Cisco Support Community

lpcor FAC issue on voice ports in CME.8.5

Dear all,

I have implemented FAC using lpcor in CME 8.5. In my current setup I have 2 service provider links terminated on my CME: one is analog lines and the other is a SIP link. My requirement is that I need some extensions to have FAC while dialing international numbers over the SIP and FXO lines. I am able to achieve this with the SIP trunk while dialing international numbers, but when I configure the same on the voice-ports it prompts for FAC on all outgoing calls. I need it for international calls only. Below is my current configuration.

voice port configuration

voice-port 0/1/0

lpcor outgoing Fac-International

supervisory disconnect dualtone mid-call

supervisory custom-cptone STC

input gain 5

output attenuation 5

echo-cancel coverage 32

cptone BR

timeouts call-disconnect 3

timeouts ringing 5

timeouts wait-release 5

timing hookflash-out 500

connection plar 111

caller-id enable

caller-id alerting line-reversal

caller-id alerting dsp-pre-allocate

Pots dial-peer configuration

dial-peer voice 1002 pots
corlist outgoing userFac
description *** FAC_INTRENATIONAL ****
translation-profile outgoing STC
preference 10
service clid_authen_collect
destination-pattern 9.T
port 0/1/0
forward-digits all

Lpcor Fac policy

voice lpcor policy Fac-International
service fac
accept Prince
accept Fac-International fac
accept operator

CORLIST

dial-peer cor list userFac
member Internal
member local
member national
member emergency
member toll-free
member Fac
member Prince

Ephone configuration

ephone-dn 21 dual-line

no call-waiting beep accept

call-waiting ring

number 115

label 115

description Family Villa

name Family Villa

allow watch

corlist incoming userFac

ephone 21

lpcor type local

lpcor incoming Fac-International

lpcor outgoing Fac-International

mac-address 04C5.A44D.5838

paging-dn 555

type 7965

button 1:21

1 REPLY
Re: lpcor FAC issue on voice ports in CME.8.5

Hi,

You have messed up lots of things in your configuration. If you are using lpcor, you should not use the service_clid_ commands. Service_clid_authen & collect are used only if you are using SCCP phones. When you are using lpcor, it applies to both SCCP & SIP phones, but you will have to have a dedicated line only for the users whom you need to be authenticated. I hope this helps.

FAC (Forced Authorization Code) – LPCOR for SIP & SCCP Phones

Before defining LPCOR, please keep in mind: enable LPCOR functionality and define a policy for each resource group that requires call restrictions. You can define one LPCOR policy for each resource group. Do not create an LPCOR policy for resource groups that do not require call restrictions. Most of the procedures are the same as configuring a dial-peer COR list.

voice lpcor enable

// Enabling the lpcor functionality on the Cisco Unified CME router.

voice lpcor custom

// Defines the name and number of LPCOR resource groups on the Cisco Unified CME router.

group 10 ild

// Adds an LPCOR resource group to the custom resource list.

number—Group number of the LPCOR entry. Range: 1 to 64.

lpcor-group—String that identifies the LPCOR resource group.

voice lpcor policy ild

// Creates a LPCOR policy for a resource group.

lpcor-group—Name of the resource group that you defined above (in our example ild).

service fac

// Enable FAC Service for a routing endpoint defined in a LPCOR group policy

accept ild fac

// fac—Valid Forced Authorization Code that the caller needs to enter before the call is routed to its destination

There is no big point in putting the fac keyword after accept ild because, even if you do not put the fac, it will still ask you for an authorization code. You will see the reason when you read the configuration below.

If you create any other group say Ex. group local, in the same voice lpcor custom and do not enter it in the lpcor policy ild, it will get rejected (even before the process to ask for a code & pin). Calls will not even pass through the trunk.

The steps for accept and reject are configured when you have more than 2/3 groups & 3/4 different gateways / trunks and you do not want anybody else (apart from the ones you have configured to accept) to pass through a specific trunk.

* Create only those groups that you need to be asked for an authorization code. Don’t get confused.

Just look at the example of show voice lpcor policy below. The ones that the output shows as reject will not be allowed to make calls from that trunk, which is allowed for a particular group. It means that only groups Manager & PSTNTrunk will be allowed to make calls (by putting an ID & PIN). Local Users, Remote Users, & IP Trunk users will not be allowed to make calls. Their calls will be rejected & they will get a fast busy tone.

Router# show voice lpcor policy

voice lpcor policy PSTNTrunk (group 13):

service fac is enabled

( accept ) Manager (group 10)

( reject ) LocalUser (group 11)

( reject ) RemoteUser (group 12)

( accept ) PSTNTrunk (group 13)

( reject ) IPTrunk (group 14)

Defining Parameters for Authorization Package:

enable

configure terminal

application

// Enters the application configuration mode.

package auth

// Enters package authorization configuration mode.

  param passwd-prompt flash:enter_pin.au

// Allows you to enter the password parameters required for package authorization for FAC authentication

    passwd-prompt filename — Plays an audio prompt requesting the caller to enter a valid password (in digits) for authorization

  param max-retries 0

// Specifies number of attempts to re-enter an account or a password – default value 0

  param user-prompt flash:enter_account.au

// Allows you to enter the user name parameters required for package authorization for FAC authentication.

    user-prompt filename — Plays an audio prompt requesting the caller to enter a valid username (in digits) for authorization

  param term-digit #

// Specifies digit for terminating an account or a password digit collection. You have to press # after you have input your id and then put your pin and press #. # is the terminator to make the CME understand that you have finished entering your ID / PIN.

  param passwd 12345

// Character string that defines a predefined password for authorization. Note: Password digits collection is optional if password digits are predefined in the param passwd command.

  param abort-digit *

//Specifies the digit for aborting username or password digit input. Default value is *.

  param max-digits 32

//Maximum number of digits in a username or password. Range of valid value: 1 - 32. Default value is 32.

You have to configure the aaa to force the FAC for Code and PIN:

gw-accounting aaa

!

aaa new-model

!

aaa authentication login default local

aaa authentication login h323 local

aaa authorization exec h323 local

aaa authorization network h323 local

!

aaa session-id common

Define the Username & Password:

username 786 password 0 54321

username 678 password 0 12345

Configuring the LPCOR with Ephone-DNs:

ephone-dn 1 dual-line

number 1002

label Ganesh

ephone 1

lpcor type local

// Sets the LPCOR type for an IP phone.

local—IP phone always registers to Cisco Unified CME through the LAN.

remote—IP phone always registers to Cisco Unified CME through the WAN.

lpcor incoming ild

// Associates a LPCOR resource-group policy with an incoming call

Note: Do not use different lpcor group policies for a shared ephone-dn.

device-security-mode none

mac-address 0005.9A3C.7A00

type CIPC

button 1:1

Same is used for SIP Phones:

voice register pool 2

lpcor type remote

lpcor incoming ild

id mac 0030.94C2.9A55

type 7960

number 1 dn 2

dtmf-relay rtp-nte sip-notify

Note: If you do not put rtp-nte, it will skip the process of asking for the Authorization Code and you will not be able to make any calls

Configuring the LPCORs with the ISDN (BRI / PRI) Ports:

The Example Provided below is my BRI Configuration:

This Voice Port 0/1/0 – is used for Local Calls only without any authorization codes

voice-port 0/1/0

disc_pi_off

input gain -6

echo-cancel mode 2

mwi

no vad

compand-type a-law

cptone FR

timeouts call-disconnect 1

connection plar 1000

threshold noise -60

bearer-cap Speech

This Voice Port 0/1/1 – is used for only International Calls with authorization codes:

voice-port 0/1/1

lpcor outgoing ild

// Defined the lpcor outgoing in voice-port 0/1/1, dedicated for ILD (Long Distance)

disc_pi_off

input gain -6

echo-cancel mode 2

mwi

no vad

compand-type a-law

cptone FR

timeouts call-disconnect 1

connection plar 1000

threshold noise -60

bearer-cap Speech

Note: The biggest problem in an environment / scenario where we use lpcor is that we have to dedicate one trunk / BRI / PRI port specifically to ILDs (calls with authorization) and the 2nd line / trunk to calls that don't need authorization.

Complete Configuration of LPcor in Short - Example:

voice lpcor enable

!

voice lpcor custom

group 10 ild

voice lpcor policy ild

service fac

accept ild fac

!

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login h323 local

aaa authorization exec h323 local

aaa authorization network h323 local

!

!

aaa session-id common

!

!

application

package auth

  param passwd-prompt flash:enter_pin.au

  param max-retries 0

  param user-prompt flash:enter_account.au

  param term-digit #

  param passwd 12345

  param abort-digit *

  param max-digits 32

!

!

username 786 password 0 54321

!

username 678 password 0 12345

!

!

ephone-dn 1 dual-line

number 1002

label Ganesh

ephone 1

lpcor type local

lpcor incoming ild

device-security-mode none

mac-address 0005.9A3C.7A00

type CIPC

button 1:1

!

!

voice register dn 2

number 4001

name cme-sip-2

label 4001

!

!

voice register pool 2

lpcor type remote

lpcor incoming ild

id mac 0030.94C2.9A55

number 1 dn 2

dtmf-relay rtp-nte sip-notify

voice-class codec 1

!

!

voice-port 0/1/0

disc_pi_off

input gain -6

echo-cancel mode 2

mwi

no vad

compand-type a-law

cptone FR

timeouts call-disconnect 1

threshold noise -60

bearer-cap Speech

!

!

!

voice-port 0/1/1

lpcor outgoing ild

disc_pi_off

input gain -6

echo-cancel mode 2

mwi

no vad

compand-type a-law

cptone FR

timeouts call-disconnect 1

threshold noise -60

bearer-cap Speech

Apart from these, you need to configure dial-peer cors, dial-plan pattern, translation pattern and other configuration as usual.

Note: There are lots of issues, mistakes and confusion in the Explanation provided in Cisco’s CME Administration Guide for LPCOR – FAC. Some of them are mismatched / wrongly given both in Detailed Steps as well as the Example provided for FAC (Forced Authorization Code)

Issue – 1:

There is a lot of confusion and error in deciding which .au file is to be used for prompting for the password and account ID.

There are two steps for this:

  1. The first method: it asks for an account ID and then it asks for the PIN number, which should match the associated username.
     a. For this method, you may / may not put the param password #### command. It doesn't matter.
     b. The au files I have selected for this method are: enter_account.au for the ID & enter_pin.au for the PIN. This works perfectly fine.

  2. The 2nd method, if you have put the param passwd #### command:
     a. Use the userprompt filename as enter_account.au
     b. For the param passwd-prompt, use the en_bacd_enter_dest.au file.

Once you enter the destination number, your call will get connected, as the password has already been forced into the configuration.

The 2nd method will work better for intercom calls or Local / STD calls, i.e. when you enter the dial-out prefix (0 / 9) + Local Code & press #, it will ask for your Account ID. Enter the Account ID and press #. Then enter the destination number you wish to reach. It will put your call through.

Logically this is correct, but technically incorrect, because according to the FAC configuration / system:

  1. It requires & asks for an ID & PIN. You cannot configure just a username (account name) or a password alone. It has to be bundled together. Every ID & its respective PIN is entered in global configuration mode. Ex. Router(config)# username 12345 password 12345

  2. Most importantly, it asks for the ID & PIN only after you have finished dialing. Ex. 0 + International Code + Number. Then it asks you to enter the ID and press #. Then the PIN and press #. Then the call gets routed to the respective port.

So Technically, the 2nd method will not work for International Numbers. What will you dial after it asks to dial the destination code? How will the cme associate the number dialed after putting the dial-out prefix and the number dialed when the FAC asks to enter the Destination Code? Ex. 0 – 44 # (account id) - Destination Number? It does not work at all. Also it does not make any sense.

Issue – 2:

There is some confusion in filenames as well. Even the audio provided inside the file does not match the filename.

  1. en_bacd_welcome.au – does not ask you for an Account ID. It says “Thank you for calling”.

What is that supposed to mean?

  2. en_bacd_enter_dest.au – will ask you to provide the destination number you wish to reach.

Where is the ID and / or password asked for in a scenario like this?

Issue – 3:

ephone 1

lpcor type local

// Sets the LPCOR type for an IP phone.

local—IP phone always registers to Cisco Unified CME through the LAN.

remote—IP phone always registers to Cisco Unified CME through the WAN.

The IP Phone has nothing to do with registration in this command. With the command lpcor type local, it actually searches for the authorization code locally with radius server from within the CME itself.

And Remote means it searches for the authorization code from a remote aaa server / other CME located in remote site.

I have tried to make the LPCor configuration a bit simple and easy to understand. Hope this helps.

Regards,

Ganesh
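
An added example, not written by either poster and not Cisco tooling: a small Python audit over a constructed running-config excerpt that mixes the configurations quoted in this thread. It shows which voice-ports carry `lpcor outgoing`, which dial-peer patterns leave through them (why `9.T` on port 0/1/0 is prompted for FAC on every call), and where FAC PINs sit in clear text. Dial-peer 1003, the bare `voice-port 0/1/1` and the function names are assumptions made for illustration.

```python
import re

# Constructed excerpt mixing configs quoted in this thread; dial-peer 1003 is hypothetical.
SAMPLE = """\
application
 package auth
  param passwd 12345
username 786 password 0 54321
username 678 password 0 12345
voice-port 0/1/0
 lpcor outgoing Fac-International
voice-port 0/1/1
dial-peer voice 1002 pots
 destination-pattern 9.T
 port 0/1/0
dial-peer voice 1003 pots
 destination-pattern 900T
 port 0/1/1
"""

def sections(text):
    """Group indented child lines under their top-level command."""
    out = []
    for line in (l for l in text.splitlines() if l.strip() not in ("", "!")):
        if not line.startswith(" "):
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def child(children, key):
    """Argument of the first child command named exactly `key`, else None."""
    return next((c[len(key):].strip() for c in children if c.startswith(key + " ")), None)

def audit(text):
    secs = sections(text)
    # The outgoing LPCOR policy is bound to the port, not to the dialed number.
    fac_ports = {h.split()[1]: child(c, "lpcor outgoing") for h, c in secs
                 if h.startswith("voice-port ") and child(c, "lpcor outgoing")}
    # Every destination-pattern routed out of such a port is subject to that policy.
    via_fac = [(h.split()[2], child(c, "destination-pattern")) for h, c in secs
               if h.startswith("dial-peer voice ") and child(c, "port") in fac_ports]
    # "password 0" is stored unencrypted; "param passwd" makes PIN collection optional.
    return {"fac_ports": fac_ports, "via_fac": via_fac,
            "cleartext_users": re.findall(r"^username (\S+) password 0 ", text, re.M),
            "predefined_passwd": any(child(c, "param passwd") for h, c in secs
                                     if h == "application")}

print(audit(SAMPLE))
```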
