Cisco Cisco TelePresence MCU 4510 Maintenance Manual
Configuring the MCU
Cisco TelePresence MCU 4.3 Product administration guide
Page 167 of 242
Require
administrator
login
administrator
login
Select this option to require an administrator login by anyone attempting to connect to the MCU
via the console port. If this is not enabled, anyone with physical access to the MCU (or with
access to your terminal server) can potentially enter commands on the serial console.
via the console port. If this is not enabled, anyone with physical access to the MCU (or with
access to your terminal server) can potentially enter commands on the serial console.
Idle console
session
timeout
session
timeout
If you have enabled Require administrator login , you can configure a session timeout period.
The timeout setting for idle console sessions. The admin must log in again if the console
sessions expires. The timeout value must be between 1 and 60 minutes.
The timeout setting for idle console sessions. The admin must log in again if the console
sessions expires. The timeout value must be between 1 and 60 minutes.
Advanced account security mode
You can configure the MCU to use advanced account security mode. Advanced account security mode has
the following features:
the following features:
n
The MCU will hash passwords before storing them in the configuration.xml file (see
n
The MCU will demand that passwords fullfil certain criteria, using a mixture of alphanumeric and non-
alphanumeric (special) characters (see
alphanumeric (special) characters (see
n
Passwords will expire after 60 days
n
A new password for an account must be different from the last ten passwords used with that account
n
The MCU will disable a user's account if that user incorrectly enters a password three times consecutively.
If this is an admin account, it is disabled for 30 minutes; for any other account, it is disabled indefinitely (or
until you, the administrator, re-enable the account from the
If this is an admin account, it is disabled for 30 minutes; for any other account, it is disabled indefinitely (or
until you, the administrator, re-enable the account from the
User
page)
n
Non-administrator account holders are not allowed to change their password more than once in any 24 hour
period
period
n
Administrators can change any user account’s password and force any account to change its password by
selecting Force user to change password on next login on the
selecting Force user to change password on next login on the
User
page. Administrators can prevent
any non-administrator account from changing its password by selecting Lock password on the
User
page.
n
The MCU will disable any non-administrator account after a 30 day period of account inactivity. To re-
enable the account, you must edit that account's settings on the
enable the account, you must edit that account's settings on the
User
page
If you enable advanced security, all current passwords (created when the MCU was not in advanced account
security mode) will expire and users must change them.
security mode) will expire and users must change them.
When using Advanced account security mode, we recommend that you rename the default administrator
account. This is especially true where the MCU is connected to the public internet because security attacks
will often use “admin” when attempting to access a device with a public IP address. Even on a secure
network, if the default administrator account is “admin”, it is not inconceivable that innocent attempts to log
into the MCU will cause you to be locked out for 30 minutes.
account. This is especially true where the MCU is connected to the public internet because security attacks
will often use “admin” when attempting to access a device with a public IP address. Even on a secure
network, if the default administrator account is “admin”, it is not inconceivable that innocent attempts to log
into the MCU will cause you to be locked out for 30 minutes.
We recommend that you create several accounts with administrator privileges. This will mean that you will
have an account through which you can access the MCU even if one administrator account has been locked
out.
have an account through which you can access the MCU even if one administrator account has been locked
out.
If there are applications accessing the MCU, for example TMS, Conference Director, or any other API
application, we recommend that you create dedicated administrator accounts for each application.
application, we recommend that you create dedicated administrator accounts for each application.
In advanced account security mode, if a user logs in with a correct but expired password the MCU asks that
user to change the password. If the user chooses not to change it, that user is allowed two more login
attempts to change the password before the account gets disabled.
user to change the password. If the user chooses not to change it, that user is allowed two more login
attempts to change the password before the account gets disabled.