Forced Auth Code (FAC) not working on UC520

Answered Question
Feb 9th, 2010
User Badges:

Hi, I followed instructions found in this forum and a couple of others to implement FAC on our UC520 but I don't get the prompts to enter the account and pin and the call (9011T in my case) go thru, here are the links I used:


http://uc500.com/en/basic-fac-forced-auth-codes-implementation-uc500


https://www.myciscocommunity.com/docs/DOC-1400#Can_UC500CME_be_configured_to_prompt_a_caller_for_a_PIN_before_placing_a_call


One thing that I had to remove because if I used CCA for voice and B-ACD configuration gives a java null pointer error was the param uid-len and param pin-len under application / service clid_authen_collect. See https://www.myciscocommunity.com/message/34459#34459

Steven Smith told me that those are optional and are not needed for FAC.



Here is the configuration I am using. Please note that the Radius server was receiving the accounting data with the command "aaa accounting connection h323 start-stop group radius" which I removed to easily see if the Radius server was receiving something for the authentication, which it does not; and I expect first to use the local account to test it.



Any help is greatly appreciated !



Here is the config condensed:


aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication login h323 group radius
aaa authorization exec default local group radius
aaa authorization exec h323 group radius
aaa authorization network default local group radius
aaa authorization network h323 group radius


aaa session-id common


username 00001001 password 0 <removed>
username 00001001 autocommand exit


radius-server host 192.168.0.18 auth-port 1812 acct-port 1813
radius-server key <removed>
radius-server vsa send accounting
radius-server vsa send authentication
!

dial-peer voice 5500 voip
description International Call
service clid_authen_collect
destination-pattern 9011T
session target ipv4:10.1.10.1
incoming called-number 9011T
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad

dial-peer voice 153 pots
corlist outgoing call-international
description ** T1 pots dial-peer **
translation-profile outgoing CALLER_ID_TRANSLATION_PROFILE
preference 5
destination-pattern 9011T
port 0/3/0:23
prefix 011
no sip-register

dial-peer voice 69 pots
trunkgroup ALL_T1E1
corlist outgoing call-international
description **CCA*North American*International Number**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 3
destination-pattern 9011T
forward-digits all
no sip-register
!
dial-peer voice 70 pots
trunkgroup ALL_FXO
corlist outgoing call-international
description **CCA*North American*International Number**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9011T
forward-digits all
no sip-register

Correct Answer by Marcos Hernandez about 7 years 4 months ago

The session target under dial peer 5500 needs to point to "10.1.1.1", not "10.1.10.1".

Thanks,

Marcos

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Marcos Hernandez Tue, 02/09/2010 - 09:16
User Badges:
  • Blue, 1500 points or more

Try configuring corlist outgoing and incoming "call-international" under dial peer 5500.


Thanks,


Marcos

lerichner Tue, 02/09/2010 - 11:19
User Badges:

Hi Marcos, Thanks for answering but I still got no prompts.


I used ephone-dn  76  for the test with and without the corlists also.


Here is the new config and also included the full tech output that also has the call data (extension 8970)


dial-peer voice 5500 voip
corlist incoming call-international
corlist outgoing call-international
description International Call
service clid_authen_collect
destination-pattern 9011T
session target ipv4:10.1.10.1
incoming called-number 9011T
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad


ephone-dn  76  dual-line
number 8970 no-reg primary
pickup-group 2
label 8970
description Lourdes Vazquez
name Lourdes Vazquez
call-forward busy 3999
call-forward noan 3999 timeout 30
corlist incoming user-international
corlist outgoing user-international
hold-alert 30 originator


Thanks again

Correct Answer
Marcos Hernandez Tue, 02/09/2010 - 12:01
User Badges:
  • Blue, 1500 points or more

The session target under dial peer 5500 needs to point to "10.1.1.1", not "10.1.10.1".

Thanks,

Marcos

elias.ortiz Mon, 08/23/2010 - 17:07
User Badges:

Tengo este mismo problema con nuestro UC540. ya configure tal cual lo has explicado en este y otros posts y no logro que me solicite el codigo y pin.


La IP a la que debe apuntar el dial peer H.323 es cual? La loopback del UC540? la direccion de la VLAN de voz? la direccion de la VLAN de datos? ( ya probe con todas y todas me indican el error mencionado mas abajo)


Los archivos .au de los prompts deben ir directo en raiz de la flash? Asi los he colocado (en raiz directamente) y no me ha funcionado.


Lo que noto es que en consola serial me arroja estos mensajes:


000347: Aug 23 23:22:40.583: %CALL_CONTROL-6-CALL_LOOP: The incoming call has a global identfier already present in the list of currently handled calls. It is being refused.


Que puedo estar haciendo mal?


Cualquier ayuda sera ampliamente apreciada!


Elias.

lerichner Mon, 08/23/2010 - 17:47
User Badges:

Elias,


1) si tienes el comando que indica la cantidad de digitos para la cuenta y

el pin debes eliminarlo


2) los archivos deben de estar en la raiz del flash


144 286422 Mar 15 2010 14:03:38 -04:00 enter_account.au

145 38777 Mar 15 2010 14:04:02 -04:00 enter_pin.au


3) utilizo un servidor radius para validar


Esta es mi configuracion :


aaa new-model

!

!

aaa authentication login default local group radius

aaa authentication login h323 group radius

aaa authorization exec default local group radius

aaa authorization exec h323 group radius

aaa authorization network default local group radius

aaa authorization network h323 group radius

!


radius-server host 192.168.0.18 auth-port 1812 acct-port 1813

radius-server key

radius-server vsa send accounting

radius-server vsa send authentication


dial-peer voice 5500 voip

description International Call

service clid_authen_collect

destination-pattern 9011.T

session target ipv4:10.1.1.1

incoming called-number 9011.T

dtmf-relay h245-alphanumeric

codec g711ulaw

no vad

!

dial-peer voice 5501 voip

description National Call

service clid_authen_collect

destination-pattern 91[2-9]..[2-9]......

session target ipv4:10.1.1.1

incoming called-number 91[2-9]..[2-9]......

dtmf-relay h245-alphanumeric

codec g711ulaw

no vad

!


On Mon, Aug 23, 2010 at 8:07 PM, elias.ortiz <

elias.ortiz Tue, 08/31/2010 - 15:39
User Badges:

Gracias lerichner !!


Despues de hacer un fresh start de la configuracion, lo configure como me indicaste y esta funcionando correctamente. Ahora, tengo una duda mas.


Veo que los permisos para llamar a cierta clase se le asignan al ephone-dn desde donde el usuario origina la llamada usando COR, ¿es posible configurar que un Forced Auth Code (asignado a un usuario) permita realizar llamadas de uno o varios tipos Larga distancia internacional, nacional, etc.; mientras que otro codigo diferente (cuenta y pin, como los llama el script) solo permita larga distancia nacional? Esto es, que los privilegios los determine el codigo y no el numero de directorio origen?


Es comun en mexico y latinoamerica que esto se configure de esta manera, para que un usuario pueda realizar las llamadas a las que el esta autorizado desde cualquier telefono de la empresa, con su codigo de autorizacion. Mas no se si alguien ha encontrado la manera de realizar esto con el script de FAC?


Cualquier orientacion sera de gran ayuda.


Saludos!


Elias Ortiz


-----------------------------------------------------------------------------------------

Thanks lerichner !!


After doing a config fresh-start, I configure it as you suggested and its now working correctly. Now, I have another question.


I see that permission to place a particular call are assigned to an ephone-dn using Class Of Restriction, is it possible to configure that a particular Forced Auth Code account number and pin (assigned to a particular user) allows to place calls for one or several classes like Long Distance, International Calls, for example; while another (different) account and pin, allows only Long Distance? This is, that priviliges are determined by the account number and pin and not the originating "dn" or phone?


It is very common on Mexico and Latinamerica that this is deployed this way even with traditional PBX solutions, so the users can place the calls they are authorized for, from any phone in the office, using their account number and pin. Has anybody found the way to do this with the FAC script?


Any help would be very appreciated!


Saludos!


Elias Ortiz

Actions

This Discussion

Related Content