CME forced auth codes in 8.5/8.6

I'm referring to this document (which doesn't seem to help me much), so I thought of posting at this forum.

Has anybody successfully implemented FAC in CME?

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmefac.html

I have set up two LPCOR groups, one for end users and one for PSTN trunks. To test this functionality I put one ephone under the end-users group and another ephone in the PSTN trunk group, and when you call from ephone 1 to 2 it asks for the username and password as programmed, but then it hangs up the call.

I can post configs if needed; it's pretty similar to what's in the document.

TIA..

Hall of Fame Super Gold

CME forced auth codes in 8.5/8.6

Welcome back shamku!

It can be a script problem. Take "debug voice application script".

Re: CME forced auth codes in 8.5/8.6

Thanks Paolo, it's been a while :). The issue was with AAA not being enabled. Once AAA and gateway accounting were enabled, everything started working. I have posted a sample config in case someone needs it. Also, LPCOR groups cannot be applied to dial peers directly, so you have to use trunk groups and point dial peers to trunk groups in order to apply LPCORs. So if you only want to block LD and international calls with a FAC code, you will need trunk groups defined and applied to those dial peers. All the non-authenticated dial peers will use the port command.

AAA config

!
aaa new-model
!
aaa authentication login default local
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local
aaa session-id common
gw-accounting aaa
!

Trunk group configuration

trunk group Telmex-E1
 hunt-scheme least-idle
trunk group lpcor outgoing PSTNTrunk

LPCOR groups (feature of CME 8.5)

voice lpcor enable
voice lpcor custom
 group 10 end-users
 group 11 PSTNTrunk
!
voice lpcor policy end-users
 service fac
 accept end-users fac
 accept PSTNTrunk fac
!
voice lpcor policy PSTNTrunk
 service fac
 accept end-users fac
 accept PSTNTrunk fac

Application configuration that authenticates users

application
 package auth
  param passwd-prompt flash:en_bacd_welcome.au
  param passwd 5555     <----- this is optional and I can't figure out why this is needed; it works with or without it
  param term-digit #
  param user-prompt flash:en_bacd_enter_dest.au
  param abort-digit *
  param max-digits 32

LD PIN configuration

username 6801 password 0 26621

Mexican dial plan

controller E1 0/0/0
 framing NO-CRC4
 ds0-group 1 timeslots 1-15,17-30 type r2-digital r2-compelled ani
 cas-custom 1
  country telmex use-defaults
  category 2
  answer-signal group-b 1
  trunk-group Telmex-E1

dial-peer voice 3 pots
 description Emergency services
 destination-pattern 906.
 port 0/0/0:1
 prefix 06
!
dial-peer voice 4 pots
 trunkgroup Telmex-E1
 description International calls
 destination-pattern 900T
 prefix 00
!
dial-peer voice 5 pots
 trunkgroup Telmex-E1
 description Long Distance
 destination-pattern 901..........
 prefix 01
!
dial-peer voice 6 pots
 description Toll charge to Local cell phone
 destination-pattern 9044..........
 port 0/0/0:1
 prefix 044
!
dial-peer voice 7 pots
 trunkgroup Telmex-E1
 description Toll charge to Long distance cell phone
 destination-pattern 9045..........
 prefix 045
!
dial-peer voice 8 pots
 description Local calls
 destination-pattern 9[1-9].......
 port 0/0/0:1
!
dial-peer voice 9 pots
 description Information
 destination-pattern 9040
 port 0/0/0:1
 prefix 040
!

Ephone configuration

ephone-template 1
 lpcor type local
 lpcor incoming end-users

ephone 65
 mac-address 6C50.4DDB.353A
 ephone-template 1
 username "receptionist"
 type 7962 addon 1 7915-24
 button 1:100

Hall of Fame Super Gold

Re: CME forced auth codes in 8.5/8.6

I don't even know, or want to know, what LPCORs are!

Welcome again!

CME forced auth codes in 8.5/8.6

I didn't either, until this client wanted this feature. It's a new feature introduced in CME 8.5/8.6. LPCORs are much like regular CORs, except they help the embedded auth application to authorize a user to place a call based on the code entered...

New Member


Hello. I have a FAC configuration and it's working fine. But I have a question: how can I restrict all other phones from calling through the International dial peer? For example, if you don't have lpcor outgoing AllUser you can't use the International dial peer. It's needed for security against malicious calling.

=======================

voice lpcor enable
voice lpcor custom
 group 10 AllUser
!
voice lpcor policy AllUser
 service fac
 accept AllUser fac

application
 package auth
  param passwd-prompt flash://enter_pin.au
  param term-digit #
  param passwd 78423
  param user-prompt flash://enter_account.au
  param abort-digit *
  param max-digits 32

dial-peer voice 103 voip
 description -=International=-
 preference 1
 destination-pattern 810T
 lpcor outgoing AllUser
 session protocol sipv2
 session target ipv4:192.168.33.187
 incoming called-number 810T
 dtmf-relay h245-alphanumeric
 no vad

ephone  1
 lpcor type local
 lpcor incoming AllUser
 lpcor outgoing AllUser
 mac-address 0015.6387.9DA8
 but

ephone  2
 mac-address 001C.58A2.3B64
 button  1:2ton  1:1

 

New Member


Dear Askil,

 

Here in our organization, we use a translation pattern for international calling. Every department (Finance, Accounts, HR, etc.) has a code that they need to dial every time they need to make an international call. This way, on our Call Accounting System, we filter and get to know who has called whom and which IP phone has entered which code.

Ex. 

voice translation-rule 2
 rule 1 /^912345\(.*\)/ /020\1/
 rule 2 /^967890\(.*\)/ /020\1/
!
!
voice translation-profile ild
 translate called 2
!

 

Since we use a calling card for International calling, the code and dial-prefix are replaced with 020. You can modify the translation pattern accordingly.

 

Hope this helps.

 

Best Regards,

Ganesh
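Ganesh's translation rules, worked through in Python as an added example (not from the post and not Cisco code): the parser converts the IOS basic-regex grouping to Python syntax and applies the first rule whose match pattern fits, which is the order IOS evaluates rules in. The dialed strings are constructed; the department codes 12345 and 67890 are the ones in the rule above.

```python
import re

# Constructed copy of Ganesh's "voice translation-rule 2" as posted above.
TRANSLATION_RULE_2 = r"""
voice translation-rule 2
 rule 1 /^912345\(.*\)/ /020\1/
 rule 2 /^967890\(.*\)/ /020\1/
"""

# "rule <n> /<match>/ /<replacement>/" (neither pattern contains a slash here)
RULE_LINE = re.compile(r"^\s*rule\s+(\d+)\s+/([^/]*)/\s+/([^/]*)/")


def ios_regex_to_python(pattern: str) -> str:
    """IOS translation rules use POSIX basic-regex grouping, \\( and \\),
    while Python groups with bare parentheses. Only that differs here."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def parse_translation_rule(text: str):
    """Return the rules as an ordered list of (number, compiled_match, replacement)."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            number, match, replacement = m.groups()
            rules.append((int(number), re.compile(ios_regex_to_python(match)), replacement))
    return sorted(rules, key=lambda r: r[0])


def translate_called(number: str, rules):
    """Apply the first rule whose match pattern fits, as IOS does.
    Returns (translated_number, rule_number), or (number, None) when no rule matches."""
    for rule_number, regex, replacement in rules:
        if regex.search(number):
            # "\1" in the IOS replacement is the same back-reference syntax re.sub uses
            return regex.sub(replacement, number, count=1), rule_number
    return number, None


if __name__ == "__main__":
    rules = parse_translation_rule(TRANSLATION_RULE_2)
    # Constructed dialed strings: access code 9, department code, then the called number;
    # the last one carries no department code and so matches no rule.
    for dialed in ("912345004412567890", "967890004412567890", "9004412567890"):
        print(dialed, "->", translate_called(dialed, rules))
```

A dialed string without a department code matches neither rule and leaves the profile unchanged, so whether such a call still reaches the trunk is decided by the dial peers, not by this translation profile.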

 

New Member


Thank you for answering. Maybe this variant will be good for me.

New Member


Hello all,

I am in the stage of deploying FAC in CME 10.5 to restrict international calls only, and I am facing the same issue as the initial post of this thread; also the prompt plays sometimes, and sometimes it bypasses the prompt and connects the international call directly. Can anybody review my config and advise, please?

Following is my config & debug:

!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common

voice lpcor enable
voice lpcor custom
 group 10 ild
!
voice lpcor policy ild
 service fac
 accept ild fac
!

!
application
 package auth
  param max-retries 0
  param passwd-prompt flash:enter_pin.au
  param abort-digit *
  param term-digit #
  param user-prompt flash:enter_account.au
  param passwd 12345
  param max-digits 32
 !
!
 service clid_authen_collect
  param uid-len 4
  param pin-len 4
 !

username 1234 password 7 040A59555B
!

gw-accounting aaa
!
dial-peer cor custom
 name local
 name national
 name mobile
 name intl
 name fac-int
!
!
dial-peer cor list call-local
 member local
!
dial-peer cor list call-national
 member national
!
dial-peer cor list call-mobile
 member mobile
!
dial-peer cor list call-intl
 member intl
!
dial-peer cor list normal-user
 member local
!

!
dial-peer cor list fac-int
 member fa-int

!
dial-peer cor list executive-user
 member local
 member national
 member mobile
!
dial-peer cor list intl-user
 member local
 member national
 member mobile
 member intl
!
dial-peer cor list fac-int
 member local
 member national
 member mobile
 member intl
 member fac-int
!

!
dial-peer voice 50 voip  <-------- Is it necessary to create a voip dial-peer?
 corlist incoming fac-int
 corlist outgoing fac-int
 description ****INTL Dialing****
 service clid_authen_collect
 destination-pattern 900T
 session target ipv4:10.119.3.2
 incoming called-number 900T
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
!
dial-peer voice 5 pots
 corlist outgoing fac-int
 description ****INTL Dialing****
 destination-pattern 900T
 port 0/0/0:15
 prefix 00
!

!
ephone-dn  70  octo-line
 number 8770
 label CIPC
 name CIPC
 corlist incoming fac-int

!

!
ephone  70
 lpcor type local
 lpcor incoming ild
 device-security-mode none
 description DXB CIPC
 mac-address XXXX.XXXX.XXXX
 busy-trigger-per-button 1
 type CIPC
 button  1:70
!

Following are some logs:

190792: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   ipaddress 10.119.3.77; vrf=0, host=; subnet_type=3
190793: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   Found lpcor index 0 for ipaddress 10.119.3.77
190794: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   peer tag 40002, direction 0
190795: Jun 22 10:54:05.302: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   Return Lpcor Index 0 for Peer Tag 40002
190796: Jun 22 10:54:39.430: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_name:
   lpcor ild
190797: Jun 22 10:54:39.430: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_name:
   lpcor ild index 10
190798: Jun 22 10:54:42.886: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   peer tag 40002, direction 1
190799: Jun 22 10:54:42.886: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_peer:
   Return Lpcor Index 0 for Peer Tag 40002
190800: Jun 22 10:54:48.490: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   ipaddress 10.119.3.2; vrf=0, host=; subnet_type=3
190801: Jun 22 10:54:48.490: //-1/xxxxxxxxxxxx/LPCOR/lpcor_get_index_by_ipaddress:
   Found lpcor index 0 for ipaddress 10.119.3.2

Regards,

New Member


Hello All,

The issue has been resolved. 

Detailed Explanation:

application
 service clid_authen_collect
  param uid-len 3
  param pin-len 3

(In this example the account and PIN are three digits long.) This forces a user ID and PIN length.

aaa new-model
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local

username 201 password 123
username 201 autocommand exit
username 202 password 321
username 202 autocommand exit

** The "autocommand" option for the username immediately logs the user out of the CME if these credentials are used for Telnet or SSH. The idea is to prevent a DoS attack on the unit if a malicious source were to monopolize the terminal (VTY) sessions. Please note that if you have an EZVPN server set up, these usernames could be used to access the system, in which case implementing the FAC configuration at all is emphatically discouraged. Alternatively, you could use an access class to prevent the FAC users from connecting to the CME via Telnet or SSH.

Then create dial peers and a translation pattern as required (example below):

!
voice translation-rule 1
 rule 1 /^9\(.*\)/ /\1/
!
voice translation-profile ild
 translate called 1
!
dial-peer voice 5 pots
 corlist outgoing fac-int
 description ****INTL Dialing****
 preference 5
 destination-pattern 900T
 port 0/0/0:15
 forward digits all
!
dial-peer voice 50 voip
 corlist incoming fac-int
 corlist outgoing fac-int
 description ****INTL Dialing****
 service clid_authen_collect
 destination-pattern 900T
 session target ipv4:x.x.x.x (CME IP Address)
 incoming called-number 900T
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad

Now, the above configuration enforces FAC usage for any caller trying to dial an international number.
In order to partition the dial plan, so that some callers can go through without having to enter a username and password
while others are still required to enter the credentials, more Class of Restriction lists need to be configured.

Assuming the following:

- Extension 201 (ephone-dn 1) is a VIP caller and wants to dial without having to authenticate.

- Extension 202 (ephone-dn 2) is a regular caller and has to go through the validation.


dial-peer cor custom
 name international-fac
!
dial-peer cor list call-international-fac
 member international-fac
!
dial-peer cor list user-international-fac
 member internal
 member local
 member domestic
 member international-fac
!
dial-peer voice 50 voip
 corlist incoming call-international-fac    <- these lines have already been added in the dial peer above
 corlist outgoing call-international-fac    <- these lines have already been added in the dial peer above
!
ephone-dn 1
 corlist incoming user-international
!
ephone-dn 2
 corlist incoming user-international-fac
!

Regards,

Venkitesh

New Member

CME forced auth codes in 8.5/8.6

Hi men

Do you have a config example of LPCOR that creates call categories for users, for example CAT 1 = local, mobile, LD,

CAT 2 = local only, and then assigns them to an ephone user?

thanks

CME forced auth codes in 8.5/8.6

Are you trying to do LD codes and various classes of restriction for different users? I think LPCORs will work only with this script in place to authenticate FAC (again, this is such a new feature I can't authoritatively speak about it). Also, I'm pretty sure you can use LPCORs for long distance authentication but at the same time use regular CORs to restrict callers, so COR lists will be used to decide who gets to call what, while LPCORs will be used to restrict callers from making LD calls by forcing them to enter a code. Again, this is all in theory; I have not tested this.

Here is a good link to regular CORs:

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_configuration_example09186a008019d649.shtml

New Member

CME forced auth codes in 8.5/8.6

Hi thisisshanky

Thanks for the answer. Do you think that I can mix COR and LPCOR?

CME forced auth codes in 8.5/8.6

I believe so, although I have not tested this functionality...

New Member

Re: CME forced auth codes in 8.5/8.6

Yep, I've been trying to do the same with LPCORs without any success... Is there a way (using only one trunk group) to ask for authentication ONLY for LD and international calls, but not for local calls?

I mean there will be some users that will need to authenticate also for local calls, but I can't seem to understand how this works for different types of users using a single trunk group...

THANKS!

New Member

Re: CME forced auth codes in 8.5/8.6

Hello shamku,

I'm facing the same problem you had earlier: "it asks for the username and password as programmed but then it hangs up the call..."

I have reviewed the AAA section of my configuration; it is exactly the same as you mentioned here and similar to the example in the Cisco documentation, but the call still hangs up.

Any idea?

I have tried some debug commands and got the following:

Aug 19 22:23:20.924: //850//Auth:/AUTH_ProcessAuthFailure: Auth operation Failed
Aug 19 22:23:20.924: //850//Auth:/AUTH_Close: status(2)
Aug 19 22:23:20.924: //-1//Auth:/AUTH_SetAuthFacData:
Aug 19 22:23:20.924: //-1//Auth:/AUTH_FacDataIsAvailable:
Aug 19 22:23:20.924: //850//Auth:/AUTH_Complete: Auth Returning 2 [AUTH_STATUS_FAILED]:  use_count(3)
Aug 19 22:23:20.928: //-1//Auth:HN006C9510:/AFW_M_Auth_Free:

Thanks!

CME forced auth codes in 8.5/8.6

Did you re-record the wave files properly in the g711ulaw 8-bit mono format? When the file formats were wrong, I noticed that this was not functioning properly...

Also, please paste your configs; I can take a look at them...

New Member

Re: CME forced auth codes in 8.5/8.6

Hi shamku,

Thank you for your reply!

I have used some Cisco files for audio. I guess they are ok.

enter_account.au

enter_pin.au

Codec details for these files are as follows:

Codec: PCM MU-LAW (mlaw)

Channels: Mono

Sample rate: 8000 Hz

Bits per sample: 16

I will attach the configuration shortly as soon as I get back to office.

Regards,

Tarik

New Member

Re: CME forced auth codes in 8.5/8.6

Thanks Man,

This helped a lot! Working at one of our remote branches thanks to your configs.

Phil

New Member

CME forced auth codes in 8.5/8.6

thisisshanky - have you noticed in your config the following:

trunk group lpcor outgoing PSTNTrunk

This is not how you entered the command.

The entered command is just

trunk group XXX

   lpcor outgoing PSTNTrunk

For some reason IOS is changing the command in the config to what you have. When you reboot, your FACs won't work, as IOS will not understand "trunk group lpcor outgoing PSTNTrunk".

I've had that issue just recently. Wondering if it's fixed in newer code. I think I was on 15.1 M1. Anyone else seen it?
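A config check covering two points raised in this thread, written as an added example (not from any poster and not a Cisco tool): Venkitesh's advice that every FAC username should carry "autocommand exit" so the PIN cannot be used for a Telnet or SSH login, and John's observation that IOS rewrites the trunk group command into "trunk group lpcor outgoing ...", which the router will not parse after a reload. The config excerpt is constructed from lines posted in the thread; the admin account line is a placeholder.

```python
import re

# Constructed running-config excerpt combining the two situations described in the
# thread: FAC user accounts with and without "autocommand exit" (Venkitesh), and the
# "trunk group lpcor outgoing ..." line IOS writes into the config (John).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login h323 local
username 201 password 123
username 201 autocommand exit
username 202 password 321
username 6801 password 0 26621
username admin secret 5 <hash-placeholder>
trunk group lpcor outgoing PSTNTrunk
trunk group Telmex-E1
 hunt-scheme least-idle
 lpcor outgoing PSTNTrunk
"""

# FAC codes are entered from a phone keypad, so the FAC accounts are all-numeric;
# non-numeric administrative accounts are deliberately left out of this check.
FAC_USER_RE = re.compile(r"^username\s+(\d+)\s+(?:password|secret)\b")
AUTOCMD_RE = re.compile(r"^username\s+(\d+)\s+autocommand\s+exit\b")
# A correctly entered trunk group is "trunk group <name>" with "lpcor outgoing"
# on its own indented line; the rewritten form puts "lpcor" where the name belongs.
BAD_TRUNK_RE = re.compile(r"^trunk group lpcor\b")


def audit_fac_config(config: str) -> dict:
    """Scan a CME running config for the two FAC pitfalls discussed above."""
    fac_users, users_with_exit, bad_trunk_lines = set(), set(), []
    for lineno, line in enumerate(config.splitlines(), 1):
        if m := FAC_USER_RE.match(line):
            fac_users.add(m.group(1))
        elif m := AUTOCMD_RE.match(line):
            users_with_exit.add(m.group(1))
        elif BAD_TRUNK_RE.match(line):
            bad_trunk_lines.append((lineno, line.strip()))
    return {
        # Numeric accounts whose FAC PIN would still open a Telnet/SSH session.
        "fac_users_without_autocommand_exit": sorted(fac_users - users_with_exit),
        # Lines that will not parse after a reload and must be re-entered by hand.
        "rewritten_trunk_group_lines": bad_trunk_lines,
    }


if __name__ == "__main__":
    for finding, items in audit_fac_config(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Feed it the output of "show running-config"; an access class on the VTY lines, the alternative Venkitesh mentions, is not checked here.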

CME forced auth codes in 8.5/8.6

You are right, John.

I did notice the same problem with the customer, and right now, as we speak, we manually re-enter the command if the router is rebooted. I am not sure if a later code has fixed this; yet to try. Best open a TAC case...

New Member

CME forced auth codes in 8.5/8.6

I'll try a newer version of code in my lab. I checked the bug toolkit but didn't see anything related. My customer's system is completely isolated from their data network down to the copper, so the only way for me to open a TAC case and get anywhere is to be onsite with the box, so a TAC case isn't optimal for me as I don't have the cycles to sit there or any way to cost-recover my time.

New Member

CME forced auth codes in 8.5/8.6

BTW, with the param passwd: if you leave out the param passwd-prompt command, set the param passwd to a value, and create all your numeric user accounts with the same password as what you have specified as param passwd, the auth application skips the password check, so instead of needing user ID and password, the caller only needs the user ID. Basically, this means a single-stage authentication code like CUCM. Much nicer and easier for users to accept when coming from a different system.

CME forced auth codes in 8.5/8.6

Wow, that's a great find; I was wondering how to do that. Good to know.

New Member


Dear ,

 

Can you please give me a working example for this, as I have the same request to use single PIN authentication in CME 9.X.

 

Thanks

 

Praveen

CME forced auth codes in 8.5/8.6

Hi thisisshanky, I tested your script and it works well with FXO lines connected to the PSTN.

But when I tested it using an E1 primary, the call ends immediately after entering user and password.

This is the disconnect cause code: Service or option not available, or unspecified (63)

New Member

CME forced auth codes in 8.5/8.6

Hello Jorge,

We have 2 BRI lines & 1 PRI line in our office and it works perfectly fine. In fact, we have kept the PRI for local calling (Local + STD) & the 2 BRI lines for only ILD calling. If you need, I will paste the configuration for you. Let me know. We are using LPCOR & COR together. It works perfectly fine.

Regards,

Ganesh

Re: CME forced auth codes in 8.5/8.6

Ganesh,

Could you send us your configuration?

Thanks a lot.

Jorge Covenas


New Member

Re: CME forced auth codes in 8.5/8.6

Hi Jorge,

Sorry for the delay. I am busy with 4 different projects in my company. Here is the configuration. I am attaching it in a text file.

Do let me know, if there is any issue.

New Member

CME forced auth codes in 8.5/8.6


thisisshanky:

You will have the full configuration; I can provide a copy.

Thanks
