Solved: Shashank, respectfully, I'm

chancalvin · ‎07-05-2016

Hello All,

If I change any of the settings in my current authentication rules will that only apply to new voicemail users that get created after the change?

ie. if I change the minimum credential length from 6 to 8, will users that had 6 previously now get an error when they try to login? Do they get prompted to change?

Or does the 6 min length get grandfathered in? I have a credential expiry date set too. So do users with 6 min length keep the 6, and once it expires, they get prompted to enter an 8 min length password?

How about if I check off the trivial password option? Will that start setting off alarms/errors right away for existing users with trivial passwords already?

I guess to ask more simply, do authentication rules have a "grandfather-in" approach when authentication rule changes are made?

Or does it have an immediate effect on all existing users too?

please let me know

thank you

Ryan Huff · ‎07-05-2016

Shashank, respectfully, I'm going to humbly give a little push-back on this :)

The activation and availability of the authentication rule is applied to ALL subscriber accounts instantly; however the application and enforcement of the authentication rule's policies are not retroactive.

When you make changes to an authentication rule in Unity Connection (for voicemail or web application), it IS NOT retroactive; meaning it DOES NOT change or invalidate any existing subscriber pins or web application passwords -nor does it (by default) force the user to change them on subsequent login. Although, a natural expiry would subsequently require a user based change that would succumb to the changed authentication rule's behavior.

Once you make a change to an authentication rule, the rule's behavior takes effect on any passwords / pins (within the rule's governance) created hence forth, not retroactively.

To confirm this, as a gut-check for myself, I just spun-up a CUCM / CUC lab in dCloud and purposely created a trivial PIN (123) and Web Application password (123) for a subscriber account. I successfully logged in with both. Then I changed the respective authentication rules governing those pins and passwords to "Check for Trivial" and "minimum credential length = 6|". After which, I was still able to log into the subscriber mailbox (and PCA portal) using, "123" which would be in violation of the now current authentication rules.

Upon attempting to change the pin and web application password, I was unable to enter anything less than 6 characters or with trivial sequence.

Thanks,

Ryan

(.. Please rate helpful posts ..)

View solution in original post

Ryan Huff · ‎07-05-2016

Changes to authentication rules do not apply retroactively.

The following excerpt comes from page 6 (under the "Minimum Credential Length" section) of http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/9x/security/guide/9xcucsecx/9xcucsec060.pdf

"When you change the minimum credential length, users will be required to use the new length the next
time that they change their PINs and passwords"

Thanks,

Ryan

(.. Please rate helpful posts ..)

chancalvin · ‎07-06-2016

Wow great!

Thank you so much for labbing this out Ryan. 5*s!

And thank you for your input rob Huffman, always valuable.

thank you

Shashank Mahajan · ‎07-05-2016

The authentication rules on Unity connection would take effect immediately for all existing as well as newly created users.

Ryan Huff · ‎07-05-2016

Shashank, respectfully, I'm going to humbly give a little push-back on this :)

The activation and availability of the authentication rule is applied to ALL subscriber accounts instantly; however the application and enforcement of the authentication rule's policies are not retroactive.

When you make changes to an authentication rule in Unity Connection (for voicemail or web application), it IS NOT retroactive; meaning it DOES NOT change or invalidate any existing subscriber pins or web application passwords -nor does it (by default) force the user to change them on subsequent login. Although, a natural expiry would subsequently require a user based change that would succumb to the changed authentication rule's behavior.

Once you make a change to an authentication rule, the rule's behavior takes effect on any passwords / pins (within the rule's governance) created hence forth, not retroactively.

To confirm this, as a gut-check for myself, I just spun-up a CUCM / CUC lab in dCloud and purposely created a trivial PIN (123) and Web Application password (123) for a subscriber account. I successfully logged in with both. Then I changed the respective authentication rules governing those pins and passwords to "Check for Trivial" and "minimum credential length = 6|". After which, I was still able to log into the subscriber mailbox (and PCA portal) using, "123" which would be in violation of the now current authentication rules.

Upon attempting to change the pin and web application password, I was unable to enter anything less than 6 characters or with trivial sequence.

Thanks,

Ryan

(.. Please rate helpful posts ..)

johnthoyt · ‎07-31-2019

Ryan,

I like your test in dCloud but I believe it needs to have a few more scenarios added. I don't currently have the answer to these questions. What if you have a user base that has been in existence for a long period of time with the authentication rules sets to never expires and then you change the authentication rule to expires every 30 days. Does the timer start from the date and time of the authentication rule change or does the system have insight into the age of the users' current PIN's and Passwords and enforce the change at next login for those over 30 days old? Then how does it behave when changing the stored previous credentials? Unity Connection guides state that the default stored credentials value is 5 but what if it was never enforced? I have reviewed several of the Unity Connection version guides and do not see the answer to the impact of changing these values on existing production systems. From an IT persepective, the end goal is being achieved but to effectively communicate the change to the user community this could be very intrusive and can take a helpdesk supporting thousands of users by surprise. Just food for thought and hence could be the reason for one of Cisco's post on this topic that it takes effect immediately. I agree it does not revoke the current set PIN or password but it could be immediately upon next login enforced for the user to change.

Rob Huffman · ‎07-06-2016

Hi Calvin,

I'm going to have to go with Ryan on this one (nice work labbing this up to test Ryan! +5)

I had a BIG boss at one time who wanted to be able to use a 4 digit PIN but wanted everyone else to have to use a minimum length PIN of 6 digits. I set him up with the Authentication Rule set @ "minimum credential length = 4|" and once he was done going through the mailbox set up I changed the Authentication Rule set @ "minimum credential length = back to 6" and it worked just the way Ryan described and as you nicely captured in your original post here;

"Or does the 6 min length get grandfathered in? I have a credential expiry date set too. So do users with 6 min length keep the 6, and once it expires, they get prompted to enter an 8 min length password?"

Cheers!

Rob

Unity Connection Authentication Rules