Cisco Unified Communications Manager Express System Administrator Guide
Configuring Forced Authorization
Downloads: This chapterpdf (PDF - 325.0KB) The complete bookPDF (PDF - 17.1MB) | Feedback

Configuring Forced Authorization Code (FAC)

Table Of Contents

Configuring Forced Authorization Code (FAC)

Contents

Information About Forced Authorization Code

Forced Authorization Code Overview

How to Configure Forced Authorization Code

Enabling Forced Authorization Code (FAC) on LPCOR Groups

Prerequisites

Restrictions

Examples

Defining Parameters for Authorization Package

Configuration Examples for Forced Authorization Code

Additional References

Related Documents

Technical Assistance

Feature Information for Forced Authorization Code


Configuring Forced Authorization Code (FAC)


Last Updated: February 2, 2010

This chapter describes the Forced Authorization Code (FAC) feature in Cisco Unified Communications Manager Express (Cisco Unified CME) 8.5 and later versions.

Contents

Information About Forced Authorization Code

How to Configure Forced Authorization Code

Configuration Examples for Forced Authorization Code

Additional References

Feature Information for Forced Authorization Code

Information About Forced Authorization Code

To configure SNR, you should understand the following concept:

Forced Authorization Code Overview

Forced Authorization Code Overview

Cisco Unified CME 8.5 allows you to manage call access and call accounting through the Forced Authorization Code (FAC) feature. The FAC feature regulates the type of call a certain caller may place and forces the caller to enter a valid authorization code on the phone before the call is placed. FAC allows you to track callers dialing non-toll-free numbers, long distance numbers, and also for accounting and billing purposes.

In Cisco Unified CME and Cisco Voice Gateways, devices and endpoints are logically partitioned into different logical partitioning class of restriction (LPCOR) groups. For example, IP phones, Analog phones, PSTN trunks, and IP (h323/SIP) trunks as shown in Figure 39, are partitioned into five LPCOR groups under the voice lpcor custom mode, such as:

voice lpcor custom

group 10 Manager

group 11 LocalUser

group 12 RemoteUser

group 13 PSTNTrunk

group 14 IPTrunk

Figure 39 Forced Authorization Code Network Overview

For each group, the LPCOR group policy of a routing endpoint is enhanced to define incoming calls from individual LPCOR groups that are restricted by FAC. A LPCOR group call to a destination is accepted only when a valid FAC is entered. FAC service for a routing endpoint is enabled through the service fac defined in a LPCOR group policy. For more information, see Enabling Forced Authorization Code (FAC) on LPCOR Groups.

The following are the group policy rules applicable to the PSTNTrunk LPCOR group:

FAC is required by PSTNTrunk if a call is initiated from either LocalUser or RemoteUser group.

Any calls from Manager group are allowed to terminate to PSTNTrunk without restriction.

Any incoming calls from either IPTrunk or PSTNTrunk group are rejected and terminated to PSTNTrunk group.

For information on configuring LPCOR groups and associating LPCOR group with different device types, see Call Restriction Regulations.

FAC Call Flow

FAC is required for an incoming call based on the LPCOR policy defined for the call destination. Once the authentication is finished, the success or failure status and the collected FAC digits are saved to the call detail records (CDRs).

Calls are handled by a new built-in application authorization package which first plays a user-prompt for the caller to enter a username (in digits) then, the application plays a passwd-prompt for the caller to collect the password (in digits). The collected username and password digits are then used for FAC, see Defining Parameters for Authorization Package.

When FAC authentication is successful, the outgoing call setup is continued to the same destination. If FAC authentication fails, the call is then forwarded to the next destination. FAC operations are invoked to the call if FAC service is enabled in the next destination and no valid FAC status is saved for the call.

Any calls failing because of FAC blocking are disconnected with a LPCOR Q.850 disconnect cause code. Once the FAC is invoked for a call, the collected authorization digits and the authentication status information is collected by call active or call history records. You can retrieve the FAC information through the show call active voice and show call history voice commands.

Forced Authorization Code Specification

The authorization code used for call authentication must follow these specifications:

The authorization code must be in numeric (0 - 9) format.

A digit collection operation must be completed if either one of the following conditions occur:

maximum number of digits are collected

digit input times out

a terminating digit is entered

Once digit collection is completed, the authentication is done by either the external Radius server or Cisco Unified CME or Cisco Voice Gateways by using AAA Login Authentication setup. For more information on AAA login authentication methods, see Configuring Login Authentication Using AAA.

When authentication is done by local Cisco Unified CME or Cisco Voice Gateways, the username ac-code password 0 password command is required to authenticate the collected authorization code digits.

FAC data is stored through the CDR and new AAA fac-digits and fac-status attributes and are supported in a CDR STOP record. This CDR STOP record is formatted for file accounting, RADIUS or Syslog accounting purpose.

FAC Requirement for Different Types of Calls

Table 57 shows FAC support for different types of calls.

Table 57 Fac Support for different types of calls

Types of Calls
FAC Behavior for Different Calls

Basic Call

A calls B. B requires A to enter a FAC. A is routed to B only when A enters a valid FAC.

Call Forward All
Call Forward Busy

When A (with no FAC) calls B, A is call forwarded to C:

No FAC is required when B enables Call Forward All or Call Forward Busy to C.

FAC is required on A when A is call forwarded to C.

Call Forward No Answer

When A (with no FAC) calls B and A (with FAC) calls C:

A calls B:

No FAC is required when A calls B.

A is Call Forward No Answer (CFNA) to C.

FAC is required on A when A is call forward to C.

Call Transfer (Blind)

FAC is required, if B calls C and A, and A calls C.

Example:

A calls B. B answers the call. B initiates a blind transfer call to C. A is prompted to enter FAC. A is routed to C only if a valid FAC is entered by A.

Call Transfer (Consultation)

Transfer Complete at Alerting State

1. FAC is required if B calls C. FAC is not required when A calls C,

Example:

a. A calls B. B answers the call and initiates a consultation transfer to C.

b. B is prompted to enter a FAC and B is not allowed to complete the call transfer when FAC is not completed.

c. B (the transfer call) is forwarded to C after a valid FAC is entered. B completes the transfer while the transfer call is still ringing on C. A is then transferred to C.

2. FAC is required if B calls C and A calls C.

Example:

a. A calls B. B answers the call and initiates a consultation transfer to C.

b. B is prompted to enter a FAC and B is not allowed to complete the call transfer when FAC is not completed.

c. No FAC is required to A, A is then transferred to C.

3. FAC is not required if B calls C but FAC is required if A calls C.

Example:

a. A calls B, B answers the call.

b. B initiates a consultation transfer to C and completes the transfer.

c. No FAC required to A, A is then transferred to C.

Transfer Complete at Connected State

1. FAC is required when A calls C.

Example:

a. A calls B, B answers the call and initiates a consultation transfer to C.

b. C answers the transfer call and B completes the transfer.

c. No FAC required to connect to A (including local hairpin calls because the call transfer is complete) and A is connected to C.

Conference Call (Software/Adhoc)

1. FAC is not invoked when a call is joined to a conference connection.

2. FAC is required between A and C, B and C.

Example:

a. A calls B, B answers the call and initiates a conference call to C.

b. B enters a valid authorization code and is routed to C.

c. C answers the conference call and the conference is complete.

d. No FAC is required to connect to A and A is joined to a conference connection.

Meetme Conference

1. FAC is not invoked for a caller to join the meetme conference.

2. FAC is required between A and C, B and C.

Example:

a. C joins the meetme conference first.

b. No FAC is required if B joins the same meetme conference.

c. No FAC is required if C also joins the same meetme conference.

Call Park and Retrieval

1. FAC is not invoked for the parked call.

2. FAC is required if C calls A.

Example:

a. A calls B, B answers the call and parks the caller on A.

b. C retrieves the parked call (A), no FAC is required to reach C, and C is connected to A.

Call Park Restore

1. FAC is required if A calls D.

Example:

a. A calls B, B answers the call and parks the caller on A.

b. Parked call (A) is timed out from a call-park slot and is forwarded to D.

c. No FAC is required for D and the parked call (A) will ring on D.

Group Pickup

1. FAC is not provided if a caller picks up a group call.

2. FAC is required if C calls A.

Example:

a. A calls B, A is ringing on B, and C attempts to pickup call A.

b. No FAC is required for C and C is connected to A.

Single Number Redirection (SNR)

FAC is not supported for an SNR call.

Third Party Call Control (3pcc)

FAC is not supported for a three-party call control (3pcc) outgoing call.

Parallel Hunt Groups

FAC is not supported on parallel hunt groups.

Whisper intercom

FAC is not supported for whisper intercom calls.


How to Configure Forced Authorization Code

This section contains the following task:

Enabling Forced Authorization Code (FAC) on LPCOR Groups

Defining Parameters for Authorization Package

Enabling Forced Authorization Code (FAC) on LPCOR Groups

To enable FAC, perform the following steps.

Prerequisites

You must enable the voice lpcor enable command before configuring FAC.

Trunks (IP and PSTN) must be associated with phones into different LPCOR groups. See the Associating a LPCOR Policy with Analog Phone or PSTN Trunk Calls for more information.

Restrictions

Authenticated FAC data is saved to a call-leg from which the authorization code is collected. When a call-forward or blind transfer call scenario triggers a new call due to the SIP notify feature, the same caller is required to enter the authorization code again for FAC authentication.


Warning A FAC pin code must be unique and not the same as an extension number. Cisco Unified CME, Cisco Unified SRST, and Cisco Voice Gateways will not validate whether a collected FAC pin code matches an extension number.

SUMMARY STEPS

1. enable

2. configure terminal

3. voice lpcor enable

4. voice lpcor custom

5. group number lpcor-group

6. exit

7. voice lpcor policy lpcor-group

8. accept lpcor-group fac

9. service fac

10. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

voice lpcor enable

Example:

Router(config)# voice lpcor enable

Enables LPCOR functionality on the Cisco Unified CME router.

Step 4 

voice lpcor custom

Example:

Router(config)# voice lpcor custom

Defines the name and number of LPCOR resource groups on the Cisco Unified CME router.

Step 5 

group number lpcor-group

Example:

Router(cfg-lpcor-custom)#group 10 Manager

Router(cfg-lpcor-custom)#group 11 LocalUser

Router(cfg-lpcor-custom)#group 12 RemoteUser

Router(cfg-lpcor-custom)#group 13 PSTNTrunk

Router(cfg-lpcor-custom)#group 14 IPTrunk

Adds a LPCOR resource group to the custom resource list.

number—Group number of the LPCOR entry. Range: 1 to 64.

lpcor-group—String that identifies the LPCOR resource group.

Step 6 

exit

Example:

Router(conf-voi-serv)# exit

Exits voice-service configuration mode.

Step 7 

voice lpcor policy lpcor-group

Example:

Router(cfg-lpcor-custom)#group 10 Manager

Router(cfg-lpcor-custom)#group 11 LocalUser

Router(cfg-lpcor-custom)#group 12 RemoteUser

Router(cfg-lpcor-custom)#group 13 PSTNTrunk

Router(cfg-lpcor-custom)#group 14 IPTrunk

Creates a LPCOR policy for a resource group.

lpcor-group—Name of the resource group that you defined in Step 5.

Step 8 

accept lpcor-group fac

Example:

Router(cfg-lpcor-policy)# accept PSTNTrunk fac

Router(cfg-lpcor-policy)# accept Manager fac

Allows a LPCOR policy to accept calls associated with the specified resource group.

Default: Calls from other groups are rejected; calls from the same resource group are accepted.

fac—Valid forced authorization code that the caller needs to enter before the call is routed to its destination.

Repeat this command for each resource group whose calls you want this policy to accept.

Step 9 

service fac

Example:

Router(cfg-lpcor-policy)#service fac

Enables force authorization code service for a LPCOR group.

Default: No form of the service fac command is the default setting of a LPCOR group policy.

Step 10 

end

Example:

Router(config-ephone)# end

Returns to privileged EXEC mode.

Examples

Router# show voice lpcor policy

voice lpcor policy PSTNTrunk (group 13):

service fac is enabled

( accept ) Manager (group 10)

( reject ) LocalUser (group 11)

( reject ) RemoteUser (group 12)

( accept ) PSTNTrunk (group 13)

( reject ) IPTrunk (group 14)

Defining Parameters for Authorization Package

To define required parameters for user name and password, follow these steps:

SUMMARY STEPS

1. enable

2. configure terminal

3. application

4. package auth

5. param passwd string

6. param user-prompt filename

7. param passwd-prompt filename

8. param max-retries

9. param term-digit

10. param abort-digit

11. param max-digits

12. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

application

Example:

Router(config)#application

Router(config-app)#

Enters the application configuration mode.

Step 4 

package auth

Example:

Router(config-app)#package auth

Enters package authorization configuration mode.

Step 5 

param passwd

Example:

Router(config-app)#package param passwd 12345

Character string that defines a predefined password for authorization.

Note Password digits collection is optional if password digits are predefined in the param passwd command.

Step 6 

param user-prompt filename

Example:

Router(config-app-param)#param user-prompt flash:en_bacd_enter_dest.au

Allows you to enter the user name parameters required for package authorization for FAC authentication.

user-prompt filename — Plays an audio prompt requesting the caller to enter a valid username (in digits) for authorization.

Step 7 

param passwd-prompt filename

Example:

Router(config-app-param)#param passwd-prompt flash:en_welcome.au

Allows you to enter the password parameters required for package authorization for FAC authentication.

passwd-prompt filename— Plays an audio prompt requesting the caller to enter a valid password (in digits) for authorization.

Step 8 

param max-retries

Example:

Router(config-app-param)#param max-retries 0

Specifies number of attempts to re-enter an account or a password

max-entries—Value ranges from 0-10, default value is 0.

Step 9 

param term-digit

Example:

Router(config-app-param)#param term-digit #

Specifies digit for terminating an account or a password digit collection.

Step 10 

param abort-digit

Example:

Router(config-app-param)#param abort-digit *

Specifies the digit for aborting username or password digit input. Default value is *.

Step 11 

param max-digits

Example:

Router(config-app-param)#param max-digits 32

Maximum number of digits in a username or password. Range of valid value: 1 - 32. Default value is 32.

Step 12 

exit

Example:

Router(conf-app-param)# exit

Exits package authorization parameter configuration mode.

Configuration Examples for Forced Authorization Code

This section provides configuration example for Forced Authorization Code.

!

gw-accounting aaa

!

aaa new-model

!

aaa authentication login default local

aaa authentication login h323 local

aaa authorization exec h323 local

aaa authorization network h323 local

!

aaa session-id common

!

voice lpcor enable

voice lpcor custom

group 11 LocalUser

group 12 AnalogPhone

!

voice lpcor policy LocalUser

service fac

accept LocalUser fac

accept AnalogPhone fac

!

voice lpcor policy AnalogPhone

service fac

accept LocalUser fac

accept AnalogPhone fac

!

application

package auth

param passwd-prompt flash:en_bacd_welcome.au

param passwd 54321

param user-prompt flash:en_bacd_enter_dest.au

param term-digit #

param abort-digit *

param max-digits 32

!

username 786 password 0 54321

!

voice-port 0/1/0

station-id name Phone1

station-id number 1235

caller-id enable

!

voice-port 0/1/1

lpcor incoming AnalogPhone

lpcor outgoing AnalogPhone

!

dial-peer voice 11 pots

destination-pattern 99329

port 0/1/1

!

ephone-dn 102 dual-line

number 786786

label HussainFAC

!

!

ephone 102

lpcor type local

lpcor incoming LocalUser

lpcor outgoing LocalUser

device-security-mode none

mac-address 0005.9A3C.7A00

type CIPC

button 1:102

!

Additional References

The following sections provide references related to Cisco Unified CME features.

Related Documents


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Forced Authorization Code

Table 58 lists the features in this module and enhancements to the features by version.

To determine the correct Cisco IOS release to support a specific Cisco Unified CME version, see the Cisco Unified CME and Cisco IOS Software Version Compatibility Matrix at http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/requirements/guide/33matrix.htm.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 58 lists the Cisco Unified CME version that introduced support for a given feature. Unless noted otherwise, subsequent versions of Cisco Unified CME software also support that feature.


Table 58 Feature Information for Single Number Reach

Feature Name
Cisco Unified CME Version
Modification

Forced Authorization Code

8.5

Introduced the FAC feature.