Cisco Unity System Administration Guide (With Microsoft Exchange), Release 4.0(4)
Enhanced Phone Security

Enhanced Phone Security


Overview: Enhanced Phone Security

You can set up Cisco Unity subscriber accounts to use a secure logon method known as two-factor user authentication. Cisco Unity works with the RSA SecurID system to provide this method of enhanced phone security. The RSA SecurID system is made up of three major components: RSA SecurID authenticators, the RSA ACE/Server, and the RSA ACE/Agent.

With the RSA SecurID system, each authorized Cisco Unity subscriber is assigned an RSA SecurID authenticator. Every 60 seconds, the authenticator generates and displays a new, unpredictable number—known as a secure ID or tokencode—that is unique to the subscriber. RSA offers authenticators in the form of hardware, software, and smart cards.

Each Cisco Unity subscriber who has an authenticator must have a user account on the ACE/Server. You use the RSA Database Administrator program on the ACE/Server to create and maintain the user accounts. A user account contains the RSA alias and PIN, and information about the user authenticator. By using the information in a user account, the ACE/Server generates the same secure ID as the user authenticator.

In the Cisco Unity Administrator, you assign subscribers to a class of service for which enhanced phone security is enabled. By default, Cisco Unity uses a subscriber Exchange alias as the subscriber RSA alias.

When logging on to Cisco Unity over the phone, subscribers enter an ID as usual. Then, instead of a password, subscribers enter a passcode, which is a number that combines the subscriber PIN and the secure ID displayed on the subscriber authenticator. Cisco Unity uses the ID to look up the user RSA alias and sends the RSA alias and passcode to the ACE/Agent installed on the Cisco Unity server. The ACE/Agent encrypts the RSA alias and passcode and sends it to the ACE/Server. The ACE/Server looks up the user account, then validates the passcode by using the information stored in the account. The ACE/Server returns a code to the ACE/Agent, which in turn passes it along to Cisco Unity. Return code meanings are shown in Table 10-1.

Table 10-1 ACE/Server Return Codes

Return Code         Meaning
Passcode accepted   Cisco Unity allows subscriber access to messages.
Access denied       Cisco Unity prompts the subscriber to enter the passcode again.
                    This return code can also indicate that the ACE/Server is unavailable.
Secure ID expired   Cisco Unity prompts the subscriber to enter the next secure ID displayed on the authenticator.
New PIN needed      Cisco Unity prompts the subscriber to enter a new PIN.


Unless you have assigned PINs, subscribers will not yet have created PINs the first time they log on, so instead of passcodes they enter only secure IDs. The subscriber conversation guides the subscriber through the process of creating a PIN. Cisco Unity detects when New PIN mode is enabled or when a subscriber PIN has been cleared in the RSA Database Administrator, and the subscriber conversation prompts the subscriber to create a new PIN at the next logon. When subscribers log on to Cisco Unity after a PIN has been cleared, instead of a passcode they enter only a secure ID.
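The following is an added simulation of the logon exchange just described (Cisco Unity resolving the RSA alias, the ACE/Agent relaying alias and passcode, and the ACE/Server returning one of the Table 10-1 codes), written for this page and not code from Cisco or RSA. The `AceServer`, `AceUser`, `Subscriber` and `phone_logon` names, the tokencode-per-window model and the return-code strings are constructed assumptions; the real ACE protocol and wire values are not shown on the page.

```python
from typing import Optional
from dataclasses import dataclass
# Return codes from Table 10-1; the real wire values are not on the page, so placeholders.
ACCEPTED, DENIED, EXPIRED, NEW_PIN = "accepted", "denied", "expired", "new_pin"
@dataclass
class AceUser:
    pin: Optional[str]   # None = PIN cleared in RSA Database Administrator (New PIN mode)
    codes: list          # one tokencode per 60-second window, as the authenticator displays

class AceServer:
    """Constructed stand-in for the ACE/Server: validates an RSA alias and passcode."""
    def __init__(self, users: dict, window: int = 0):
        self.users, self.window = users, window   # window = current 60-second slot
    def validate(self, alias: str, passcode: str) -> str:
        user = self.users.get(alias)
        if user is None:
            return DENIED
        if user.pin is None:                      # no PIN yet: subscriber keys in secure ID only
            return NEW_PIN if passcode == user.codes[self.window] else DENIED
        if not passcode.startswith(user.pin):     # passcode = PIN followed by secure ID
            return DENIED
        code = passcode[len(user.pin):]
        if code == user.codes[self.window]:
            return ACCEPTED
        if self.window and code == user.codes[self.window - 1]:
            return EXPIRED                        # previous window's code: ask for the next one
        return DENIED

@dataclass
class Subscriber:
    exchange_alias: str
    enhanced_security: bool          # granted by the subscriber's class of service
    rsa_alias: Optional[str] = None  # Enhanced Security User Alias box, when it differs

def phone_logon(sub: Subscriber, ace: AceServer, entries: list) -> list:
    """Return the prompts Cisco Unity plays for the entries keyed in after the ID."""
    if not sub.enhanced_security:
        return ["regular password prompt"]
    alias = sub.rsa_alias or sub.exchange_alias   # default RSA alias is the Exchange alias
    prompts = []
    for entry in entries:
        rc = ace.validate(alias, entry)           # ACE/Agent relays alias + passcode
        prompts.append({ACCEPTED: "access to messages",
                        DENIED: "re-enter passcode (or ACE/Server unavailable)",
                        EXPIRED: "enter next secure ID",
                        NEW_PIN: "create new PIN"}[rc])
        if rc in (ACCEPTED, NEW_PIN):             # done, or the conversation now creates a PIN
            return prompts
    return prompts
```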


Note: The RSA SecurID system is not available for subscribers who use the Cisco Unity Greetings Administrator. See the "Cisco Unity Conversation" chapter for information on the Cisco Unity Greetings Administrator.


Setting Up Enhanced Phone Security

If you have an existing ACE/Server, skip the steps below that do not apply. Refer to the RSA documentation for information on setting up the ACE/Server and ACE/Agent and for creating and maintaining user accounts.

To Set Up Enhanced Phone Security


Step 1 Install and configure the ACE/Server. Install only the Local Access Authentication (Client) and the Control Panel Applet components. Do not install the Web Access Authentication (Server) component.

Step 2 On the ACE/Server, use the RSA Database Administrator program to create the applicable user accounts.

Note that when specifying settings for PIN assignments, indicate user-created PINs only. Cisco Unity does not support system-generated PINs.

Step 3 Create a group that includes all the users who will use enhanced phone security on Cisco Unity.

Step 4 Create an Agent Host for each Cisco Unity server (required on both the primary and secondary server when failover will be used).

Step 5 Specify Communications Server as the Agent Host type.

Step 6 Add the group you created in Step 3 to the Group Activation section of the new client.

Step 7 On each Cisco Unity server, install and configure the ACE/Agent to work with the Agent Host(s) you created on the ACE/Server.

Step 8 Use the ACE/Agent Test Authentication utility to authenticate a user with the ACE/Server. If you cannot authenticate the user with the test program, troubleshoot the ACE client/server connection. If you are using failover, also test in a manual failover condition.

Step 9 Start Cisco Unity.

Step 10 In the Cisco Unity Administrator on each Cisco Unity server, go to the System > Configuration > Settings page and check the RSA Two Factor check box.

Step 11 Log off of the Cisco Unity Administrator.

Step 12 Shut down and restart each Cisco Unity server for enhanced phone security to take effect.

Step 13 Create a new class of service (COS) or modify an existing COS for the subscribers who are using enhanced phone security. (See the "Class of Service Settings" chapter for detailed procedures.)

Step 14 On the Subscribers > Class of Service > Profile page of the applicable COS, click Enhanced Security in the Phone Security section.

Step 15 Assign subscribers to the enhanced phone security COS. When using failover, the COS and subscriber settings only need to be created on the primary Cisco Unity server. They will automatically replicate to the secondary server.

Step 16 If the RSA alias for the subscriber is something other than the subscriber Exchange alias, go to the subscriber Profile page and enter the RSA alias in the Enhanced Security User Alias box.

Step 17 Distribute the RSA authenticators to the applicable subscribers.


To Disable Enhanced Security System-wide


Step 1 In the Cisco Unity Administrator on each Cisco Unity server, go to the System > Configuration > Settings page, and uncheck the RSA Two Factor check box.

Step 2 For every class of service (COS) currently being used in your system, go to the applicable Subscribers > Class of Service > Profile page on the Cisco Unity server, and click Regular Phone Security. This change is required only on the primary Cisco Unity server if failover is in use. The COS settings will automatically replicate to the secondary server.