Changing PIN from an IP phone in CUCM 6.1(3)

Unanswered Question
Mar 17th, 2009
User Badges:

Hi All,

I have got probably rather silly question here.

We have a new installation of CUCM 6.1(3) with Extension Mobility configured. For security reasons the customer wants to enforce end-users to change their PINs after the first login. So in the End-User PIN Credential Policy we are specifying "User Must Change at the Next Login".

As the result we have the following. The user is trying to log into his IP Phone with his default PIN (which is definitely valid) and gets the prompt (on the phone screen) to change the PIN. He keys in a new PIN but it is not accepted and he gets the "Authentication Error" message instead. As the result he can not login.

We have tried different setting on the Credential Policy but nothing helped - the system simply does not accept PIN changes from an IP Phone. I have searched the web but could not find any trace of the same issue.

Has anybody seen this before? Is there some additional settings to enable changing PINs from IP Phones? Is it actually possible in CUCM 6.1(3)?

Thanks a lot for any help!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (3 ratings)
davidjani Wed, 03/18/2009 - 09:17
User Badges:


Not sure about this to be honest but it may well be easier to provide this functionality via web page:


From this page they can make many changes to their profile however if you do not want them to make such a vast number of changes the options available to them can be locked down via the Enterprise Parameters.

I know it is not exactly what you were looking for but I hope it helps you resolve the issue in the short term so at least people can get up & running.


Alexander.Khlem... Wed, 03/18/2009 - 09:30
User Badges:

Thanks a lot for the reply. Unfortunately the customer does not want to give end-users the access to the CCMUser web page. The customer needs the end-users to be able to change their PINs from IP phones and according to Cisco this should be possible.

davidjani Wed, 03/18/2009 - 10:32
User Badges:

I dont know if it will make a difference but have they been assigned to the Standard CCM End User Group?


davidjani Wed, 03/18/2009 - 11:17
User Badges:

I have just tested this and I get the same symptoms but I think it may be the way they present it.

My understanding of what I saw is that you cannot do this, it does not appear to promt for a PIN change but rather it provides a message to inform that you must change it. I can only assume they assume you would be providing access to the web page!?!

Does look rather confusing but I would expect a different screen to appear if this was possible e.g.:

New PIN:

Confirm New PIN:

Would the customer not accept providing access to the user page with the understanding that they will only have the option of changing their PIN and not provide access to any of the other options?

Alexander.Khlem... Thu, 03/19/2009 - 02:13
User Badges:

Well, the problem with this is that is does expect you to key in something. If you key in the old pin it gives you the prompt again so it does expect you to change it. If you key in a new pin you receive Authentication Error back.

Anyway I have open a TAC case for this one.

vivrao Thu, 03/19/2009 - 03:44
User Badges:
  • Cisco Employee,

Changing PIN from IP Phone is still a roadmap item for CUCM. Currently this feature is not supported for current CUCM version.

Alexander.Khlem... Tue, 03/31/2009 - 02:45
User Badges:

Well, yes, only from CCMUser web page at the moment. Here below is the info from Cisco TAC regarding this issue - as far as you can see changing PIN from an IP Phone is roadmapped only for CUCM 7.1:


CUCM 6.1.3

Problem Description:

--> Users seeing "Authentication Error" when attempting to change their pin from the TUI; with the "users must change at next login" checked.

Current Status:

--> That's a known issue... 2 bugs are open on it (CSCsm43875 and CSCsl76193) and it'll be fixed in UCM 7.1.


When the credential policy for a user is set to "User Must Change at Next Login" the user must change PIN but then is not able to login to CCMuser at all.

When trying to log into Extension Mobility via the phone, the user is repeatedly prompted for the PIN and receives "[209]-Change PIN". (this is working as designed)


Observed with both CUCM and


Do not use the option for "User Must Change at Next Login".

Unfortunately I could not find any CLEAR wording of this anywhere in Cisco documentation.

michalisv Sun, 09/12/2010 - 23:38
User Badges:

I'm sorry for bringing back this topic after so long, but we're trying to do this "Force PIN Change from IP Phone at next login" option with version 7.1(5) but we're receiving the same error"[209]-Change PIN". Does anyone know if this issue was fixed on some later 7.1 version or perhaps never fixed at all for 7.1(x) ?

thanks in advance

Aaron Harrison Mon, 09/13/2010 - 01:31
User Badges:
  • Super Bronze, 10000 points or more
  • Community Spotlight Award,

    Member's Choice, May 2015


Looks like that made it into version 8.0 :

There should be a ChangePIN softkey on that  ver, and also there's reference to a standalone credentials management app.



Please rate helpful posts and mark answered questions that you've got a satisfactory response from to help identify useful content in the forums...

michalisv Wed, 09/15/2010 - 00:30
User Badges:

thanks Aaron. I guess we're going to stick with the web settings since upgrading to 8.x is not an option at the moment


This Discussion