Re: CUCM "End User" Account Lockout notification

w419366 · ‎10-06-2022

In this time of high security protection, I am looking to see if I can get any alerts from CUCM or RTMT for "End User" Accounts that have failed PIN sign in, up to the configured value in my Password Policy.

I already get alerts for Admin and End Users that fail to log in 3 time in succession in RTMT to the Admin Portal, but its the End User PIN lockouts I cannot see.

Example, Set Max PIN login attempts to 2, Tried to log in Via MVA with incorrect PIN twice, Checked End User and can see they are locked. But no Alert.

b.winter · ‎10-13-2022

Hi,
There is no such Alert in RTMT and AFAIK no other method to get this info.

On the other side: Why do you want to know it? Per default settings, the account is unlocked automatically after 30 min.

Personally, I would rather work with the settings of the policy, than getting to know, which user is not able to remember PIN (a number of typically 4 or 5 digits ...) and then unlocking them again manually.

w419366 · ‎10-13-2022

It is for security monitoring to see if any users accounts are being brute force attacked to attempt log in. Imagine if you get users that are getting locked out due to an attack on their PIN login and then you need to reset them all or trace. I would rather be proactive on the problem and reactive.

b.winter · ‎10-13-2022

Tried to answer your original question in my first post.

To your possible security "issue":
What should be the intention of an attacker, brute forcing one single user, just so that he is not able to use CUCM services any more, where a PIN is needed? After x attempts, the account is locked anyway and there is nothing more to brute force. And in the case of MVA, the attacker needs 2 very specific numbers (MVA number and the user's external phone number assigned to the remote destination), so that he can even use the attack. And for other services like Extension mobility, the attacker needs to be in your network. Either physically, or by gettings access from external. But then you have a lot other security problems, than a locked PIN... (And I think it's not a goal of a hacker, to get access to inside networks just to block telephone PINs). What benefit should a hacker gain by doing all this?
Those are very sophisticated scenarios and I think, you are trying to get a complicated solution, that probably doesn't exist.

Maren Mahoney · ‎10-14-2022

There's no need to question your purpose, you have a security need you are asking help with.

There are a couple of Alarms it the alarm catalog that refer to failed logins. I'm not sure which one would be relevant to PIN:

System Alarm Catalog > Login Alarm Catalog > "Authentication Failed"
CallManger Alarm Catalog > TCDSVRAlarmCatalog > "UserLoginFailed"

These alarms are in the Alarm Catalog and therefore must be collected somewhere. I have been unable to locate exactly where though, despite poking around my lab for the last hour or so. Wherever they are collected, you should be able to send them to a Syslog server and have the Syslog server monitor and alert you when these alarms are received. There may also be some way in CUCM/RTMT/etc. to generate an alert but you'd have to find the alarm first.

I'm sorry I can't help more. This is an interesting question and I may do more research.

Maren