Credential Policy Overview
Credential policies control the authentication process for resources in Cisco Unified Communications Manager. A credential policy defines password requirements and account lockout details such as failed login attempts, expiration periods, and lockout durations for end user passwords, end user PINs, and application user passwords. Credential policies can be assigned broadly to all accounts of a specific credential type, such as all end user PINs, or they can be customized for a specific application user or end user.
Credential Types
In Credential Policy Configuration you can configure a new credential policy and then apply that new policy as the default credential policy for each of the following three credential types:
- End User PINs
- End User Passwords
- Application User Passwords
You can also apply the credential policy to a specific end user PIN, end user password, or application user password.
Credential Policies with LDAP Authentication Enabled
- With LDAP Authentication enabled, credential policies do not apply to end user passwords.
- Credential policies do apply to end user PINs and application user passwords, irrespective of whether LDAP Authentication is enabled. These credential types use local authentication.
Note: Credential policies do not apply to operating system users or CLI users. These administrators use the standard password verification procedures that the operating system supports.
Trivial Passwords
The system can be configured to check for trivial passwords and PINs. A trivial password is a credential that can be guessed easily, such as ABCD as a password or 123456 as a PIN.
Non-trivial passwords meet the following requirements:
- Must contain three of the following four characteristics: uppercase character, lowercase character, number, or symbol.
- Must not use a character or number more than three times consecutively.
- Must not repeat or include the alias, username, or extension.
- Cannot consist of consecutive characters or numbers. For example, passwords such as 654321 or ABCDEFG are not allowed.
PINs can contain digits (0-9) only. A non-trivial PIN meets the following criteria:
- Must not use the same number more than two times consecutively.
- Must not repeat or include the user extension, mailbox, or the reverse of the user extension or mailbox.
- Must contain three different numbers. For example, a PIN such as 121212 is trivial.
- Must not match the numeric representation (that is, dial by name) for the first or last name of the user.
- Must not contain groups of repeated digits, such as 408408, or patterns that are dialed in a straight line on a keypad, such as 2580, 159, or 753.
JTAPI and TAPI Support for Credential Policies
Because the Cisco Unified Communications Manager Java telephony applications programming interface (JTAPI) and telephony applications programming interface (TAPI) support the credential policies that are assigned to application users, developers must create applications that respond to the password expiration, PIN expiration, and lockout return codes for credential policy enforcement.
Applications use an API to authenticate with the database or corporate directory, regardless of the authentication model that an application uses.
For more information about JTAPI and TAPI for developers, see the developer guides at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-programming-reference-guides-list.html.