Hi Avinash,
Check these threads
https://supportforums.cisco.com/thread/2089663
https://supportforums.cisco.com/thread/2074398
And also a clip posted on CSC for FAC.
===========================================================================
Please do go through the steps. Hope this helps.
FAC (Forced Authorization Code) ā LPCOR for SIP & SCCP Phones
Before Defining LPCOR, please keep in mind that; Enable LPCOR functionality and define a policy for each resource group that requires call restrictions. You can define one LPCOR policy for each resource group. Do not create a LPCOR policy for resource groups that do not require call restrictions. Maximum of the procedures are same as configuring dial-peer COR list.
voice lpcor enable
// Enabling the lpcor functionality on the Cisco Unified CME router.
voice lpcor custom
// Defines the name and number of LPCOR resource groups on the Cisco Unified CME router.
group 10 ild
// Adds an LPCOR resource group to the custom resource list.
numberāGroup number of the LPCOR entry. Range: 1 to 64.
lpcor-groupāString that identifies the LPCOR resource group.
voice lpcor policy ild
// Creates a LPCOR policy for a resource group.
lpcor-groupāName of the resource group that you defined above (in our example ild).
service fac
// Enable FAC Service for a routing endpoint defined in a LPCOR group policy
accept ild fac
// facāValid Forced Authorization Code that the caller needs to enter before the call is routed to its destination
There is no big point in putting the FAC command after accept ild because, even if you do not put the fac, it will still ask you for an authorization code. Reason, you will know, when you read the configuration below.
If you create any other group say Ex. group local, in the same voice lpcor custom and do not enter it in the lpcor policy ild, it will get rejected (even before the process to ask for a code & pin). Calls will not even pass through the trunk.
The steps for accept and reject is configured, when you have more than 2/3 groups & 3/4 different gateways / trunks and you do not want anybody else (apart from the ones you have configured to accept) to pass through a specific trunk.
* Create only those groups that you need to be asked for an authorization code. Donāt get confused.
Just look at the Example of show voice lpcor policy below. The ones that the output shows as reject, will not be allowed to make calls from that trunk which is allowed for a particular group. It means, that only groups Manger & PSTNTrunk will be allowed to make calls (by putting an id & pin). Local Users, Remote Users, & IP Trunk users will not be allowed to make calls. Their calls will be rejected & they will get a fast busy tone.
Router# show voice lpcor policy
voice lpcor policy PSTNTrunk (group 13):
service fac is enabled
( accept ) Manager (group 10)
( reject ) LocalUser (group 11)
( reject ) RemoteUser (group 12)
( accept ) PSTNTrunk (group 13)
( reject ) IPTrunk (group 14)
Defining Parameters for Authorization Package:
enable
configure terminal
application
// Enters the application configuration mode.
package auth
// Enters package authorization configuration mode.
param passwd-prompt flash:enter_pin.au
// Allows you to enter the password parameters required for package authorization for FAC authentication
passwd-prompt filename ā Plays an audio prompt requesting the caller to enter a valid password (in digits) for authorization
param max-retries 0
// Specifies number of attempts to re-enter an account or a password ā default value 0
param user-prompt flash:enter_account.au
// Allows you to enter the user name parameters required for package authorization for FAC authentication.
user-prompt filename ā Plays an audio prompt requesting the caller to enter a valid username (in digits) for authorization
param term-digit #
// Specifies digit for terminating an account or a password digit collection. You have to press # after you have input your id and then put your pin and press #. # is the terminator to make the CME understand that you have finished entering your ID / PIN.
param passwd 12345
// Character string that defines a predefined password for authorization. Note: Password digits collection is optional if password digits are predefined in the param passwd command.
param abort-digit *
//Specifies the digit for aborting username or password digit input. Default value is *.
param max-digits 32
//Maximum number of digits in a username or password. Range of valid value: 1 - 32. Default value is 32.
You have to configure the aaa to force the FAC for Code and PIN:
gw-accounting aaa
!
aaa new-model
!
aaa authentication login default local
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local
!
aaa session-id common
Define the Username & Password:
username 786 password 0 54321
username 678 password 0 12345
Configuring the LPCOR with Ephone-DNs:
ephone-dn 1 dual-line
number 1002
label Ganesh
ephone 1
lpcor type local
// Sets the LPCOR type for an IP phone.
ā¢ localāIP phone always registers to Cisco Unified CME through the LAN.
ā¢ remoteāIP phone always registers to Cisco Unified CME through the WAN.
lpcor incoming ild
// Associates a LPCOR resource-group policy with an incoming call
Note: Do not use different lpcor group policies for a shared ephone-dn.
device-security-mode none
mac-address 0005.9A3C.7A00
type CIPC
button 1:1
Same is used for SIP Phones:
voice register pool 2
lpcor type remote
lpcor incoming ild
id mac 0030.94C2.9A55
type 7960
number 1 dn 2
dtmf-relay rtp-nte sip-notify
Note: If you do not put rtp-nte, it will skip the process of asking for the Authorization Code and you will not be able to make any calls
Configuring the LPCORs with the ISDN (BRI / PRI) Ports:
The Example Provided below is my BRI Configuration:
This Voice Port 0/1/0 ā is used for Local Calls only without any authorization codes
voice-port 0/1/0
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
connection plar 1000
threshold noise -60
bearer-cap Speech
This Voice Port 0/1/1 ā is used for only International Calls with authorization codes:
voice-port 0/1/1
lpcor outgoing ild ā (Defined the LPcor outgoing in voice-port 0/1/1 ā dedicated for ILD ā Long Distance)
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
connection plar 1000
threshold noise -60
bearer-cap Speech
Note: The biggest problem in an Environment / Scenario where we use lpcor is that we have to block dedicatedly one trunk / BRI / PRI port specifically only for ILDs (Calls with Authorization) and the 2nd line/trunk for Calls that don't need Authorization
Complete Configuration of LPcor in Short - Example:
voice lpcor enable
!
voice lpcor custom
group 10 ild
voice lpcor policy ild
service fac
accept ild fac
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local
!
!
aaa session-id common
!
!
application
package auth
param passwd-prompt flash:enter_pin.au
param max-retries 0
param user-prompt flash:enter_account.au
param term-digit #
param passwd 12345
param abort-digit *
param max-digits 32
!
!
username 786 password 0 54321
!
username 678 password 0 12345
!
!
ephone-dn 1 dual-line
number 1002
label Ganesh
ephone 1
lpcor type local
lpcor incoming ild
device-security-mode none
mac-address 0005.9A3C.7A00
type CIPC
button 1:1
!
!
voice register dn 2
number 4001
name cme-sip-2
label 4001
!
!
voice register pool 2
lpcor type remote
lpcor incoming ild
id mac 0030.94C2.9A55
number 1 dn 2
dtmf-relay rtp-nte sip-notify
voice-class codec 1
!
!
voice-port 0/1/0
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
threshold noise -60
bearer-cap Speech
!
!
!
voice-port 0/1/1
lpcor outgoing ild
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
threshold noise -60
bearer-cap Speech
Apart from these, you need to configure dial-peer cors, dial-plan pattern, translation pattern and other configuration as usual.
Note: There are lots of issues, mistakes and confusion in the Explanation provided in Ciscoās CME Administration Guide for LPCOR ā FAC. Some of them are mismatched / wrongly given both in Detailed Steps as well as the Example provided for FAC (Forced Authorization Code)
Issue ā 1:
There is lot of confusion and mistake in deciding which .au file to be taken for prompting the password and account-id.
There are two steps for this:
1. The first method, is it asks for an account id and the then it asks for the pin number, that should match with the associated username.
a. For this method, you may / may not put the param password #### command. It doesnāt matter.
b. The au files I have selected for this method is: enter_account.au for ID & enter_pin.au for the PIN. This works perfectly fine.
2. The 2nd method ā if you have put the param passwd #### command,
a. Use the userprompt filename as enter_account.au
b. For the param passwd-prompt, use en_bacd_enter_dest.au file.
Once you enter the destination number, your call will get connected, as the password has already been forced into the configuration.
The 2nd Method will work, better for intercom calls (between sites) or Local / STD calls. i.e; when you enter the dial-out prefix (0 / 9) + Local Code & press # It will ask for your Account ID. Enter the Account ID and press #. Then Enter the Destination Number you wish to reach. It will put your call through.
Logically this is correct; but technically wrong; because according to the FAC Configuration / System,
1. It requires & asks for an ID & PIN. You cannot configure just a Username (account name) or a Password alone. It has to be bundled together. Every ID & its respective PIN is entered in Global Configuration Mode. Ex. Router(config)# username 12345 password 12345
2. It asks for ID & PIN only after you have finished dialing. Ex. 0 + International Code + Number. Then it asks you to enter the ID and press #. Then Pin No. and press #. Then the call gets routed to the respective port
So Technically, the 2nd method will not work for International Numbers. What will you dial after it asks to dial the destination code? How will the cme associate the number dialed after putting the dial-out prefix and the number dialed when the FAC asks to enter the Destination Code? Ex. 0 ā 44 # (account id) - Destination Number? It does not work at all. Also it does not make any sense.
Issue ā 2:
There are some confusion in filenames as well. Even the audio provided inside the file, against the filename does not match.
1. en_bacd_welcome.au ā does not ask you for an Account ID. It says āThank you for callingā. What is that supposed to mean?
2. en_bacd_enter_dest.au ā will ask you to provide the destination number you wish to reach. Where is the ID and / or Password asked in a scenario like this?
Issue ā 3:
ephone 1
lpcor type local
// Sets the LPCOR type for an IP phone.
ā¢ localāIP phone always registers to Cisco Unified CME through the LAN.
ā¢ remoteāIP phone always registers to Cisco Unified CME through the WAN.
The IP Phone has nothing to do with registration in this command. With the command lpcor type local, it actually searches for the authorization code locally with radius server from within the CME itself.
And Remote means it searches for the authorization code from a remote aaa server / other CME located in remote site.
I have tried to make the LPCor configuration a bit simple and easy to understand. Hope this helps.
==============================================================
Rate all the helpful post.
Thanks
Manish
