Advanced Configuration

This chapter describes advanced configuration procedures for modifying application parameters after the initial installation and configuration process described in the “” section. That earlier chapter includes commands not described in this chapter.

The advanced configuration procedures include:

Configuring the Hostname

During the software postinstallation process, the hostname was configured. Use this procedure to change the hostname.

note.gif

Noteblank.gif For 10.2.1 release, once you change the hostname, perform reload to view the updated Product Instance Name in License Summary.


SUMMARY STEPS

1.blank.gif config t

2.blank.gif hostname hostname

3.blank.gif exit

4.blank.gif show hosts

5.blank.gif copy running-config startup-config

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

hostname hostname

 

se-10-0-0-0(config)# hostname mainhost

mainhost(config)#

Specifies the hostname that identifies the local Cisco Unity Express system. Do not include the domain name as part of the hostname.

The Cisco Unity Express prompt changes to reflect the hostname. If you do not enter a hostname, the prompt is formed using “se” and the IP address of the Cisco Unity Express network module.

Step 3

exit

 

mainhost(config)# exit

Exits configuration mode.

Step 4

show hosts

 

mainhost# show hosts

Displays the local hostname and DNS servers configured on the system.

Step 5

copy running-config startup-config

 

mainhost# copy running-config startup-config

Copies the configuration changes to the startup configuration.

Examples

The following commands configure the hostname:

se-10-0-0-0# config t
se-10-0-0-0(config)# hostname mainhost
ca-west(config)# exit
ca-west#
 

The output from the show hosts command might look similar to the following:

ca-west# show hosts
 
Hostname: mainhost
Domain: myoffice
DNS Server1: 10.100.10.130
DNS Server2: 10.5.0.0
ca-west#

Configuring the DNS Server

During the software postinstallation process, the DNS server and IP addresses may have been configured. Use this procedure to change the server name and IP addresses.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif ip domain-name dns-server-name

3.blank.gif ip name-server ip-address [ ip-address ] [ ip-address ] [ ip-address ]

4.blank.gif exit

5.blank.gif show hosts

6.blank.gif copy running-config startup-config

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

ip domain-name dns-server-name

 

se-10-0-0-0(config)# ip domain-name mycompany.com

Specifies the domain name of the DNS server.

Step 3

ip name-server ip-address [ ip-address ] [ ip-address ] [ ip-address ]

 

se-10-0-0-0(config)# ip name-server 192.168.0.5

 

se-10-0-0-0(config)# ip name-server 192.168.0.5 192.168.0.10 192.168.0.12 192.168.0.20

Specifies up to four IP addresses for the DNS server.

Step 4

exit

 

se-10-0-0-0(config)# exit

Exits configuration mode.

Step 5

show hosts

 

se-10-0-0-0# show hosts

Displays the IP route destinations, gates, and masks.

Step 6

copy running-config startup-config

 

se-10-0-0-0# copy running-config startup-config

Copies the configuration changes to the startup configuration.

Examples

The following commands configure the DNS server:

se-10-0-0-0# config t
se-10-0-0-0(config)# ip domain-name mycompany
se-10-0-0-0(config)# ip name-server 10.100.10.130 10.5.0.0
se-10-0-0-0(config)# exit
se-10-0-0-0#
 

The output from the show hosts command might look similar to the following:

se-10-0-0-0# show hosts
 
Hostname: se-10-100-6-10
Domain: mycompany
DNS Server1: 10.100.10.130
se-10-0-0-0#
 

Configuring NTP Servers

During the software postinstallation process, the Network Time Protocol (NTP) server may have been configured. Cisco Unity Express accepts a maximum of three NTP servers. Use this procedure to add or delete NTP servers.

Adding NTP Servers

You can designate an NTP server using its IP address or its hostname.

Cisco Unity Express uses the DNS server to resolve the hostname to an IP address and stores the IP address as an NTP server. If DNS resolves the hostname to more than one IP address, Cisco Unity Express randomly chooses one of the IP addresses that is not already designated as an NTP server.

To configure an NTP server with multiple IP addresses for a hostname, repeat the configuration steps using the same hostname. Each iteration assigns the NTP server to its remaining IP addresses.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif ntp server { hostname | ip-address } [ prefer ]

3.blank.gif exit

4.blank.gif show ntp status

5.blank.gif show ntp servers

6.blank.gif show ntp source

7.blank.gif show ntp association

8.blank.gif copy running-config startup-config

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

ntp server { hostname | ip-address } [ prefer ]

 

se-10-0-0-0(config)# ntp server 10.0.3.4

se-10-0-0-0(config)# ntp server 10.0.10.20 prefer

Specifies the name or IP address of the NTP server.

If more than one server is configured, the server with the prefer attribute is used first.

Step 3

exit

 

se-10-0-0-0(config)# exit

Exits configuration mode.

Step 4

show ntp status

 

se-10-0-0-0# show ntp status

Displays the NTP subsystem status.

Step 5

show ntp servers

 

se-10-0-0-0# show ntp servers

Displays a list of Network Time Protocol (NTP) servers and their current states.

Step 6

show ntp source

 

se-10-0-0-0# show ntp source

Displays the time source for a Network Time Protocol (NTP) server.

Step 7

show ntp association

 

se-10-0-0-0# show ntp association

Displays the association identifier and status for all Network Time Protocol (NTP) servers.

Step 8

copy running-config startup-config

 

se-10-0-0-0# copy running-config startup-config

Copies the configuration changes to the startup configuration.

Examples

The following commands configure the NTP server:

se-10-0-0-0# config t
se-10-0-0-0(config)# ntp server 10.100.6.9
se-10-0-0-0(config)# exit
se-10-0-0-0#
 

The following shows sample output from the show ntp status command:

se-10-0-0-0# show ntp status
 
NTP reference server 1: 10.100.6.9
Status: sys.peer
Time difference (secs): 3.268110099434328E8
Time jitter (secs): 0.1719226837158203
se-10-0-0-0#

 

The following shows sample output from the show ntp servers command:

se-10-0-0-0# show ntp servers
 
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.100.10.65 127.127.7.1 8 u 933 1024 377 0.430 -1.139 0.158
space reject, x falsetick,. excess, - outlyer
+ candidate, # selected, * sys.peer, o pps.peer

 

The following shows sample output from the show ntp source command:

se-10-0-0-0# show ntp source
 
127.0.0.1: stratum 9, offset 0.000015, synch distance 0.03047
10.100.10.65: stratum 8, offset -0.001124, synch distance 0.00003

 

The following shows sample output from the show ntp association command:

se-10-0-0-0# show ntp associations
 
ind assID status conf reach auth condition last_event cnt
===========================================================
1 37773 9624 yes yes none sys.peer reachable 2

 

The following example configures an NTP server with a hostname that points to two IP addresses 172.16.10.1 and 172.16.10.2:

se-10-0-0-0# config t
se-10-0-0-0(config)# ntp server NTP.mine.com
se-10-0-0-0(config)# exit
se-10-0-0-0#
 
se-10-0-0-0# config t
se-10-0-0-0(config)# ntp server NTP.mine.com
se-10-0-0-0(config)# exit
se-10-0-0-0#
 

The following shows sample output from the show ntp status command:

se-10-0-0-0# show ntp status
 
NTP reference server 1: 172.16.10.1
Status: sys.peer
Time difference (secs): 3.268110099434328E8
Time jitter (secs): 0.1719226837158203
 
NTP reference server 1: 172.16.10.2
Status: sys.peer
Time difference (secs): 3.268110099434328E8
Time jitter (secs): 0.1719226837158203
se-10-0-0-0#

Removing an NTP Server

Remove an NTP server using its IP address or hostname.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif no ntp server { hostname | ip-address }

3.blank.gif exit

4.blank.gif show ntp status

5.blank.gif show ntp configuration

6.blank.gif copy running-config startup-config

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

no ntp server { hostname | ip-address }

 

se-10-0-0-0(config)# no ntp server 10.0.3.4

se-10-0-0-0(config)# no ntp server myhost

Specifies the hostname or IP address of the NTP server to remove.

Step 3

exit

 

se-10-0-0-0(config)# exit

Exits configuration mode.

Step 4

show ntp status

 

se-10-0-0-0# show ntp status

Displays the NTP subsystem status.

Step 5

show ntp configuration

 

se-10-0-0-0# show ntp configuration

Displays the configured NTP servers.

Step 6

copy running-config startup-config

 

se-10-0-0-0# copy running-config startup-config

Copies the configuration changes to the startup configuration.

Displaying NTP Server Information

The following commands are available to display NTP server configuration information and status:

  • show ntp associations
  • show ntp servers
  • show ntp source
  • show ntp status

The following is sample output for the show ntp associations command:

se-10-0-0-0# show ntp associations
 
ind assID status conf reach auth condition last_event cnt
===========================================================
1 61253 8000 yes yes none reject
 

The following is sample output for the show ntp servers command:

se-10-0-0-0# show ntp servers
 
remote refid st t when poll reach delay offset jitter
==============================================================================
10.100.6.9 0.0.0.0 16 u - 1024 0 0.000 0.000 4000.00
space reject, x falsetick,. excess, - outlyer
+ candidate, # selected, * sys.peer, o pps.peer
 

The following is sample output for the show ntp source command:

se-10-0-0-0# show ntp source
 
192.168.0.1: stratum 16, offset 0.000013, synch distance 8.67201
0.0.0.0: *Not Synchronized*
 

The following is sample output for the show ntp status command:

se-10-0-0-0# show ntp status
 
NTP reference server : 10.100.6.9
Status: reject
Time difference (secs): 0.0
Time jitter (secs): 4.0

Configuring a Syslog Server

Cisco Unity Express captures messages that describe activities in the system. These messages are collected and directed to a messages.log file on the Cisco Unity Express module hard disk, the console, or an external system log (syslog) server. The messages.log file is the default destination.

This section describes the procedure for configuring an external server to collect the messages. To view the messages, see “Viewing System Activity Messages” section.

Required Data for This Procedure

You need the hostname or IP address of the designated log server.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif log server address { hostname | ip-address }

3.blank.gif exit

4.blank.gif show running-config

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

log server address { hostname | ip-address }

 

se-10-0-0-0(config)# log server address 10.187.240.31

se-10-0-0-0(config)# log server address logpc

Specifies the hostname or IP address of the NTP server designated as the log server.

Step 3

exit

 

se-10-0-0-0(config)# exit

Exits configuration mode.

Step 4

show running-config

 

se-10-0-0-0# show running-config

Displays the system configuration, which includes the configured log server.

Examples

The output from the show running-config command might look similar to the following:

se-10-0-0-0# show running-config
 
clock timezone America/Los_Angeles
 
hostname se-10-0-0-0
 
ip domain-name localdomain
 
ntp server 10.100.60.1
.
.
.
log server address 10.100.10.210
 
voicemail default mailboxsize 3000
voicemail capacity time 6000
 
end

Configuring the Clock Time Zone

During the software postinstallation process, the time zone of the local Cisco Unity Express module was configured. Use this procedure to change the module’s time zone.

Cisco Unity Express automatically updates the clock for daylight savings time on the basis of the selected time zone.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif clock timezone timezone

3.blank.gif exit

4.blank.gif show clock detail

5.blank.gif copy running-config startup-config

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

clock timezone timezone

 

se-10-0-0-0(config)# clock timezone America/Los_Angeles

Specifies the local time zone. To enter a value for the timezone argument, you must know the phrase that represents your time zone.

If you do know the phrase, press <Enter>. A series of menus will appear to help you choose the time zone.

Step 3

exit

 

se-10-0-0-0(config)# exit

Exits configuration mode.

Step 4

show clock detail

 

se-10-0-0-0# show clock detail

Displays the time zone, clocking resolution, and current clock time.

Step 5

copy running-config startup-config

 

se-10-0-0-0# copy running-config startup-config

Copies the configuration changes to the startup configuration.

Examples

The following commands configure the clock time zone:

se-10-0-0-0# config t
se-10-0-0-0(config)# clock timezone
 
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa 4) Arctic Ocean 7) Australia 10) Pacific Ocean
2) Americas 5) Asia 8) Europe
3) Antarctica 6) Atlantic Ocean 9) Indian Ocean
#? 2
Please select a country.
1) Anguilla 18) Ecuador 35) Paraguay
2) Antigua & Barbuda 19) El Salvador 36) Peru
3) Argentina 20) French Guiana 37) Puerto Rico
4) Aruba 21) Greenland 38) St Kitts & Nevis
5) Bahamas 22) Grenada 39) St Lucia
6) Barbados 23) Guadeloupe 40) St Pierre & Miquelon
7) Belize 24) Guatemala 41) St Vincent
8) Bolivia 25) Guyana 42) Suriname
9) Brazil 26) Haiti 43) Trinidad & Tobago
10) Canada 27) Honduras 44) Turks & Caicos Is
11) Cayman Islands 28) Jamaica 45) United States
12) Chile 29) Martinique 46) Uruguay
13) Colombia 30) Mexico 47) Venezuela
14) Costa Rica 31) Montserrat 48) Virgin Islands (UK)
15) Cuba 32) Netherlands Antilles 49) Virgin Islands (US)
16) Dominica 33) Nicaragua
17) Dominican Republic 34) Panama
#? 45
Please select one of the following time zone regions.
1) Eastern Time
2) Eastern Time - Michigan - most locations
3) Eastern Time - Kentucky - Louisville area
4) Eastern Standard Time - Indiana - most locations
5) Central Time
6) Central Time - Michigan - Wisconsin border
7) Mountain Time
8) Mountain Time - south Idaho & east Oregon
9) Mountain Time - Navajo
10) Mountain Standard Time - Arizona
11) Pacific Time
12) Alaska Time
13) Alaska Time - Alaska panhandle
14) Alaska Time - Alaska panhandle neck
15) Alaska Time - west Alaska
16) Aleutian Islands
17) Hawaii
#? 11
 
The following information has been given:
 
United States
Pacific Time
 
Therefore TZ='America/Los_Angeles' will be used.
Local time is now: Tue Jul 18 02:02:19 PDT 2006.
Universal Time is now: Tue Jul 18 09:02:19 UTC 2006.
Is the above information OK?
1) Yes
2) No
#? 1
Save the change to startup configuration and reload the module for the new timezone to take effect.
se-10-0-0-0(config)# end
se-10-0-0-0#
 

The output from the show clock detail command might look similar to the following:

se-10-0-0-0# show clock detail
 
19:20:33.724 PST Wed Feb 4 2004
time zone: America/Pacific
clock state: unsync
delta from reference (microsec): 0
estimated error (microsec): 175431
time resolution (microsec): 1
clock interrupt period (microsec): 10000
time of day (sec): 732424833
time of day (microsec): 760817
 

Configuring Password and PIN Parameters

Cisco Unity Express supports the configuration of the password and personal identification number (PIN) parameters described in the following sections:

note.gif

Noteblank.gif If you change a Cisco Unified CME user’s password on Cisco Unity Express with Configure --> Users, the password for that user is updated on Cisco Unified CME. However, the reverse is not true: a user password changed on Cisco Unified CME will not be updated to Cisco Unity Express.


note.gif

Noteblank.gif For instructions on configuring PINless voicemail, see “Configuring PINless Mailbox Access” section.


Configuring Password and PIN Length and Expiry Time

Cisco Unity Express supports configuring the following two attributes of password and PIN:

  • Minimum password and PIN length

To support enhanced security procedures, Cisco Unity Express has made the password and PIN length configurable. In releases prior to Cisco Unity Express 10.2, the administrator can configure the length to a value greater than or equal to 3 alphanumeric characters. From Cisco Unity Express Release 10.2 onwards, the administrator can configure the minimum length ranging from 8 through 64 characters. There is no limit on the maximum length. This is a system-wide value, so that all subscribers must have passwords and PINs of at least that many characters. Use the GUI Defaults > User option or the procedure described below to configure this length.

The password length does not have to be equal to the PIN length. The default password length is 8 alphanumeric characters. The maximum PIN length is 16 alphanumeric characters.

To set the password or PIN length to the system default values, use the no or default form of the commands.

note.gif

Noteblank.gif If the minimum PIN length is increased, existing PINs that do not conform to the new limit will automatically expire. The subscriber must reset the PIN at the next log in to the TUI.


note.gif

Noteblank.gif The change in the minimum password length range is applicable only when a new user is created or the password of an existing user is updated. It does not apply to passwords that are already in use.


  • Password and PIN expiry time

Cisco Unity Express permits the administrator to configure the password and PIN expiry time on a system-wide basis. The expiry time is the time, in days, for which the password and PIN are valid. When this time is reached, the subscriber must enter a new password or PIN.

If this option is not configured, passwords and PINs do not expire.

Use the GUI Defaults > User option or the procedure described below to configure this time.

The password expiry time does not have to equal the PIN expiry time.

The valid range is 3 to 365 days.

To set the password or PIN expiry time to the system default values, use the no or default form of the commands.

SUMMARY STEPS

  • config t
  • security password length min password-length
  • security pin length min pin-length
  • security password expiry days password-days
  • security pin expiry days pin-days
  • exit

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

se-10-0-0-0(config)#

Enters configuration mode.

Step 2

security password length min password-length

 

se-10-0-0-0(config)# security password length min 5

Specifies the length of all subscribers’ passwords. The default minimum value is 3; the maximum value is 32.

To set the minimum password length to the system default, use the no or default form of this command.

Step 3

security pin length min pin-length

 

se-10-0-0-0(config)# security pin length min 4

Specifies the minimum length of all subscribers’ PINs. The default value is 3; the maximum value is 16.

To set the minimum PIN length to the system default, use the no or default form of this command.

Step 4

security password expiry days password-days

 

se-10-0-0-0(config)# security password expiry days 60

Specifies the maximum number of days for which subscribers’ passwords are valid. Valid values range from 3 to 365.

If this value is not configured, the passwords will not expire.

To set the password expiry time to the system default, use the no or default form of this command.

Step 5

security pin expiry days pin-days

 

se-10-0-0-0(config)# security pin expiry days 45

Specifies the maximum number of days for which subscriber’s PINs are valid. Valid values range from 3 to 365.

If this value is not configured, the PINs will not expire.

To set the PIN expiry time to the system default, use the no or default form of this command.

Step 6

exit

 

se-10-0-0-0(config)# exit

se-10-0-0-0#

Exits configuration mode.

Examples

The following example sets the password length to 6 characters, the PIN length to 5 characters, the password expiry time to 60 days, and the PIN expiry time to 45 days.

se-10-0-0-0# config t
se-10-0-0-0(config)# security password length min 6
se-10-0-0-0(config)# security pin length min 5
se-10-0-0-0(config)# security password expiry days 60
se-10-0-0-0(config)# security pin expiry days 45
se-10-0-0-0(config)# exit

Configuring Enhanced PIN Validation

Starting in release 8.6.4, you can configure an enhanced PIN validation feature, using the security pin trivialcheck command.

This feature enforces additional validations for a new PIN requested by a user. When the feature is not enabled, a smaller set of validations is enforced.

Validation
Enforced at all times
Enforced when PIN trivialcheck enabled

PIN cannot contain any other characters other than digits from 0 to 9.

Y

Y

PIN cannot contain digits less than the minimum length of PIN configured.

Y

Y

PIN cannot contain more than maximum length for PIN: 16 digits.

Y

Y

Previous n number of PINs cannot be reused if history depth is set to n.

Y

Y

The PIN cannot match the numeric representation of the first or last name of the user.

 

Y

The PIN cannot contain the primary or alternate phone extensions of the user.

 

Y

The PIN cannot contain the reverse of the primary or alternate phone extensions of the user.

 

Y

The PIN cannot contain groups of repeated digits, such as "408408" or "123123."

 

Y

The PIN cannot contain only two different digits, such as “121212.”

 

Y

A digit cannot be used more than two times consecutively, such as “28883.”

 

Y

The PIN cannot be an ascending or descending group of digits, such as “012345” or “987654.”

 

Y

The PIN cannot contain a group of numbers that are dialed in a straight line on the keypad when the group of digits equals the minimum credential length that is allowed. For example, if 3 digits are allowed, the user could not use “123,” “456,” or “789” as a PIN.

 

Y

Prerequisites

Cisco Unity Express 8.6.4 or a later version.

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif security pin trivialcheck

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 
se-10-0-0-0# config t

Enters configuration mode.

Step 2

security password lockout enable

 
se-10-0-0-0(config)# security pin trivialcheck

Enables the PIN trivial check validation feature.

Configuring Password and PIN Protection Lockout Modes

Starting in release 3.0, you can use both temporary and permanent lockout for passwords and PINs to help prevent security breeches.

For permanent lockout mode, the user’s account is permanently locked after a specified number of incorrect passwords or PINs are entered. After the account is locked, only the administrator can unlock it and reset the password.

For temporary lockout mode, the user’s account is temporarily locked after a specified number of initial incorrect passwords or PINs are entered. This lockout lasts for a specified amount of time. If the maximum number of incorrect passwords or PINs is exceeded for a second time, the account is locked for twice the specified a mount of time. The lockout time continues to increase for each set of incorrect passwords or PINs until the total number of failed login attempts equals the number specified to lock the account permanently. To prevent denial-of-service attacks, the retry count is not incremented if a user tries to log in during the lockout period. If the user enters the correct password or PIN and logs in successfully, the lockout time is reset to zero. After the account is permanently locked, only the administrator can unlock it and reset the password. When the administrator unlocks the account, the retry count and disable time are also reset to zero.

To configure the behavior for permanent lockouts, specify:

  • Lockout mode (set to permanent)
  • Maximum number of failed login attempts allowed before the account is locked

To configure the behavior for temporary lockouts, specify:

  • Lockout mode (set to temporary)
  • Number of failed attempts that trigger the initial temporary lockout
  • Duration of initial temporary lockout
  • Number of failed attempts that will lock the account permanently

You have the following four options when using password and PIN protect:

  • Password Protection with:

blank.gif Permanent Lockout

blank.gif Temporary Lockout

  • PIN Protection with:

blank.gif Permanent Lockout

blank.gif Temporary Lockout

The corresponding procedures are documented in the following sections:

Configuring Password Protection with Permanent Lockout

Prerequisites

Cisco Unity Express 3.0 or a later version

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif security password lockout enable

3.blank.gif security password lockout policy perm-lock

4.blank.gif security password perm-lock max-attempts no_of_max_attempts

5.blank.gif end

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

security password lockout enable

 
se-10-0-0-0(config)# security password lockout enable

Enables the password lockout feature.

Step 3

security password lockout policy perm-lock

 
se-10-0-0-0(config)# security password lockout policy perm-lock

Sets the security mode to lock out subscribers permanently when the maximum number of failed login attempts is reached.

Step 4

security password perm-lock max-attempts no_of_max_attempts

 
se-10-0-0-0(config)# security password perm-lock max-attempts 2

Specifies the maximum number of failed attempts that trigger a permanent lockout. Range is 1 to 200.

Step 5

end

 

se-10-0-0-0(config)# end

Returns to privileged EXEC mode.

Configuring PIN Protection with Permanent Lockout

Prerequisites

Cisco Unity Express 3.0 or a later version

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif security pin lockout enable

3.blank.gif security pin lockout policy perm-lock

4.blank.gif security pin perm-lock max-attempts no_of_max_attempts

5.blank.gif end

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

security pin lockout enable

 
se-10-0-0-0(config)# security pin lockout enable

Enables the PIN lockout feature.

Step 3

security pin lockout policy perm-lock

 
se-10-0-0-0(config)# security pin lockout policy perm-lock

Sets the security mode to lock out subscribers permanently when the maximum number of failed login attempts is reached.

Step 4

security pin perm-lock max-attempts no_of_max_attempts

 
se-10-0-0-0(config)# security pin perm-lock max-attempts 2

Specifies the maximum number of failed attempts that trigger a permanent lockout.

Step 5

end

 

se-10-0-0-0(config)# end

Returns to privileged EXEC mode.

Configuring Password Protection with Temporary Lockout

Prerequisites

Cisco Unity Express 3.0 or a later version

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif security password lockout enable

3.blank.gif security password lockout policy temp-lock

4.blank.gif security password temp-lock max-attempts no_of_max_attempts

5.blank.gif security password temp-lock init-attempts no_of_init_attempts

6.blank.gif security password temp-lock duration duration

7.blank.gif end

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

security password lockout enable

 
se-10-0-0-0(config)# security password lockout enable

Enables the PIN lockout feature.

Step 3

security password lockout policy temp-lock

 
se-10-0-0-0(config)# security password lockout policy temp-lock

Set the security mode to lock out subscribers permanently when the maximum number of failed login attempts is reached.

Step 4

security password temp-lock max-attempts no_of_max_attempts

 
se-10-0-0-0(config)# security password temp-lock init-attempts 8

Specifies the initial number of failed attempts that trigger a temporary lockout. Range is from the value of init-attempts to 200.

Step 5

security password temp-lock init-attempts no_of_init_attempts

 
se-10-0-0-0(config)# security password temp-lock init-attempts 4

Specifies the initial number of failed attempts that trigger a temporary lockout. Range is between 1 and the value of max_attempt s.

Step 6

security password temp-lock duration duration

 
se-10-0-0-0(config)# security password temp-lock duration 10

Specifies the initial lockout duration (in minutes) for a temporary lockout mode. The valid range is TBD.

Step 7

end

 

se-10-0-0-0(config)# end

Returns to privileged EXEC mode.

Configuring PIN Protection with Temporary Lockout

Prerequisites

Cisco Unity Express 3.0 or a later version

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif security pin lockout enable

3.blank.gif security pin lockout policy temp-lock

4.blank.gif security pin temp-lock max-attempts no_of_max_attempts

5.blank.gif security pin temp-lock init-attempts no_of_init_attempts

6.blank.gif security pin temp-lock duration duration

7.blank.gif end

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

security pin lockout enable

 
se-10-0-0-0(config)# security pin lockout enable

Enables the PIN lockout feature.

Step 3

security pin lockout policy temp-lock

 
se-10-0-0-0(config)# security pin lockout policy temp-lock

Set the security mode to lock out subscribers permanently when the maximum number of failed login attempts is reached.

Step 4

security pin temp-lock max-attempts no_of_max_attempts

 
se-10-0-0-0(config)# security pin temp-lock init-attempts 8

Specifies the initial number of failed attempts that trigger a temporary lockout. Range is from the value of init-attempts to 200.

Step 5

security pin temp-lock init-attempts no_of_init_attempts

 
se-10-0-0-0(config)# security pin temp-lock init-attempts 4

Specifies the initial number of failed attempts that trigger a temporary lockout. Range is between 1 and the value of max_attempt s.

Step 6

security pin temp-lock duration duration

 
se-10-0-0-0(config)# security pin temp-lock duration 10

Specifies the initial lockout duration (in minutes) for a temporary lockout mode. The valid range is TBD

Step 7

end

 

se-10-0-0-0(config)# end

Returns to privileged EXEC mode.

Configuring PIN and Password History

Starting in release 3.0, this feature enables the system to track previous PINs and passwords for all users and prevent users from reusing old PINs or passwords. You can configure the depth of the PIN or the password history using either the GUI or CLI.

This section contains these procedures:

Configuring the Password History Depth

Prerequisites

Cisco Unity Express 3.0 or a later version

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif security password history depth depth

3.blank.gif end

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

security password history depth depth

 
se-10-0-0-0(config)# security password history depth 6

Forces all users to choose a password that is not in their password history list.

Step 3

end

 

se-10-0-0-0(config)# end

Returns to privileged EXEC mode.

Configuring the PIN History Depth

Prerequisites

Cisco Unity Express 3.0 or a later version

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif config t

2.blank.gif security pin history depth depth

3.blank.gif end

DETAILED STEPS

 

Command or Action
Purpose

Step 1

config t

 

se-10-0-0-0# config t

Enters configuration mode.

Step 2

security pin history depth depth

 
se-10-0-0-0(config)# security pin history depth 6

Forces all users to choose a PIN that is not in their password history list.

Step 3

end

 

se-10-0-0-0(config)# end

Returns to privileged EXEC mode.

Displaying Password and PIN System Settings

Use the following Cisco Unity Express EXEC mode command to display the password and PIN settings:

show security detail

The command output can look similar to the following:

se-10-0-0-0# show security detail
 
Password Expires: true
Password Age: 60 days
Password Length (min): 5
Password Length (max): 32
PIN Expires: true
PIN Age: 45 days
PIN Length (min): 4
PIN Length (max): 16
 

The following example shows the values when password expiration and the PIN length are reset to the system default values:

se-10-0-0-0# show security detail
 
Password Expires: false
Password Length (min): 3
Password Length (max): 32
PIN Expires: false
PIN Length (min): 3
PIN Length (max): 16
 

To display PINless voicemail settings, use the following Cisco Unity Express EXEC mode command:

show voicemail detail mailbox [ owner ]

This command will produce output similar to the following, showing one of the three options displayed below:

se-10-0-0-0# show voicemail detail mailbox cjwhite
Owner: /sw/local/users/cjwhite
Type: Personal
Description:
Busy state: idle
Enabled: true
Allow login without pin: [no |
yes - from subscriber's phone numbers |
yes - from any phone number]
Mailbox Size (seconds): 3000
Message Size (seconds): 60
Play Tutorial: false
Fax Enabled: true
Space Used (seconds): 12
Total Message Count: 1
New Message Count: 1
Saved Message Count: 0
Future Message Count: 0
Deleted Message Count: 0
Fax Message Count: 0
Expiration (days): 30
Greeting: standard
Zero Out Number:
Created/Last Accessed: Jun 05 2007 17:06:07 PDTumber: 1

Encrypting PINs in Backup Files

Before release 3.0, PINs were stored as clear text in LDAP and were therefore visible in the backup file. This is because user PINs are stored in LDAP, which is backed up in LDIF format. This feature applies SHA-1 hash encryption to PINs before storing them in the LDAP database. As a result, when a user logs in to voice mail, the PIN they submit is hashed and compared to the PIN attribute retrieved from the LDAP directory.

To migrate from earlier version, you must convert from a clear PIN to a hashed PIN in the LDAP directory. Typically, you do this immediately after a system upgrade from an earlier version or after a restore operation from an old backup. At this point, the clear PIN is removed from the database and replaced with the encrypted PIN.

Because encryption using SHA-1 is not reversible, after the conversion is complete, you cannot disable or turn off this feature to restore the encrypted PIN to its clear form.

note.gif

Noteblank.gif This feature does not require any configuration using the GUI or CLI.


Scheduling CLI Commands

Beginning in Cisco Unity Express 8.0, you can schedule the execution of a block of CLI commands. Blocks of commands are entered interactively, using a symbol delimiter character to start and stop the execution. The execution of the block of commands begins in EXEC mode, but mode-changing commands are allowed in the command block.

The following limitations apply in Cisco Unity Express 8.0:

  • The maximum size of the block of commands is 1024 characters,including new lines.
  • Commands in the block cannot use the comma “,” character or the delimiter character. For example, if the delimiter character is configured to be “#”, then that character cannot be used in the command blocks.
  • Only system administrators can schedule the execution of blocks of commands.
  • CLI commands are executed under system super-user privileges.
  • Notification for the execution of these command blocks is not available. Error messages and results are available in log files only.
caut.gif

Caution blank.gif Use caution when scheduling CLI commands. Interactive commands will cause the execution to hang. Some commands might cause system instability.

Prerequisites

Cisco Unity Express 8.0 or a later version

Required Data for This Procedure

None.

SUMMARY STEPS

1.blank.gif kron schedule [ name ]

2.blank.gif description

3.blank.gif repeat every { number days at time |number weeks on day | number months on day date | number years on month month } at time

note.gif

Note Instead of the repeat every command, you can optionally use one of the following commands:

  • repeat once at time
  • repeat daily at time
  • repeat monthly on day date at time
  • repeat weekly on day at time
  • repeat yearly on month month at time


 

4.blank.gif start-date date

5.blank.gif stop-date date

6.blank.gif commands delimiter

7.blank.gif exit

8.blank.gif show kron schedules

9.blank.gif show kron schedule detail job

DETAILED STEPS

 

Command or Action
Purpose

Step 1

kron schedule [ name ]

 
se-10-0-0-0# kron schedule kron1011

Enters kron schedule configuration mode.

Step 2

description description

 

se-10-0-0-0(kron-schedule)# description backup

(Optional) Enters a description for the scheduled kron job.

Step 3

repeat every { number days | number weeks on day | number months on day date | number years on month month } at time time

 

se-10-0-0-0(kron-schedule)# repeat every 2 days at time 10:00

Specifies how often a recurring scheduled kron job occurs. To configure a one-time kron job, use the repeat once command. You can also optionally use one of the other repeat commands listed in the previous note.

Step 4

start-date date

 

se-10-0-0-0(kron-schedule)# start-date 05/30/2009

Specifies the start date for the recurring scheduled kron job to occur.

Step 5

stop-date date

 

se-10-0-0-0(kron-schedule)# stop-date 10/20/2009

Specifies the stop date for the recurring scheduled kron job to occur.

Step 6

commands delimiter
 
se-10-0-0-0(kron-schedule)# commands %
Enter CLI commands to be executed. End with the character ‘%’. Maximum size is 1024 characters, it may not contain symbol %.
 
 
%show version
show running-config
config t
hostname aaa
 
%
se-10-0-0-0(kron-schedule)#

Enters an interactive mode where commands in the the command block can be entered for the scheduled kron job. Use the delimiter character to delimit the command block.

note.gif

Noteblank.gif Any symbol can be a delimiter. The “%” symbol is shown for example purposes only.


Step 7

exit

Exits kron schedule configuration mode.

Step 8

show kron schedules

 

se-10-0-0-0# show kron schedule

Displays a list of scheduled kron jobs.

Step 9

show kron schedule detail job name

 

se-10-0-0-0# show kron schedule detail job kron1011

Displays information about a specific scheduled kron job.

Examples

The following is sample output from the show kron schedules command:

se-10-0-0-0# show kron schedules
Name Schedule Commands
krj1 Every 1 days at 12:34 show ver,sh run,conf t,host...
Total: 1

 

The following is sample output from the show kron schedule detail job command:

se-10-0-0-0# show kron schedule detail job krj1
Job Name krj1
Description
Schedule NOT SET
Last Run NEVER
Last Result
Next Run NEVER
Active from Feb 15, 2010 until INDEFINITE
Disabled
CLI Commands
show ver
sh run
conf t
hostname aaa
se-10-0-0-0#