cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16736
Views
27
Helpful
50
Replies

CME forced auth codes in 8.5/8.6

thisisshanky
Level 11
Level 11

I m referring to this document (which doesnt seem to help me much)..so thought of posting at this forum....

Has any body successfully implemented FAC in CME..

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmefac.html

i have setup two LPCor groups one for end users and one for PSTN trunks..to test this functionality i put one ephone under the end users group and another ephone in the PSTN trunk group..and when you call from ephone 1 to 2...it asks for the username and password as programmed but then it hangs up the call...

i can post configs if needed...its pretty similar to whats in the document..

TIA..

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
50 Replies 50

paolo bevilacqua
Hall of Fame
Hall of Fame

Welcome back shamku!

It can be a script problem. Take "debug voice application script".

Thanks Paolo...its been a while :)..The issue was with the AAA not being enabled. Once AAA and gateway account was enabled everything started working. I have posted a sample config, in case some one needs it...Also LPCOR groups cannot be applied to dial-peers directly so you have to use trunk groups and point dial peers to trunk groups in order to apply LPCORs. So if you only want to block LD and International calls with a FAC code, you will need trunk groups defined and applied to those dial peers. All the non authenticated dial peer will use the port command.

AAA- Config

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login h323 local

aaa authorization exec h323 local

aaa authorization network h323 local

aaa session-id common

gw-accounting aaa

Trunk Group configuration

trunk group Telmex-E1

hunt-scheme least-idle

trunk group lpcor outgoing PSTNTrunk

LPCOR groups -> Feature of CME 8.5

voice lpcor enable

voice lpcor custom

group 10 end-users

group 11 PSTNTrunk

!

voice lpcor policy end-users

service fac

accept end-users fac

accept PSTNTrunk fac

!

voice lpcor policy PSTNTrunk

service fac

accept end-users fac

accept PSTNTrunk fac

**APPLICATION CONFIGURATION THAT AUTHENTICATES USERS**

application

package auth

  param passwd-prompt flash:en_bacd_welcome.au

  param passwd 5555 <----- this is optional and i cant figure out why this is needed..it works with or with out it

  param term-digit #

  param user-prompt flash:en_bacd_enter_dest.au

  param abort-digit *

  param max-digits 32

*LD PIN Configuration**

username 6801 password 0 26621

**MEXICAN DIALPLAN***

controller E1 0/0/0

framing NO-CRC4

ds0-group 1 timeslots 1-15,17-30 type r2-digital r2-compelled ani

cas-custom 1

  country telmex use-defaults

  category 2

  answer-signal group-b 1

  trunk-group Telmex-E1

dial-peer voice 3 pots

description Emergency services

destination-pattern 906.

port 0/0/0:1

prefix 06

!

dial-peer voice 4 pots

trunkgroup Telmex-E1

description International calls

destination-pattern 900T

prefix 00

!

dial-peer voice 5 pots

trunkgroup Telmex-E1

description Long Distance

destination-pattern 901..........

prefix 01

!

dial-peer voice 6 pots

description Toll charge to Local cell phone

destination-pattern 9044..........

port 0/0/0:1

prefix 044

!

dial-peer voice 7 pots

trunkgroup Telmex-E1

description Toll charge to Long distance cell phone

destination-pattern 9045..........

prefix 045

!

dial-peer voice 8 pots

description Local calls

destination-pattern 9[1-9].......

port 0/0/0:1

!        

dial-peer voice 9 pots

description Information

destination-pattern 9040

port 0/0/0:1

prefix 040

!        

**EPHONE CONFIGURATION

ephone-template  1

lpcor type local

lpcor incoming end-users

ephone  65

mac-address 6C50.4DDB.353A

ephone-template 1

username "receptionist"

type 7962 addon 1 7915-24

button  1:100

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I don't even know or what to know what lpcors are!

Welcome again!

I didnt either...until this client wanted this feature. Its a new feature introduced in CME 8.5/8.6. LPCors are much like regular CORs except they help in the embedded auth application to authorize a user to place a call based on the code entered...

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hello. I have FAC configuration and it's working fine. But i have a question how can i restrict all another phone calling through International dial-peer.For example- if you don't have lpcor outgoing AllUser you can't use International dial-peer. It's need for security from malicious calling.

=======================

voice lpcor enable
voice lpcor custom
group 10 AllUser
 
 voice lpcor policy AllUser
 service fac
 accept AllUser fac

application
 package auth
  param passwd-prompt flash://enter_pin.au
  param term-digit #
  param passwd 78423
  param user-prompt flash://enter_account.au
  param abort-digit *
  param max-digits 32

dial-peer voice 103 voip
 description -=International=-
 preference 1
 destination-pattern 810T
 lpcor outgoing AllUser
 session protocol sipv2
 session target ipv4:192.168.33.187
 incoming called-number 810T
 dtmf-relay h245-alphanumeric
 no vad

  ephone  1
 lpcor type local
 lpcor incoming AllUser
 lpcor outgoing AllUser
 mac-address 0015.6387.9DA8
 but

ephone  2
mac-address 001C.58A2.3B64
button  1:2ton  1:1

 

Dear Askil,

 

Here in our organization, we use Translation Pattern for International Calling. Every department (Finance, Accounts, HR), etc. have a code that they need to dial everytime they need to do an International Call. This way on our Call Accounting System, we filter and get to know who has called whom and which IP Phone has entered which code.

Ex. 

voice translation-rule 2
 rule 1 /^912345\(.*\)/ /020\1/
 rule 2 /^967890\(.*\)/ /020\1/
!
!
voice translation-profile ild
 translate called 2
!

 

Since we use a calling card for International calling, the code and dial-prefix are replaced with 020. You can modify the translation pattern accordingly.

 

Hope this helps.

 

Best Regards,

Ganesh

 

Thank you for answering. May be this variant will be good for me.

Hello all,

I am in stage of deploying fac in cme 10.5 to restrict international calls only and I am facing the same issue as the initial post of this thread, also the prompt plays sometime and sometime it by pass the prompt and connect international call direct. Can any body review my config and advise suggestion please ?

Following is my config & debug:

!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common

voice lpcor enable
voice lpcor custom
 group 10 ild
!
voice lpcor policy ild
 service fac
 accept ild fac
!

!
application
 package auth
  param max-retries 0
  param passwd-prompt flash:enter_pin.au
  param abort-digit *
  param term-digit #
  param user-prompt flash:enter_account.au
  param passwd 12345
  param max-digits 32
 !
!
 service clid_authen_collect
  param uid-len 4
  param pin-len 4
 !

username 1234 password 7 040A59555B
!

gw-accounting aaa
!
dial-peer cor custom
 name local
 name national
 name mobile
 name intl
 name fac-int
!
!
dial-peer cor list call-local
 member local
!
dial-peer cor list call-national
 member national
!
dial-peer cor list call-mobile
 member mobile
!
dial-peer cor list call-intl
 member intl
!
dial-peer cor list normal-user
 member local
!

!
dial-peer cor list fac-int
member fa-int

!
dial-peer cor list executive-user
 member local
 member national
 member mobile
!
dial-peer cor list intl-user
 member local
 member national
 member mobile
 member intl
!
dial-peer cor list fac-int
 member local
 member national
 member mobile
 member intl
 member fac-int
!

!
dial-peer voice 50 voip  <-------- Is it necessary to create voip dial-peer ?
 corlist incoming fac-int
 corlist outgoing fac-int
 description ****INTL Dialing****
 service clid_authen_collect
 destination-pattern 900T
 session target ipv4:10.119.3.2
 incoming called-number 900T
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
!
dial-peer voice 5 pots
 corlist outgoing fac-int
 description ****INTL Dialing****
 destination-pattern 900T
 port 0/0/0:15
 prefix 00
!

!
ephone-dn  70  octo-line
 number 8770
 label CIPC
 name CIPC
 corlist incoming fac-int

!

!
ephone  70
 lpcor type local
 lpcor incoming ild
 device-security-mode none
 description DXB CIPC
 mac-address XXXX.XXXX.XXXX
 busy-trigger-per-button 1
 type CIPC
 button  1:70
!

Following are some logs:

190792: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   ipaddress 10.119.3.77; vrf=0, host=; subnet_type=3
190793: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   Found lpcor index 0 for ipaddress 10.119.3.77
190794: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   peer tag 40002, direction 0
190795: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   Return Lpcor Index 0 for Peer Tag 40002
190796: Jun 22 10:54:39.430: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_name:
   lpcor ild
190797: Jun 22 10:54:39.430: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_name:
   lpcor ild index 10
190798: Jun 22 10:54:42.886: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   peer tag 40002, direction 1
190799: Jun 22 10:54:42.886: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   Return Lpcor Index 0 for Peer Tag 40002
190800: Jun 22 10:54:48.490: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   ipaddress 10.119.3.2; vrf=0, host=; subnet_type=3
190801: Jun 22 10:54:48.490: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   Found lpcor index 0 for ipaddress 10.119.3.2

Regards,

Hello All,

The issue has been resolved. 

Detailed Explanation:

application

service clid_authen_collect

  param uid-len 3

  param pin-len 3

in this example the Account and PIN are three digits long).  This forces a user id and pid length

aaa new-model

aaa authentication login h323 local

aaa authorization exec h323 local

aaa authorization network h323 local

username 201 password 123

username 201 autocommand exit

username 202 password 321

username 202 autocommand exit

** The "autocommand" option for the username, immediately logs out the user from the CME if these credentials are used for Telnet or SSH. The idea is to prevent a DOS attack on the unit if a malicious source were to monopolize the terminal (VTY) sessions. Please notice that if you have EZVPN server set up, these usernames could be used to access the system, in which case implementeting the FAC configuration at all is emphatically discouraged. Alternatively, you could use an access class to prevent the FAC users from connecting to the CME via telnet or SSH.

Then create dial-peers and translation pattern as required (example below)

!
voice translation-rule 1
rule 1 /^9\(.*\)/ /\1/
!


voice translation-profile ild
translate called 1
!

dial-peer voice 5 pots
corlist outgoing fac-int
description ****INTL Dialing****
preference 5
destination-pattern 900T
port 0/0/0:15
forward digits all



dial-peer voice 50 voip
corlist incoming fac-int
corlist outgoing fac-int
description ****INTL Dialing****
service clid_authen_collect
destination-pattern 900T
session target ipv4:x.x.x.x (CME IP Address)
incoming called-number 900T
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad

Now, the above configuration enforces FAC usage for any caller trying to dial an international number.
In order to partition the dialplan, so some callers can go through without having to enter an username and password,
while others are still required to enter the credentials, more Class of Restriction Lists need to be configured.

Assuming the following:

- Extension 201 (ephone-dn 1) is a VIP caller and wants to dial without having to authenticate.

- Extension 202 (ephone-dn 2) is a regular caller and he has to go through the validation.


dial-peer cor custom

name international-fac

!

dial-peer cor list call-international-fac

member international-fac

!

dial-peer cor list user-international-fac

member internal
member local
member domestic
member international-fac
!
dial-peer voice 50 voip
corlist incoming call-international-fac - these lines have already been added in the dial peer above
corlist outgoing call-international-fac - these lines have already been added in the dial peer above
!
ephone-dn 1
corlist incoming user-international
!
ephone-dn 2
corlist incoming user-international-fac
!

Regards,

Venkitesh

Hi men

do you have some config example of LPCOR that creating category call users, for example: CAT 1 = local, mobile, LD,

CAT 2= local only and them asing to a ephone user.

thanks

are you trying to do LD codes and  various Class of restrictions for different users ? I think LPCOrs will  work only with this scrip tin place to authenticate fac...(again this is  such a new feature i cant authoritatively speak about it). Also i m  pretty sure you can use LPCORs for long distance authentication but at  same time use regular cors to restrict callers.....so cor lists will be  used to decide who gets to call what, while LPCors will be used to  restrict callers from calling LD calls..by forcing them to enter a  code...again this is all in theory...i have not tested this...

here is a good link to regular CORs..

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_configuration_example09186a008019d649.shtml

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi thisisshanky

thanks for the answer, do you think that i can mix COR and LPCOR? 

I believe so, although i have not tested this functionality...

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yep, I've been trying to do the same with LPCors without any success... Is there a way (using only one trunk group) to ask for authentication ONLY for LD's and International calls but not for the local calls?

I mean there will be some users that will need to authenticate also for local calls but I can't seem to understand how this works for different types of users using a single trunkgroup...

THANKS!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: