Cisco Support Community
Community Member

Cisco VoIP Phone Authentication

Is there any Security possibilities available for Cisco IP Phones, like a Keypad locking or PIN system where the user can lock his phone from others making International or cellphone calls from his phone.

I have heard of Cyberdata Corporation having a Magnetic Card Reader that can be attached to Cisco IP Phones. Similarly are there any Smart Card Readers that can be attached to Cisco IP Phones for Authentication. All suggestions are welcome. Thanks in Advance.


Re: Cisco VoIP Phone Authentication

if u use callmanager

follow the following

Creating Forced Authorization Codes

Earlier in this book, you learned how CSS and partitions are used to allow and restrict calls from being placed to certain destinations. The problem with CSS and partitions is that they are based on the device from which the call is being placed, not from the person who is making the call. In new versions of CallManager, you can use Forced Authorization Codes (FACs) to allow calls to be placed based on a code that is entered. This means that the call is permitted or prohibited based on who is calling and not the device from which they are calling.

It works this way: when a call is placed that requires an authorization code, a double beep is heard that alerts the caller to enter the code. After the code is entered, the call is completed.

Enabling FACs requires that FACs exist and that the route patterns that are to be restricted are configured to require an FAC. The following steps show how to accomplish both of these tasks.

Create a Forced Authorization Code

Step 1. From within CCMAdmin, select Feature>Forced Authorization Code.

Step 2. Click the Add a New Forced Authorization Code link.

In the Authorization Code field, enter a numeric code. This is the code a caller will have to enter to place calls that require authorization.

Step 5. In the Authorization Level field, enter a numeric value between 0 and 255. This value determines the authorization level of this code. In order for the code to allow a call, the value in this field must be equal to or greater than the value assigned to the pattern.

Step 6. Click the Insert button to add this code

Assign a Forced Authorization Code to a Route Pattern

Step 1. From within CCMAdmin, select Route Plan>Route/Hunt>Route Pattern.

Step 2. Enter search criteria in the search field to limit the results and click the Find button.

Step 3. From the list that displays, select the route pattern to which you wish to add an FAC.

Step 4. Check the Require Forced Authorization Code box and enter a numeric value in the Authorization Level field. This value is used to determine which FACs have the right to use this pattern. An FAC must have a value equal to or greater than this value in order to

Step 5. Click the Update button to apply FAC to this pattern.

Step 6. Repeat these steps for all other route patterns on which you wish to enable FAC.

also there is

Configuring Client Matter Codes

Another commonly requested feature is Client Matter Codes (CMC). This allows a caller to enter a client code while placing a call, so the call is associated with a client. Companies that bill customers for time spent on projects, such as lawyers, require this feature.

The process to enable CMCs is very similar to that of configuring FACs. First CMCs must be created and then route patterns need to be configured to require CMCs. The following steps walk you through both processes.

Create a Client Matter Code

Step 1. From within CCMAdmin, select Feature>Client Matter Code.

Step 2. Click the Add a New Client Matter Code link.

source is Cisco press

good luck

please if helpful rate

Community Member

Re: Cisco VoIP Phone Authentication

FAC is an ok solution, but most people will not want to insert codes all the time. There is a third party solution where the user can lock the phone entirely(except emergency numbers)when they are not there. It might be closer to what you are looking for. I know of multiple locations with this installed, and so far the customers have had no complaints.

Cisco Employee

Re: Cisco VoIP Phone Authentication

Andtek's Phone Lock feature looks nice. Another option might be to use Extension Mobility, where the logged in profile loads a user's normal phone configuration, and the logged out profile loads a restricted profile on the phone.



Community Member

Re: Cisco VoIP Phone Authentication

Thanks, all 3 ideas sound superb.

FAC is a really intresting solution, but it has the drawback that users must enter code each time he dials a number.

"AND Phone" is another superb 3rd party solution. But its a complete Lockout :P When I am out of office, any random user must still be able to make calls to other extension numbers (in the office) and local calls (which is free in my country). The phone service only has to lock out to mobile phone calls and International calls.

Finally, using Extension Mobility, it sounds like anyone could make a call using the default login. If FAC could be applied only to Default login - then this could be the solution that I need :)

Any other solutions out there??

What about the second part of my question? Any option for Smart Card Authentication in IP Phones?

Hall of Fame Super Red

Re: Cisco VoIP Phone Authentication

Hi Jenny,

Just to add a note to the great info from Marwan, Michael and Keith, the Default profile that is used on a "non Logged-In" phone with Extension Mobility can be set with a CSS (Calling Search Space) that does not have access to Mobile and International numbers but can call Internal and Local. This way only when you are Logged-In with your Profile will these co$tly numbers be able to be dialed.

The Cisco CallManager Extension Mobility feature allows users to configure any Cisco IP Phone 7940 or Cisco IP Phone 7960 as their own, on a temporary basis, by logging in to that phone. After a user logs in, the phone adopts the user individual user default device profile information, including line numbers,Long distance access, speed dials, services links, and other user-specific properties of a phone. For example, when user A occupies a desk and logs in to the phone, that user's directory number(s), services, speed dials, and other properties appear on that phone; but when user B uses the same desk at a different time, user B's information appears. The Cisco CallManager Extension Mobility feature dynamically configures a phone according to the current user.

From this doc;

Cisco CallManager Extension Mobility

Hope this helps!


CreatePlease to create content