I have two kinds of imported users in CUC 7.0:
-imported via 'LDAP', which means directly from AD: able to log in to ciscopca with the AD account
-imported via 'Phone system', which means via CUCM: I get 'invalid id or password' when I try to log in to ciscopca. I'm able to log in to ccmuser with the same account.
Why can't the users imported via CUCM log in?
As I said, I am able to log in to ccmuser but not to ciscopca with the same AD account.
-AD account 'test1'
-CUCM, LDAP sync from AD - able to log in to ccmuser with 'test1'
-CUC, LDAP configured but imported via CUCM - cannot log in with 'test1'
-CUC, if I import 'test2' directly from AD, I am able to log in to ciscopca successfully.
PCA relies on Class of Service in Unity.
Also, is Unity Connection a separate server? If it is, you may need to check that AXL is working properly. CUCM will LDAP sync with AD to populate the CUCM directory. For Connection, the user must have a line/phone configured. In Connection you should be able to SYNC and import from CUCM.
Once the subscribers are present and configured in Connection, configure the class of service to allow PCA login.
The authentication piece is also being pulled from CUCM. I'm not sure exactly how your LDAP is configured with CUCM, but if the user having an issue is in a different OU for Authentication, it could be an issue.
Re-reading your test above, I'd say AXL is not working between CUCM and Connection (if separate server). If it's a CUCMBE with Connection onbox, it does not use the AXL configuration (because it's local).
Answer to the factor,
-PCA is enabled in CUC COS (enabled by default).
-CUC is a separate server from CUCM
-AXL works okay, and that's why I am able to import users via CUCM
-LDAP configuration is exactly the same in CUCM and CUC, which means the same authentication. ccmuser is okay, but ciscopca fails with the same AD user ID with the error message 'invalid userid or password'
Again, this is CUC version 7, and I am testing authentication via AD, which was not supported in the previous version.
Do you have LDAP configured on both CUC and CUCM to point to the same place? I think you can only do one LDAP point when you use CUCM (at least for authentication).
Are the users in the same forest?
-users are in the same AD location (same OU)
-I configured exactly the same LDAP in CUCM and CUC (system, directory and authentication)
-I disabled the CUC LDAP configuration, which means authentication is via CUCM, but I still get the message 'invalid username/password'. At this time, the user imported directly from AD cannot log in.
My requirement is,
-CUC user import from CUCM
-CUC user authentication from AD password
What is the configuration guideline to achieve this? E.g., the LDAP configuration requirements in CUCM and CUC.
If LDAP is configured off of CUCM, and you pull your users in from CUCM to Connection via sync, it should all work. It works like this for CUPS and other Connections. I have been running into bugs on CUC 7.02, so it would not surprise me if you are hitting something unknown possibly.
If the test1 user can log into the CUCM server on CCMUser page, then it should have no issues on CUC PCA page.
If CUCM is integrated with LDAP and we have a UC integration with CUCM through AXL, then the ciscopca password is not authenticated against LDAP. CCMuser is authenticated against LDAP.
Cisco Unity offers application-level authentication to allow subscribers to access the Cisco Personal Communications Assistant (PCA). Cisco Unity authenticates the credentials that subscribers enter when they log on to the
So for using LDAP authentication for ciscopca, we will have to import users from LDAP integration.
Unity connection 7.0.2 supports LDAP integration.
In case you have not integrated your UC with LDAP, you can reset the web application password for the user from the Unity Connection admin page, and they would be able to log in to Cisco PCA after that.
What's odd is that in 7.01, IMAP login works with LDAP from CUCM. The users are imported from LDAP to CUCM. Connection syncs the users from CUCM.
We configure the users for IMAP at the desktop and it uses their AD LDAP and AD password.
But from what you are saying (or it sounds like), for PCA we have to create another LDAP connection?
The users are imported to Unity Connection through AXL from Call Manager.
But application passwords are controlled by Unity Connection. So, in case you want ciscopca to authenticate against LDAP, then yes, you would have to create a separate LDAP integration with UC.
If you were using a Call Manager Business Edition, then CUCM + LDAP integration would have been enough for authenticating the ciscopca users against LDAP.
In our case, as we have CUCM and UC as separate servers, we would need to integrate Unity Connection with LDAP if required.
Did you try resetting the password of the user from the UC admin page and check if the user is able to log in?
I realized PCA login is not supported for users imported via CUCM or for existing users migrated from a previous version. The solution is to change the LDAP integration model to AD by overriding the user attribute via BAT.
See the section 'To Integrate Existing Cisco Unity Connection Users with LDAP Users'