0-0-0# config t
Purpose: Enters configuration mode.
Step 2
Command: security pin history depth depth
Example: se-10-0-0-0(config)# security pin history depth 6
Purpose: Forces all users to choose a PIN that is not in their PIN history list.
Step 3
Command: end
Example: se-10-0-0-0(config)# end
Purpose: Returns to privileged EXEC mode.
Displaying Password and PIN System Settings
Use the following Cisco Unity Express EXEC mode command to display the password and PIN settings:
show security detail
The command output can look similar to the following:
se-10-0-0-0# show security detail
Password Length (max): 32
The following example shows the values when password expiration and the PIN length are reset to the system default values:
se-10-0-0-0# show security detail
Password Length (max): 32
To display PINless voicemail settings, use the following Cisco Unity Express EXEC mode command:
show voicemail detail mailbox [ owner ]
This command will produce output similar to the following, showing one of the three options displayed below:
se-10-0-0-0# show voicemail detail mailbox cjwhite
Owner: /sw/local/users/cjwhite
Allow login without pin: [no | yes - from subscriber's phone numbers | yes - from any phone number]
Mailbox Size (seconds): 3000
Message Size (seconds): 60
Created/Last Accessed: Jun 05 2007 17:06:07 PDTumber: 1
Encrypting PINs in Backup Files
Before release 3.0, PINs were stored as clear text in LDAP and were therefore visible in the backup file, because the LDAP database that holds user PINs is backed up in LDIF format. This feature applies a SHA-1 hash to each PIN before storing it in the LDAP database. As a result, when a user logs in to voice mail, the PIN they submit is hashed and compared to the PIN attribute retrieved from the LDAP directory.
To migrate from an earlier version, you must convert the clear PINs in the LDAP directory to hashed PINs. Typically, you do this immediately after a system upgrade from an earlier version or after a restore operation from an old backup. At this point, the clear PIN is removed from the database and replaced with the hashed PIN.
Because a SHA-1 hash is not reversible, after the conversion is complete you cannot disable or turn off this feature to restore the hashed PIN to its clear form.
Note This feature does not require any configuration using the GUI or CLI.