I have got probably rather silly question here.
We have a new installation of CUCM 6.1(3) with Extension Mobility configured. For security reasons the customer wants to enforce end-users to change their PINs after the first login. So in the End-User PIN Credential Policy we are specifying "User Must Change at the Next Login".
As the result we have the following. The user is trying to log into his IP Phone with his default PIN (which is definitely valid) and gets the prompt (on the phone screen) to change the PIN. He keys in a new PIN but it is not accepted and he gets the "Authentication Error" message instead. As the result he can not login.
We have tried different setting on the Credential Policy but nothing helped - the system simply does not accept PIN changes from an IP Phone. I have searched the web but could not find any trace of the same issue.
Has anybody seen this before? Is there some additional settings to enable changing PINs from IP Phones? Is it actually possible in CUCM 6.1(3)?
Thanks a lot for any help!
Not sure about this to be honest but it may well be easier to provide this functionality via web page:
From this page they can make many changes to their profile however if you do not want them to make such a vast number of changes the options available to them can be locked down via the Enterprise Parameters.
I know it is not exactly what you were looking for but I hope it helps you resolve the issue in the short term so at least people can get up & running.
Thanks a lot for the reply. Unfortunately the customer does not want to give end-users the access to the CCMUser web page. The customer needs the end-users to be able to change their PINs from IP phones and according to Cisco this should be possible.
I have just tested this and I get the same symptoms but I think it may be the way they present it.
My understanding of what I saw is that you cannot do this, it does not appear to promt for a PIN change but rather it provides a message to inform that you must change it. I can only assume they assume you would be providing access to the web page!?!
Does look rather confusing but I would expect a different screen to appear if this was possible e.g.:
Confirm New PIN:
Would the customer not accept providing access to the user page with the understanding that they will only have the option of changing their PIN and not provide access to any of the other options?
Well, the problem with this is that is does expect you to key in something. If you key in the old pin it gives you the prompt again so it does expect you to change it. If you key in a new pin you receive Authentication Error back.
Anyway I have open a TAC case for this one.
Changing PIN from IP Phone is still a roadmap item for CUCM. Currently this feature is not supported for current CUCM version.
Is this documented any where? We ran into this and I couldn't find anything on it to report back to the business with. So then, changing PIN is only supported from the CCMUser page for users?
Well, yes, only from CCMUser web page at the moment. Here below is the info from Cisco TAC regarding this issue - as far as you can see changing PIN from an IP Phone is roadmapped only for CUCM 7.1:
--> Users seeing "Authentication Error" when attempting to change their pin from the TUI; with the "users must change at next login" checked.
--> That's a known issue... 2 bugs are open on it (CSCsm43875 and CSCsl76193) and it'll be fixed in UCM 7.1.
When the credential policy for a user is set to "User Must Change at Next Login" the user must change PIN but then is not able to login to CCMuser at all.
When trying to log into Extension Mobility via the phone, the user is repeatedly prompted for the PIN and receives "-Change PIN". (this is working as designed)
Observed with both CUCM 184.108.40.2069-1 and 220.127.116.114-1.
Do not use the option for "User Must Change at Next Login".
Unfortunately I could not find any CLEAR wording of this anywhere in Cisco documentation.
I'm sorry for bringing back this topic after so long, but we're trying to do this "Force PIN Change from IP Phone at next login" option with version 7.1(5) but we're receiving the same error"-Change PIN". Does anyone know if this issue was fixed on some later 7.1 version or perhaps never fixed at all for 7.1(x) ?
thanks in advance
Looks like that made it into version 8.0 : http://cisco.biz/en/US/docs/voice_ip_comm/cucmbe/rel_notes/8_0_1/delta/phones.html#wp1483628
There should be a ChangePIN softkey on that ver, and also there's reference to a standalone credentials management app.
Please rate helpful posts and mark answered questions that you've got a satisfactory response from to help identify useful content in the forums...
thanks Aaron. I guess we're going to stick with the web settings since upgrading to 8.x is not an option at the moment