Authentication Management

User Authentication

When a user signs in to one of the user interfaces, the user's credentials can be authenticated against:

  • The internal system database

  • An LDAP-based external authentication server

  • A SAML-based identity management server

Administrator users are users who can sign in to the administrator interface. The presence of an administrator interface means that a system user instance exists.

Subscribers are system users that have, and are linked to, user accounts in one or more UC applications. Subscriber management supports the management of UC application user accounts that in turn may also be configured for local, LDAP or SAML authentication.

API users are system users that connect directly to Cisco Unified Communications Domain Manager through the API. The system controls access to its service with HTTP Basic authentication, the scheme defined in section 11.1 of RFC 1945.

Credential Policies

Cisco Unified Communications Domain Manager helps secure user accounts by authenticating user sign-in credentials before allowing system access. Administrators can specify settings such as the number of failed sign-in attempts allowed, lockout durations, and password reset questions. The number of questions in the Password Reset Question Pool must be equal to or greater than the number set in the Number of Questions Asked During Password Reset field. Collectively, these rules form a credential policy, which can be applied at any hierarchy level and determines user sign-in behavior at that level.

A credential policy is not mandatory at specific levels in the hierarchy. However, a default credential policy is provided at the sys.hcs level. Administrators at lower levels can copy and edit this default policy if necessary. Administrators can also save it at their own hierarchy level so that it can be applied to the associated users at that level. If the administrators at the various levels do not create a credential policy at their level, it is inherited from the closest level above them. If a Provider Administrator has defined a credential policy, but a Customer Administrator has not, the customer automatically inherits the credential policy from the Provider. A different credential policy can also be defined for each user.

For each administrator user that requires IP address throttling (sign-in limiting per source), manually create and assign a credential policy. The credential policy must have IP address throttling, username throttling and email throttling enabled.

The credential policy can be used to manage password features such as:
  • The number of days from the date of creation for which a password cannot be reused. The default is 15.

  • The number of character changes (inserts, removals, or replacements) that a password must have from the previous password. The default is 0 (disabled).

  • The number of days within which a user's password cannot be changed. The default is 0, which means that this option is disabled.

    The number of days can be set from 1 to a maximum of 365 days (in 24-hour units from the activation time). This Minimum Password Age value applies only:
    • to users changing their own password

    • to users whose password an administrator resets or changes without enabling the Change Password on Next Login option for the user.

    In other words, if an administrator resets or changes the user's password and enables the user's Change Password on Next Login option, the Minimum Password Age value does not apply.

The default credential policy is defined at the sys.hcs level.


Note

Credential policies do not apply to SSO-authenticated users. For LDAP-synced users, only the session timeouts apply.

See "Assign a Credential Policy to a User" in the User Management Chapter of Cisco Unified Communications Domain Manager 10.6(3) Maintain and Operate Guide for information on how to configure a credential policy for a specific user and "Credential Policies Rate Limiting" in the Troubleshooting User Access chapter of Cisco Unified Communications Domain Manager Version 10.6(3) Troubleshooting Guide for more details on rate limiting of failed login attempts.

The table below shows the conditions under which each credential policy rule is applied. Condition and Change Password on Next Login are Data/User attributes; the remaining columns are Data/CredentialPolicy rules, grouped as generic password validation (Minimum Password Length, Password Reuse Time Limit) and user-specific password validation (Number of Different Password Characters, Minimum Password Age).

Condition                      | Change Password on Next Login | Minimum Password Length | Password Reuse Time Limit | Number of Different Password Characters | Minimum Password Age (days)
-------------------------------|-------------------------------|-------------------------|---------------------------|-----------------------------------------|----------------------------
Admin changes user's password  | N/A                           | applied                 | applied                   | not applied                             | not applied
User changes own password      | Enabled                       | applied                 | applied                   | applied                                 | not applied
User changes own password      | Disabled                      | applied                 | applied                   | applied                                 | applied
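The following Python code is added here as an illustration and is not taken from the Cisco product. It applies the rules in the table above to a password change request. The CredentialPolicy attributes use the Data/CredentialPolicy field names from the field reference; the PasswordRecord history entry, the function names, the sample passwords and the dates are constructed for this example. Counting "character changes" as Levenshtein edit distance is an assumption about how the product counts inserts, removals and replacements.

```python
"""Added example: credential policy password rules applied per the condition table.
Not the product's own code; PasswordRecord and validate_password_change are
constructed for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class CredentialPolicy:
    # Generic password validation: applied in every row of the condition table.
    minimum_password_length: int = 8
    password_reuse_time_limit: int = 15        # days; 0 disables the check
    # User-specific validation: applied only for some conditions.
    num_different_password_characters: int = 0  # 0 disables the check
    minimum_password_age: int = 0               # days; 0 disables the check


@dataclass
class PasswordRecord:
    """Hypothetical history entry: a previous password and its creation time."""
    password: str
    created: datetime


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the fewest inserts, removals or replacements that
    turn a into b (assumed here to be the 'character changes' the policy counts)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # remove ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # replace (or keep)
        prev = cur
    return prev[-1]


def validate_password_change(policy: CredentialPolicy, new_password: str,
                             history: List[PasswordRecord], now: datetime,
                             admin_change: bool, change_on_next_login: bool) -> List[str]:
    """Return the names of violated rules; an empty list means the change is allowed.

    admin_change:         True when an administrator changes the user's password.
    change_on_next_login: the user's 'Change Password on Next Login' attribute.
    history[0] is the user's current password; later entries are older passwords.
    """
    violations: List[str] = []

    # Generic rules: applied whether the admin or the user changes the password.
    if len(new_password) < policy.minimum_password_length:
        violations.append("minimum_password_length")
    if policy.password_reuse_time_limit:
        cutoff = now - timedelta(days=policy.password_reuse_time_limit)
        # A password created within the reuse window may not be reused.
        if any(r.password == new_password and r.created >= cutoff for r in history):
            violations.append("password_reuse_time_limit")

    # User-specific rules are 'not applied' when an administrator changes the password.
    if admin_change or not history:
        return violations
    current = history[0]
    if (policy.num_different_password_characters
            and edit_distance(current.password, new_password)
            < policy.num_different_password_characters):
        violations.append("num_different_password_characters")
    # Minimum password age applies only when the user changes their own password
    # and 'Change Password on Next Login' is disabled.
    if policy.minimum_password_age and not change_on_next_login:
        if now - current.created < timedelta(days=policy.minimum_password_age):
            violations.append("minimum_password_age")
    return violations
```

Feeding the three conditions from the table through validate_password_change with the same policy and history shows the difference: an administrator change only trips the generic rules, a user change with Change Password on Next Login enabled additionally trips the character-difference rule, and a user change with it disabled trips all four.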

Field Reference for Data/CredentialPolicy

Table 1.

Name
  Field Name: name
  Description: Credential policy name
  Type: String

Idle Session Timeout (minutes)
  Field Name: idle_session_timeout
  Description: Defines the number of minutes a session remains active when there is no activity in the session.
  Type: Integer
  Default: 20

Absolute Session Timeout (minutes)
  Field Name: absolute_session_timeout
  Description: Defines the maximum number of minutes a session can be active. A value of 0 disables the absolute session timeout.
  Type: Integer
  Default: 1440

Password Expires (months) *
  Field Name: password_expires
  Description: The interval at which the password expires, in months.
  Type: String
  Default: 6
  Choices: ["Never Expire", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"]

User Must Change Password on First Login
  Field Name: change_password_on_first_login
  Description: Indicates that users are forced to change their password on first login.
  Type: Boolean

Lock Duration (minutes)
  Field Name: failed_login_lock_duration
  Description: The number of minutes for which a user account is locked after the number of failed password attempts reaches the threshold.
  Type: Integer
  Default: 30

Disable Failed Login Limiting per User
  Field Name: disable_failed_login_limiting_per_user
  Description: Disable failed login limiting per user.
  Type: Boolean

Disable Failed Login User Account
  Field Name: disable_failed_login_user_account
  Description: When enabled, the user account is disabled if the number of failed login attempts reaches 'Failed Login Count per User' within 'Reset Failed Login Count per User (minutes)'. This field is disabled by default.
  Type: Boolean

Failed Login Count per User
  Field Name: failed_login_count_per_user
  Description: The maximum number of failed login attempts for a given user. This is also referred to as the burst size.
  Type: Integer
  Default: 20

Reset Failed Login Count per User (minutes)
  Field Name: reset_failed_login_count_per_user
  Description: The number of minutes before the failed login counter for a given user is reset. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure.
  Type: Integer
  Default: 5

Disable Failed Login Limiting per Source
  Field Name: disable_failed_login_limiting_per_source
  Description: Disable failed login limiting per source.
  Type: Boolean

Failed Login Count per Source
  Field Name: failed_login_count_per_source
  Description: The maximum number of failed login attempts for a given source IP address. This is also referred to as the burst size.
  Type: Integer
  Default: 10

Reset Failed Login Count per Source (minutes)
  Field Name: reset_failed_login_count_per_source
  Description: The number of minutes before the failed login counter for a given source is reset. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure.
  Type: Integer
  Default: 10

Number of Questions Asked During Password Reset
  Field Name: password_reset_questions_number
  Description: Determines the number of questions asked during a password reset. The number must be less than or equal to the number of entries in the Password Reset Question Pool if custom questions are not allowed.
  Type: Integer

Password Reset Question Pool
  Field Name: password_reset_questions.password_reset_questions.[n]
  Description: List of questions from which password reset questions are drawn.
  Type: Array

Password Reuse Time Limit
  Field Name: password_reuse_time_limit
  Description: Period (number of days) from the time of creation for which a password cannot be reused. Defaults to 15 days. Only values between 0 and 365 (inclusive) are allowed. A value of 0 (zero) means that the password reuse time limit does not apply.
  Type: Integer
  Default: 15

Minimum Password Length
  Field Name: minimum_password_length
  Description: Minimum length (number of characters) for a password.
  Type: Integer
  Default: 8

Enable Password Complexity Validation
  Field Name: enable_password_complexity_validation
  Description: Enable password complexity validation; defaults to False. When set to True, passwords are validated against the password complexity rules.
  Type: Boolean

Inactive days before disabling user account
  Field Name: inactive_days_before_disabling_user
  Description: The number of days a user can be inactive before the account is disabled. With a value of 0, no checks are done.
  Type: Integer

Session Login Limit Per User
  Field Name: session_login_limit_per_user
  Description: The maximum number of concurrent login sessions permitted for a user. A value of 0 (zero) means that user login sessions are not restricted.
  Type: Integer

Number of Different Password Characters
  Field Name: num_different_password_characters
  Description: The minimum number of character changes (inserts, removals, or replacements) required between the old and new passwords.
  Type: Integer

Minimum Password Age (days)
  Field Name: minimum_password_age
  Description: The number of days within which a user cannot change their password. A value of 0 (zero) means that password age validation is disabled.
  Type: Integer
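The following Python code is an added example, not the product's own implementation, of how the failed-login fields in the field reference fit together: a burst size (Failed Login Count per User / per Source), a reset window (Reset Failed Login Count ... (minutes)), a lock duration, the two Disable ... Limiting switches and Disable Failed Login User Account. The defaults match the table. The FailedLoginLimiter class, its method names, the usernames and the source addresses (RFC 5737 documentation ranges) are constructed for this illustration. Two details the field reference does not state are assumptions here: the lock duration is also applied to a locked source, and a counter is cleared once it triggers a lock.

```python
"""Added example: per-user and per-source failed-login limiting with the
Data/CredentialPolicy fields. Not Cisco's code; names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class CredentialPolicy:
    # Defaults are the table's defaults.
    failed_login_count_per_user: int = 20           # burst size per user
    reset_failed_login_count_per_user: int = 5      # minutes
    failed_login_count_per_source: int = 10         # burst size per source IP
    reset_failed_login_count_per_source: int = 10   # minutes
    failed_login_lock_duration: int = 30            # minutes
    disable_failed_login_limiting_per_user: bool = False
    disable_failed_login_limiting_per_source: bool = False
    disable_failed_login_user_account: bool = False


class FailedLoginLimiter:
    def __init__(self, policy: CredentialPolicy) -> None:
        self.policy = policy
        self._user_failures: Dict[str, List[datetime]] = {}
        self._source_failures: Dict[str, List[datetime]] = {}
        # Lock keys are "user:<name>" or "source:<ip>"; value is the lock expiry.
        self.locked_until: Dict[str, datetime] = {}
        self.disabled_users: Set[str] = set()

    @staticmethod
    def _recent(events: List[datetime], now: datetime, minutes: int) -> List[datetime]:
        """Drop failures older than the reset window; the window is what makes
        the threshold a burst size rather than a lifetime total."""
        cutoff = now - timedelta(minutes=minutes)
        events[:] = [t for t in events if t > cutoff]
        return events

    def is_blocked(self, username: str, source_ip: str, now: datetime) -> bool:
        """True if the account is disabled, or the user or the source is locked."""
        if username in self.disabled_users:
            return True
        for key in (f"user:{username}", f"source:{source_ip}"):
            until = self.locked_until.get(key)
            if until is not None:
                if now < until:
                    return True
                del self.locked_until[key]  # lock duration has elapsed
        return False

    def record_failure(self, username: str, source_ip: str, now: datetime) -> List[str]:
        """Record one failed attempt and return the actions taken, if any."""
        p = self.policy
        actions: List[str] = []
        lock_for = timedelta(minutes=p.failed_login_lock_duration)

        if not p.disable_failed_login_limiting_per_user:
            hits = self._recent(self._user_failures.setdefault(username, []),
                                now, p.reset_failed_login_count_per_user)
            hits.append(now)
            if len(hits) >= p.failed_login_count_per_user:
                if p.disable_failed_login_user_account:
                    # Threshold reached inside the window: disable, not just lock.
                    self.disabled_users.add(username)
                    actions.append("user_disabled")
                else:
                    self.locked_until[f"user:{username}"] = now + lock_for
                    actions.append("user_locked")
                hits.clear()  # assumption: the counter restarts after a lock

        if not p.disable_failed_login_limiting_per_source:
            hits = self._recent(self._source_failures.setdefault(source_ip, []),
                                now, p.reset_failed_login_count_per_source)
            hits.append(now)
            if len(hits) >= p.failed_login_count_per_source:
                # Assumption: the same lock duration applies to a source lock.
                self.locked_until[f"source:{source_ip}"] = now + lock_for
                actions.append("source_locked")
                hits.clear()
        return actions
```

The per-source counter is what makes the policy useful against many usernames tried from one address, and the per-user counter is what protects one account tried from many addresses; checking is_blocked before verifying the password keeps the two independent of each other.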

Standard Users and Sign-in

When creating a system user that uses the standard authorization method, the password is stored in the internal system database. Cisco Unified Communications Domain Manager uses the PBKDF2 algorithm with a SHA-256 hash, a key stretching mechanism recommended by the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC).
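The following Python code is an added example of the construction named above, PBKDF2 with HMAC-SHA-256, and is not Cisco's implementation: the page says only which algorithm and hash the product uses. The storage string layout (algorithm, iteration count, salt and derived key separated by '$'), the iteration count and the function names are choices made for this illustration; NIST SP 800-132 sets 1000 iterations as a floor, and current practice is far above it.

```python
"""Added example: PBKDF2-HMAC-SHA256 password storage and verification.
Not the product's code; the record format and iteration count are assumptions."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # example value; SP 800-132 only requires at least 1000
SALT_BYTES = 16        # 128-bit random salt per password (SP 800-132 minimum)


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a 32-byte key from the password and return a self-describing record.
    A fixed salt may be passed for tests; production callers leave it None."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time, so a malformed or wrong record never raises."""
    try:
        algorithm, iterations, salt_b64, key_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)
```

Storing the iteration count inside the record is what lets the cost be raised later without invalidating existing accounts: old records keep verifying with their own count, and can be re-hashed at the user's next successful sign-in.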

When signing in as a standard user, go to the URL:

http://{hostname}/login

A sign-in page theme can be applied during the login process by adding the suffix '?theme={theme_name}', where {theme_name} is an available theme. For example: http://{hostname}/login/?theme=default

When signing in, the username can be entered in either of the following formats:

{username}@hierarchy or {email address}

The hierarchy is in dot notation and corresponds with the hierarchy to which the user belongs. The hierarchy level is the level at which the user is created.

The hierarchy on the login form is prefixed with sys.

For example: johndoe@sys.VS-OPS.VS-Corp.Chicago

LDAP Users and Sign-in

When creating a system user using the LDAP authorization method, specify the LDAP server and the LDAP username. The LDAP username corresponds to the sign-in Attribute Name specified in the LDAP network connection.

When signing in as an LDAP user, go to the URL:

http://{host name}/login

Regardless of the sign-in Attribute Name specified in the LDAP network connection, the user email address can be used to log in.

When signing in with LDAP credentials, the username is in the format:

{user ID}[@hierarchy]

Note:

  • @hierarchy is not required when the user ID corresponds to the user's email address.

  • {user ID} corresponds to the sign-in attribute name (for example email address, user principal name, sAMAccountName). The sign-in attribute name is configured in the Authentication attribute of the LDAP device connection associated with this hierarchy.

  • The hierarchy is in dot notation and corresponds with the hierarchy to which the user belongs. The hierarchy level is the level at which the user is created.
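The following Python code is an added example, not the product's own login handling, of classifying the identifier formats described in the two sections above: {username}@hierarchy, {email address}, and the LDAP {user ID}[@hierarchy] form. The rule that a hierarchy starts with sys. is taken from the text; treating any other value containing '@' as an e-mail address, rejecting an empty username, and splitting at the last '@' so that a user principal name such as jdoe@corp.example.com can still carry an @hierarchy suffix are assumptions made for this illustration. The sample identifiers are constructed.

```python
"""Added example: parse the sign-in identifier forms from the standard and
LDAP sign-in sections. Not Cisco's code; classification rules are assumptions."""
from typing import NamedTuple, Optional


class SignInName(NamedTuple):
    kind: str                  # "hierarchy" | "email" | "userid"
    user: str                  # username, e-mail address or LDAP user ID
    hierarchy: Optional[str]   # dot-notation hierarchy starting with "sys.", else None


def parse_sign_in_name(raw: str) -> SignInName:
    """Split a login-form username into its user part and optional hierarchy."""
    raw = raw.strip()
    if not raw:
        raise ValueError("empty sign-in name")
    # Split at the LAST '@': an LDAP user principal name contains its own '@'.
    user, sep, rest = raw.rpartition("@")
    if not sep:
        # LDAP {user ID} with no @hierarchy (for example a sAMAccountName).
        return SignInName("userid", raw, None)
    if rest.lower().startswith("sys."):
        # {username}@hierarchy or {user ID}@hierarchy: validate the dot notation.
        if not user or rest.endswith(".") or ".." in rest:
            raise ValueError(f"malformed hierarchy in {raw!r}")
        return SignInName("hierarchy", user, rest)
    # Anything else with an '@' is taken to be an e-mail address (assumption).
    if not user or "." not in rest:
        raise ValueError(f"malformed e-mail address in {raw!r}")
    return SignInName("email", raw, None)
```

The only ambiguous input is a value with a single '@' and no sys. suffix; this example resolves it as an e-mail address because that is the form the page says works regardless of the configured LDAP attribute.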

SSO Users and Login

When creating a system user using the SSO authorization method, the SSO Identity Provider and the SSO username must be specified.

When signing in as an SSO user, go to the URL:

http://{host name}/sso/{SSO login URI}/login

For example:

http://host.Agency1.CustomerA.com/sso/CustomerA/Agency1/login

This URL format also applies to self-service users.

Log in using the relevant SSO identity provider credentials.