nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

COR and LPCOR on Cisco Call Manager Express confusion?

xrayhead

Hi All

I'm, just about to configure my class of restrictions on a CME router and I've just checked the latest SRND and they are now listing LPCOR (Logical Partition Class of Restriction). Have Cisco changed the set-up of there Class of Service? I was all geared up to go with the system configuration using COR list's!

I had a look through the set up and it looks a lot more complicated than the old COR or am I missing something? Maybe CBT Nuggets Jeremy describes the old COR setup to easerly!

Any help would be much appreciated;

Xray

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

azaghul

A quick search finds this link:

Cisco Unified Communications Manager Express System Administrator Guide - Call Restriction Regulations [Cisco Unified Communications Manager Express] - Cisco Systems

LPCOR was designed for the Indian VoIP market, though I'm sure it will find application elsewhere.

xrayhead

azaghul wrote: »

A quick search finds this link:

Cisco Unified Communications Manager Express System Administrator Guide - Call Restriction Regulations* [Cisco Unified Communications Manager Express] - Cisco Systems

LPCOR was designed for the Indian VoIP market, though I'm sure it will find application elsewhere.

Many thanks for that, it dose seem very complicated! All I want to do is create a Class of Service range and apply it to each phone on the system.
I don't care is VoIP calls PSTN, as long as they have the correct CLS to allow them to do so!

Sorry I was big into my Nortel Meridian PBX's before I started on Cisco and I don't seem to be able to shake the habit of what was called NCOS (Network Class of Service).

Xray

pitviper

Interesting. Never seen LPCOR before. COR is what you want – once you get your head around it (process is a little "odd" at first) it'll make sense going forward.

ganuiyer

Hi,

Please do go through the steps. Hope this helps.

FAC (Forced Authorization Code) – LPCOR for SIP & SCCP Phones

Before Defining LPCOR, please keep in mind that; Enable LPCOR functionality and define a policy for each resource group that requires call restrictions. You can define one LPCOR policy for each resource group. Do not create a LPCOR policy for resource groups that do not require call restrictions. Maximum of the procedures are same as configuring dial-peer COR list.

voice lpcor enable
// Enabling the lpcor functionality on the Cisco Unified CME router.

voice lpcor custom
// Defines the name and number of LPCOR resource groups on the Cisco Unified CME router.
group 10 ild
// Adds an LPCOR resource group to the custom resource list.
number—Group number of the LPCOR entry. Range: 1 to 64.
lpcor-group—String that identifies the LPCOR resource group.

voice lpcor policy ild
// Creates a LPCOR policy for a resource group.
lpcor-group—Name of the resource group that you defined above (in our example ild).

service fac
// Enable FAC Service for a routing endpoint defined in a LPCOR group policy

accept ild fac
// fac—Valid Forced Authorization Code that the caller needs to enter before the call is routed to its destination

There is no big point in putting the FAC command after accept ild because, even if you do not put the fac, it will still ask you for an authorization code. Reason, you will know, when you read the configuration below.

If you create any other group say Ex. group local, in the same voice lpcor custom and do not enter it in the lpcor policy ild, it will get rejected (even before the process to ask for a code & pin). Calls will not even pass through the trunk.

The steps for accept and reject is configured, when you have more than 2/3 groups & 3/4 different gateways / trunks and you do not want anybody else (apart from the ones you have configured to accept) to pass through a specific trunk.
* Create only those groups that you need to be asked for an authorization code. Don’t get confused.

Just look at the Example of show voice lpcor policy below. The ones that the output shows as reject, will not be allowed to make calls from that trunk which is allowed for a particular group. It means, that only groups Manger & PSTNTrunk will be allowed to make calls (by putting an id & pin). Local Users, Remote Users, & IP Trunk users will not be allowed to make calls. Their calls will be rejected & they will get a fast busy tone.

Router# show voice lpcor policy
voice lpcor policy PSTNTrunk (group 13):
service fac is enabled
( accept ) Manager (group 10)
( reject ) LocalUser (group 11)
( reject ) RemoteUser (group 12)
( accept ) PSTNTrunk (group 13)
( reject ) IPTrunk (group 14)

Defining Parameters for Authorization Package:

enable
configure terminal

application
// Enters the application configuration mode.

package auth
// Enters package authorization configuration mode.

param passwd-prompt flash:enter_pin.au
// Allows you to enter the password parameters required for package authorization for FAC authentication
passwd-prompt filename — Plays an audio prompt requesting the caller to enter a valid password (in digits) for authorization

param max-retries 0
// Specifies number of attempts to re-enter an account or a password – default value 0

param user-prompt flash:enter_account.au
// Allows you to enter the user name parameters required for package authorization for FAC authentication.
user-prompt filename — Plays an audio prompt requesting the caller to enter a valid username (in digits) for authorization

param term-digit #
// Specifies digit for terminating an account or a password digit collection. You have to press # after you have input your id and then put your pin and press #. # is the terminator to make the CME understand that you have finished entering your ID / PIN.

param passwd 12345
// Character string that defines a predefined password for authorization. Note: Password digits collection is optional if password digits are predefined in the param passwd command.

param abort-digit *
//Specifies the digit for aborting username or password digit input. Default value is *.

param max-digits 32
//Maximum number of digits in a username or password. Range of valid value: 1 - 32. Default value is 32.

You have to configure the aaa to force the FAC for Code and PIN:

gw-accounting aaa
!
aaa new-model
!
aaa authentication login default local
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local
!
aaa session-id common

Define the Username & Password:

username 786 password 0 54321

username 678 password 0 12345

Configuring the LPCOR with Ephone-DNs:

ephone-dn 1 dual-line
number 1002
label Ganesh

ephone 1
lpcor type local
// Sets the LPCOR type for an IP phone.
• local—IP phone always registers to Cisco Unified CME through the LAN.
• remote—IP phone always registers to Cisco Unified CME through the WAN.

lpcor incoming ild
// Associates a LPCOR resource-group policy with an incoming call
Note: Do not use different lpcor group policies for a shared ephone-dn.

device-security-mode none
mac-address 0005.9A3C.7A00
type CIPC
button 1:1

Same is used for SIP Phones:

voice register pool 2
lpcor type remote
lpcor incoming ild
id mac 0030.94C2.9A55
type 7960
number 1 dn 2
dtmf-relay rtp-nte sip-notify

Note: If you do not put rtp-nte, it will skip the process of asking for the Authorization Code and you will not be able to make any calls

Configuring the LPCORs with the ISDN (BRI / PRI) Ports:

The Example Provided below is my BRI Configuration:

This Voice Port 0/1/0 – is used for Local Calls only without any authorization codes

voice-port 0/1/0
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
connection plar 1000
threshold noise -60
bearer-cap Speech

This Voice Port 0/1/1 – is used for only International Calls with authorization codes:

voice-port 0/1/1
lpcor outgoing ild – (Defined the LPcor outgoing in voice-port 0/1/1 – dedicated for ILD – Long Distance)
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
connection plar 1000
threshold noise -60
bearer-cap Speech

Note: The biggest problem in an Environment / Scenario where we use lpcor is that we have to block dedicatedly one trunk / BRI / PRI port specifically only for ILDs (Calls with Authorization) and the 2^nd line/trunk for Calls that don't need Authorization

Complete Configuration of LPcor in Short - Example:

voice lpcor enable
!
voice lpcor custom
group 10 ild

voice lpcor policy ild
service fac
accept ild fac
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local
!
!
aaa session-id common
!
!
application
package auth
param passwd-prompt flash:enter_pin.au
param max-retries 0
param user-prompt flash:enter_account.au
param term-digit #
param passwd 12345
param abort-digit *
param max-digits 32
!
!
username 786 password 0 54321
!
username 678 password 0 12345
!
!
ephone-dn 1 dual-line
number 1002
label Ganesh

ephone 1
lpcor type local
lpcor incoming ild
device-security-mode none
mac-address 0005.9A3C.7A00
type CIPC
button 1:1
!
!

voice register dn 2
number 4001
name cme-sip-2
label 4001
!
!
voice register pool 2
lpcor type remote
lpcor incoming ild
id mac 0030.94C2.9A55
number 1 dn 2
dtmf-relay rtp-nte sip-notify
voice-class codec 1
!
!
voice-port 0/1/0
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
threshold noise -60
bearer-cap Speech
!
!
!
voice-port 0/1/1
lpcor outgoing ild
disc_pi_off
input gain -6
echo-cancel mode 2
mwi
no vad
compand-type a-law
cptone FR
timeouts call-disconnect 1
threshold noise -60
bearer-cap Speech

Apart from these, you need to configure dial-peer cors, dial-plan pattern, translation pattern and other configuration as usual.

Note: There are lots of issues, mistakes and confusion in the Explanation provided in Cisco’s CME Administration Guide for LPCOR – FAC. Some of them are mismatched / wrongly given both in Detailed Steps as well as the Example provided for FAC (Forced Authorization Code)

Issue – 1:
There is lot of confusion and mistake in deciding which .au file to be taken for prompting the password and account-id.
There are two steps for this:

1. The first method, is it asks for an account id and the then it asks for the pin number, that should match with the associated username.

a. For this method, you may / may not put the param password #### command. It doesn’t matter.

b. The au files I have selected for this method is: enter_account.au for ID & enter_pin.au for the PIN. This works perfectly fine.

2. The 2^nd method – if you have put the param passwd #### command,

a. Use the userprompt filename as enter_account.au

b. For the param passwd-prompt, use en_bacd_enter_dest.au file.

Once you enter the destination number, your call will get connected, as the password has already been forced into the configuration.

The 2^nd Method will work, better for intercom calls (between sites) or Local / STD calls. i.e; when you enter the dial-out prefix (0 / 9) + Local Code & press # It will ask for your Account ID. Enter the Account ID and press #. Then Enter the Destination Number you wish to reach. It will put your call through.

Logically this is correct; but technically incorrect; because according to the FAC Configuration / System,

1. It requires & asks for an ID & PIN. You cannot configure just a Username (account name) or a Password alone. It has to be bundled together. Every ID & its respective PIN is entered in Global Configuration Mode. Ex. Router(config)# username 12345 password 12345

2. It asks for ID & PIN only after you have finished dialing. Ex. 0 + International Code + Number. Then it asks you to enter the ID and press #. Then Pin No. and press #. Then the call gets routed to the respective port

So Technically, the 2^nd method will not work for International Numbers. What will you dial after it asks to dial the destination code? How will the cme associate the number dialed after putting the dial-out prefix and the number dialed when the FAC asks to enter the Destination Code? Ex. 0 – 44 # (account id) - Destination Number? It does not work at all. Also it does not make any sense.

Issue – 2:

There are some confusion in filenames as well. Even the audio provided inside the file, against the filename does not match.

1. en_bacd_welcome.au – does not ask you for an Account ID. It says “Thank you for calling”. What is that supposed to mean?

2. en_bacd_enter_dest.au – will ask you to provide the destination number you wish to reach. Where is the ID and / or Password asked in a scenario like this?

Issue – 3:
ephone 1
lpcor type local
// Sets the LPCOR type for an IP phone.
• local—IP phone always registers to Cisco Unified CME through the LAN.
• remote—IP phone always registers to Cisco Unified CME through the WAN.

The IP Phone has nothing to do with registration in this command. With the command lpcor type local, it actually searches for the authorization code locally with radius server from within the CME itself.

And Remote means it searches for the authorization code from a remote aaa server / other CME located in remote site.

I have tried to make the LPCor configuration a bit simple and easy to understand. Hope this helps.

Important: I was not able to attach any of the .au files / zip files. You can download the latest FAC-SBCS.zip from Cisco website / pm / mail me with your personal e-mail address. I will mail you the files.

Link: ftp://ftpeng.cisco.com/sbcs/FAC-SBCS.zip

Regards,
Ganesh

faiqmahdi

Hi Ganesh

Found your thread about FAC and CUCME almost all websites. I really appreciate it.. I am facing some issue for the same.. Can you please guide me where i went wrong..

--
Hi Guyz...

I am trying to configure FAC over CUCME 8.6 for only International Calls. I searched different threads and come across to my final configuraion.

The problem is that the call does not go through. I do not hear any Voice Prompt to Enter Username and PIN.

My Flash does have all the files and It hits the correct Dial-peer also.

gw-accounting aaa
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AAA-AUT local
aaa authorization exec AAA-AUT local
aaa authorization network AAA-AUT local
!
!
voice lpcor enable
voice lpcor custom
group 10 ild
group 11 LocalUser
group 12 RemoteUser
group 13 PSTNTrunk
group 14 IPTrunk
!
voice lpcor policy ild
service fac
accept ild fac
!
application
package auth
param max-retries 5
param passwd-prompt flash:en_bacd_welcome.au
param abort-digit *
param term-digit #
param user-prompt flash:en_bacd_enter_dest.au
param passwd 12345
param max-digits 32
!
username 5008 password 0 5008
username 5008 autocommand exit
!
!
voice-port 0/0/1
lpcor outgoing ild
connection plar 5008
station-id name FAC-Testing
caller-id enable

dial-peer voice 50 pots
description **x** International Call **x**
destination-pattern 9T
port 0/0/1
!

ephone 6
lpcor type local
lpcor incoming ild
device-security-mode none
mac-address 001C.58F0.B616
username "Study" password rtb86801
type 7971
button 1:9 7m1 8w1

tftp-server flash:cme-b-acd-2.1.2.3/en_bacd_disconnect.au alias en_bacd_disconnect.au
tftp-server flash:cme-b-acd-2.1.2.3/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
tftp-server flash:cme-b-acd-2.1.2.3/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
tftp-server flash:cme-b-acd-2.1.2.3/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
tftp-server flash:cme-b-acd-2.1.2.3/en_bacd_options_menu.au alias en_bacd_options_menu.au
tftp-server flash:cme-b-acd-2.1.2.3/en_bacd_welcome.au alias en_bacd_welcome.au
tftp-server flash:cme-b-acd-2.1.2.3/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au

Home#dir flash:cme-b-acd-2.1.2.3
Directory of flash:/cme-b-acd-2.1.2.3/

445 -rw- 19191 Nov 21 2008 13:19:00 +04:00 app-b-acd-2.1.2.3-ReadMe.txt
446 -rw- 26087 Apr 18 2008 14:47:26 +04:00 app-b-acd-2.1.2.3.tcl
447 -rw- 37673 May 7 2008 20:42:10 +04:00 app-b-acd-aa-2.1.2.3.tcl
448 -rw- 75650 Oct 27 2004 03:57:28 +04:00 en_bacd_allagentsbusy.au
449 -rw- 83291 Oct 27 2004 03:57:28 +04:00 en_bacd_disconnect.au
450 -rw- 63055 Oct 27 2004 03:57:28 +04:00 en_bacd_enter_dest.au
451 -rw- 37952 Oct 27 2004 03:57:28 +04:00 en_bacd_invalidoption.au
452 -rw- 496521 Dec 18 2001 04:46:28 +04:00 en_bacd_music_on_hold.au
453 -rw- 123446 Oct 27 2004 03:57:28 +04:00 en_bacd_options_menu.au
454 -rw- 42978 Apr 1 2005 03:47:40 +04:00 en_bacd_welcome.au
455 -rw- 34794 Aug 12 2006 10:02:50 +04:00 en_bacd_xferto_operator.au

509657088 bytes total (391176192 bytes free)
Home#

--