[cisco-voip] Serious 11.5 installation defect

daniel at ohnesorge.me
Mon Aug 22 19:12:03 EDT 2016


This is going to cause problems for US Government customers that are 
wanting to deploy FedRAMP mode...

 From 
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1/secugd/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151_chapter_011010.html

"Credential Policy

When FedRAMP mode is enabled, the following credential policy takes 
effect automatically for new passwords and password changes. After 
FedRAMP mode is enabled, administrators can use the set password *** 
series of CLI commands to modify any of these requirements:

Password Length should be between 14 to 127 characters.
Password should have at least 1 lowercase, 1 uppercase, 1 digit and 1 
special character.
Any of the previous 24 passwords cannot be reused.
Minimum age of the password is 1 day and Maximum age of the password is 
60 days.
Any newly generated password's character sequence will need to differ by 
at least 4 characters from the old password's character sequence."


On 2016-08-23 00:33, Scott Voll wrote:

> Sounds like one we had with Cisco Security Manager.  It would send a 
> password under 15 characters correctly because it encrypted the whole 
> password, but after 15 characters it would encrypt the 15 characters 
> and add padding to the additional characters after the encryption, rather 
> than sending the password with padding then encrypting it.
> 
> Reminder that if it's Cisco to make sure your password is less than 16 
> characters ;-)
> 
> Scott
> 
> On Sun, Aug 21, 2016 at 10:43 PM, Daniel Ohnesorge via cisco-voip 
> <cisco-voip at puck.nether.net> wrote:
> In this case, the customer has a strict password policy and the 
> password was generated via an internal web app. Normally I would also 
> not use one that long!
> 
> On 2016-08-22 13:57, Anthony Holloway wrote:
> 
> Wow, good to know, but I cannot say that I have ever seen a password 
> that long on a server before.  That's a first for me.  I tend to still 
> use 8 character length.  Old habit, I'm sure.
> 
> Are you consistently deploying 16+ character passwords nowadays?
> 
> On Sun, Aug 21, 2016 at 5:54 PM, Daniel Ohnesorge via cisco-voip 
> <cisco-voip at puck.nether.net> wrote:
> 
> Hi All,
> 
> Just wanted to make you all aware of a serious installation defect with 
> 11.5 that the Cisco DE's are currently investigating and will soon be 
> raising a new defect against.
> 
> Basically, the CUCM Publisher installation goes ahead fine but once you 
> try to install any subscriber (including the CUPS DB PUB), the 
> installation will fail after all Network and Connectivity checks 
> passed. It has taken TAC, BU and DE's 2 weeks to figure out what was 
> going wrong, it turns out that the password used for the Application 
> User is too long (even though it is within documentation guidelines). 
> The password I used was 1 Uppercase, 14 lowercase, 1 number and 1 
> special character (underscore). DE's have been able to replicate the 
> issue in the lab using the same complexity. When using a password such 
> as ipcbu123 the installation is successful. This affects CUCM, CUPS and 
> CUC.
> 
> Thanks,
> Daniel
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
  _______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
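
An added example, not part of the original message and not Cisco's code: a pre-flight check of a candidate password against the FedRAMP credential policy quoted above. How "differ by at least 4 characters" is measured and what counts as a special character are assumptions, and the sample passwords are constructed.

```python
import string

# Limits taken from the credential policy quoted in this message.
MIN_LEN, MAX_LEN = 14, 127
HISTORY_DEPTH = 24
MIN_DIFF = 4


def char_difference(new, old):
    """Count differing positions plus the length difference.

    Assumption: the quoted policy does not define the measurement,
    so a simple positional comparison is used here.
    """
    differing = sum(a != b for a, b in zip(new, old))
    return differing + abs(len(new) - len(old))


def policy_violations(candidate, history=()):
    """Return the quoted-policy rules that the candidate breaks.

    history: previous passwords, most recent first (hypothetical input;
    a real system would compare against stored hashes).
    """
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    classes = {
        "lowercase": string.ascii_lowercase,
        "uppercase": string.ascii_uppercase,
        "digit": string.digits,
        "special": string.punctuation,  # assumption: ASCII punctuation
    }
    for name, alphabet in classes.items():
        if not any(ch in alphabet for ch in candidate):
            problems.append(name)
    recent = list(history)[:HISTORY_DEPTH]
    if candidate in recent:
        problems.append("reuse")
    if recent and char_difference(candidate, recent[0]) < MIN_DIFF:
        problems.append("too-similar")
    return problems


# Constructed sample with the composition described in the thread:
# 1 uppercase, 14 lowercase, 1 number, 1 underscore (17 characters).
SHAPE_FROM_THREAD = "Aabcdefghijklmn1_"
# Password the thread reports as installing successfully.
SHORT_FROM_THREAD = "ipcbu123"
```

The 17-character sample satisfies every quoted rule while having the composition the thread reports as failing subscriber installs; `ipcbu123`, which installs, breaks the length, uppercase and special-character rules.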