This chapter describes the Cisco Unified Communications Manager credential policy. Cisco Unified Communications Manager authenticates user login credentials before allowing system access. To help secure user accounts, you can specify settings for failed logon attempts, lockout durations, password expirations, and password requirements in Cisco Unified Communications Manager Administration. These authentication rules form a credential policy.
Credential policies apply to application users and end users. You assign a password policy to end users and application users and a PIN policy to end users. The Credential Policy Default Configuration lists the policy assignments for these groups.
At installation, Cisco Unified Communications Manager assigns a static Default Credential Policy to user groups. It does not provide default credentials. The Credential Policy Default Configuration window in Cisco Unified Communications Manager Administration provides options to assign new default policies and to configure new default credentials and credential requirements for users.
Note: The system does not support empty (null) credentials. If your system uses LDAP authentication, you must configure end user default credentials immediately after installation, or logins fail.
When you add a new user to the Cisco Unified Communications Manager database, the system assigns the default policy. You can change the assigned policy and manage user authentication events with the Edit Credentials button in the user configuration window.
The general steps and guidelines for configuring credential policies are as follows.
The authentication function in Cisco Unified Communications Manager authenticates users, updates credential information, tracks and logs user events and errors, records credential change histories, and encodes/decodes or encrypts/decrypts user credentials for data storage.
The system always authenticates application user passwords and end user PINs against the Cisco Unified Communications Manager database. The system can authenticate end user passwords against the corporate directory or the Cisco Unified Communications Manager database.
If your system is synchronized with the corporate directory, either the authentication function in Cisco Unified Communications Manager or LDAP can authenticate the password.
With LDAP authentication enabled, user passwords and credential policies that are configured in Cisco Unified Communications Manager Administration do not apply. These defaults get applied to users that are created with directory synchronization (DirSync service).
When LDAP authentication is disabled, the system authenticates user credentials against the Cisco Unified Communications Manager database. With this option, administrators can assign credential policies, manage authentication events, and administer passwords. End users can change passwords and PINs at the phone user pages.
See the Directory Overview for more information about LDAP authentication.
Credential policies do not apply to OS users or CLI users. These administrators use standard password verification procedures that the OS supports. See the Cisco Unified Communications Operating System Administration Guide for information about OS login procedures.
To improve performance, administrators can configure the Enable Caching enterprise parameter to True. With this parameter enabled, Cisco Unified Communications Manager uses cached credentials for up to 2 minutes. This configuration increases system efficiency, because Cisco Unified Communications Manager does not have to perform a database lookup or invoke a stored procedure for every single login request. An associated credential policy is not enforced until the caching duration expires.
This setting applies to all Java applications that invoke user authentication. Setting the enterprise parameter to False turns off caching, so the system does not use cached credentials for authentication. The system ignores this setting for LDAP authentication. Credential caching requires a minimal amount of additional memory per user.
The Bulk Administration Tool (BAT) allows administrators to define common credential parameters, such as passwords and PINs, for a group of users in the BAT User Template. When you first create a user template, all the users are assigned the static Default Credential Policy.
Because the Cisco Unified Communications Manager Java telephony applications programming interface (JTAPI) and telephony applications programming interface (TAPI) support the credential policies that are assigned to application users, developers must create applications that respond to the password expiration, PIN expiration, and lockout return codes for credential policy enforcement.
Applications use an API to authenticate with the database or corporate directory, regardless of the authentication model that an application uses.
For more information about JTAPI and TAPI for developers, see the developer guides at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-programming-reference-guides-list.html.
After users are configured in the database, the system stores a history of user credentials in the database to prevent users from entering previous information when users are prompted to change their credentials.
You can monitor and manage authentication activity for a user at the user Credential Configuration page, which is accessed with the Edit Credentials button in the user configuration windows. The system shows the most current authentication results, such as last hack attempt time, and counts for failed logon attempts.
See Directory Overview for more information.
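The following is an added example, not Cisco code, that models the rules this chapter describes: a failed-logon limit, a lockout duration during which even a correct credential is refused, credential expiration, and a credential history that blocks reuse of previous values. Field names, defaults and the toy digest are assumptions; real values come from the policy you configure in Cisco Unified Communications Manager Administration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CredentialPolicy:
    # Added example, not CUCM code: field names and defaults are assumptions.
    failed_logon_limit: int = 3              # failed attempts before lockout
    lockout_seconds: int = 30 * 60           # how long the account stays locked
    expires_after_seconds: int = 90 * 86400  # credential age that forces a change
    history_size: int = 5                    # old credentials that cannot be reused

@dataclass
class UserCredential:
    policy: CredentialPolicy
    digest: str
    changed_at: int                          # epoch seconds of last credential change
    history: List[str] = field(default_factory=list)
    failed_attempts: int = 0
    locked_until: Optional[int] = None

def _digest(secret: str) -> str:
    # Stand-in for the real store's encoding; not CUCM's scheme.
    return hashlib.sha256(secret.encode()).hexdigest()

def new_user(policy: CredentialPolicy, secret: str, now: int) -> UserCredential:
    return UserCredential(policy, _digest(secret), now)

def authenticate(user: UserCredential, secret: str, now: int) -> str:  # success|failure|locked|expired
    if user.locked_until is not None and now < user.locked_until:
        return "locked"                      # even a correct secret is refused while locked
    if _digest(secret) != user.digest:
        user.failed_attempts += 1
        if user.failed_attempts >= user.policy.failed_logon_limit:
            user.locked_until = now + user.policy.lockout_seconds
            user.failed_attempts = 0
            return "locked"
        return "failure"
    user.failed_attempts = 0                 # a good logon clears the failure counter
    if now - user.changed_at >= user.policy.expires_after_seconds:
        return "expired"                     # caller must prompt for a credential change
    return "success"

def change_credential(user: UserCredential, new_secret: str, now: int) -> bool:
    d = _digest(new_secret)
    if d == user.digest or d in user.history:
        return False                         # current or recent credential: reuse refused
    user.history = ([user.digest] + user.history)[:user.policy.history_size]
    user.digest, user.changed_at, user.locked_until = d, now, None
    return True
```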
The system generates log file entries for the following credential policy events:
Authentication success
Authentication failure (bad password or unknown)
Authentication failure due to
Successful user credential updates
Failed user credential updates
Note: If you use LDAP authentication for end user passwords, LDAP tracks only authentication successes and failures.
All event messages contain the string "ims-auth" and the userid that is attempting authentication.
You can view log files with the Cisco Unified Real-Time Monitoring Tool. You can also collect captured events into reports.
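As an added example (not Cisco code or real Cisco Unified Communications Manager output), the script below filters a collected log down to the credential events and summarizes them per userid, flagging accounts that reached a failure threshold or succeeded right after a burst of failures. The page states only that every event message contains "ims-auth" and the userid; the sample lines, their field layout and the result names are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines (not real CUCM output). The page states only that each
# event message contains "ims-auth" and the userid; the rest of the layout is assumed.
SAMPLE_LOG = """\
2024-05-01 09:00:01 INFO  ims-auth: userid=alice result=AUTH_SUCCESS
2024-05-01 09:00:05 WARN  ims-auth: userid=bob result=AUTH_FAILURE reason=bad_password
2024-05-01 09:00:06 WARN  ims-auth: userid=bob result=AUTH_FAILURE reason=bad_password
2024-05-01 09:00:07 WARN  ims-auth: userid=bob result=AUTH_FAILURE reason=bad_password
2024-05-01 09:00:08 WARN  ims-auth: userid=bob result=AUTH_FAILURE reason=locked_out
2024-05-01 09:02:10 INFO  ims-auth: userid=bob result=AUTH_SUCCESS
2024-05-01 09:03:00 INFO  other-component: line without the marker, must be ignored
2024-05-01 09:04:00 INFO  ims-auth: userid=carol result=CREDENTIAL_UPDATE_SUCCESS
2024-05-01 09:05:00 WARN  ims-auth: userid=carol result=CREDENTIAL_UPDATE_FAILURE
"""

LINE_RE = re.compile(r"ims-auth: userid=(?P<user>\S+) result=(?P<result>\S+)(?: reason=(?P<reason>\S+))?")

def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if "ims-auth" not in line:            # every credential event carries this marker
            continue
        m = LINE_RE.search(line)
        if m:                                 # unexpected layout: skip rather than guess
            events.append({"ts": line[:19], **m.groupdict()})
    return events

def summarize(events: List[dict], failure_threshold: int = 3) -> Dict[str, dict]:
    per_user = defaultdict(lambda: {"failures": 0, "successes": 0, "lockouts": 0,
                                    "credential_updates": 0, "flags": []})
    for e in events:
        s, r = per_user[e["user"]], e["result"]
        if r == "AUTH_FAILURE":
            if e.get("reason") == "locked_out":
                s["lockouts"] += 1
            else:
                s["failures"] += 1
        elif r == "AUTH_SUCCESS":
            s["successes"] += 1
            if s["failures"] >= failure_threshold:  # burst of failures, then a success
                s["flags"].append("success_after_failure_burst")
        elif r.startswith("CREDENTIAL_UPDATE"):
            s["credential_updates"] += 1
    for s in per_user.values():
        if s["failures"] >= failure_threshold:
            s["flags"].append("failure_threshold_reached")
    return dict(per_user)
```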